Hello,
I believe Roller-5.0.0 is bundled with:

Struts-2.1.1
Spring-2.5.6

There are some security vulnerabilities known in these versions:

http://struts.apache.org/2.x/docs/s2-006.html
http://struts.apache.org/2.x/docs/s2-007.html
http://struts.apache.org/2.x/docs/s2-008.html
http://www.springsource.com/security/spring-framework

And some of them are marked as serious. Could you please explain to me if these vulnerabilities have any chance to be exploited in Roller? Unfortunately I am not a programmer, and can not deduce it from the source code.

Would you be so nice to check, by the way, if Roller-4.0.1, bundled with Struts-2.0.9 (which has even more security vulnerabilities), is also endangered? The most disturbing is http://struts.apache.org/2.x/docs/s2-005.html which I believe allows, among others, for unrestricted static Java code execution (for example with java.lang.Runtime exec()) with just a single crafted URL.

Do you follow any security procedures for upgrading external libraries/frameworks? Do you issue any kind of Security Bulletin in such cases?

best regards
Slawomir Jasek
