I've moved to newer versions of Struts and Spring to avoid the problems mentioned below.
In the Roller 5.0 branch: http://svn.apache.org/viewvc?view=revision&revision=1231571
And the Roller trunk: http://svn.apache.org/viewvc?view=revision&revision=1231565

I'll see about putting together a 5.0.1 release to get these fixes out there. I'm willing to volunteer as release manager.

As for 4.0: I'm not willing to volunteer for any 4.0 work.

- Dave

On Jan 11, 2012, at 7:07 AM, Slawomir Jasek wrote:

> Hello,
>
> I believe Roller-5.0.0 is bundled with:
> Struts-2.1.1
> Spring-2.5.6
>
> There are some security vulnerabilities known in these versions:
>
> http://struts.apache.org/2.x/docs/s2-006.html
> http://struts.apache.org/2.x/docs/s2-007.html
> http://struts.apache.org/2.x/docs/s2-008.html
>
> http://www.springsource.com/security/spring-framework
>
> And some of them are marked as serious.
>
> Could you please explain to me whether these vulnerabilities have any chance to be exploited in Roller? Unfortunately I am not a programmer, and cannot deduce it from the source code.
>
> Would you be so kind as to check, by the way, whether Roller-4.0.1, bundled with Struts-2.0.9 (which has even more security vulnerabilities), is also endangered? The most disturbing is
>
> http://struts.apache.org/2.x/docs/s2-005.html
>
> which I believe allows, among other things, unrestricted static Java code execution (for example with java.lang.Runtime exec()) with just a single crafted URL.
>
> Do you follow any security procedures for upgrading external libraries/frameworks? Do you issue any kind of Security Bulletin in such cases?
>
> best regards
> Slawomir Jasek
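The question above is really a dependency-audit question: which Struts 2 and Spring jars does a deployed Roller ship, and are they older than the fixed-in versions named in the linked advisories? The script below is an added example, not code from the Roller project or from either message in this thread. It parses the jar filenames found in a webapp's WEB-INF/lib (the bundled versions quoted in the thread are embedded as a constructed sample), compares them against a table of minimum acceptable versions, and reports anything older. The minimum versions in MIN_VERSIONS are placeholders chosen for illustration; replace them with the "fixed in" versions from the Struts and Spring advisory pages before relying on the output.

```python
import re
from pathlib import Path

# Matches e.g. struts2-core-2.1.1.jar, spring-2.5.6.jar, spring-core-2.5.6.SEC02.jar
JAR_RE = re.compile(
    r'^(?P<artifact>[A-Za-z][\w-]*?)-(?P<version>\d+(?:\.\d+)*(?:\.[A-Za-z]\w*)?)\.jar$'
)

# Assumed thresholds for illustration only: take the real "fixed in" versions
# from the advisories linked in the thread (S2-005 .. S2-008, Spring bulletin).
MIN_VERSIONS = {
    'struts2': '2.3.1.1',
    'spring': '2.5.6.SEC02',
}


def parse_version(version):
    """Split '2.5.6.SEC02' into ((2, 5, 6), 'SEC02'); plain releases get an empty tag."""
    numbers, tag = [], ''
    for part in version.split('.'):
        if part.isdigit():
            numbers.append(int(part))
        else:
            tag = part
    return tuple(numbers), tag


def version_lt(a, b):
    """True if version string a is older than b.

    Numeric components are compared left to right with missing trailing
    components treated as 0 (so 2.3.1 < 2.3.1.1). A security-patch tag such as
    SEC02 sorts after the untagged release. Pre-release tags (RC1, beta) are
    not modelled; they would sort after the final release, which is wrong.
    """
    na, ta = parse_version(a)
    nb, tb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    return ta < tb


def family_of(artifact):
    """Map an artifact id to the key used in MIN_VERSIONS, or None if untracked."""
    for family in MIN_VERSIONS:
        if artifact == family or artifact.startswith(family + '-'):
            return family
    return None


def audit_jar_names(jar_names, min_versions=MIN_VERSIONS):
    """Return (artifact, found_version, minimum_version) for each jar that is too old."""
    findings = []
    for name in jar_names:
        match = JAR_RE.match(name)
        if not match:
            continue
        artifact, version = match.group('artifact'), match.group('version')
        family = family_of(artifact)
        if family is None:
            continue
        minimum = min_versions[family]
        if version_lt(version, minimum):
            findings.append((artifact, version, minimum))
    return findings


def audit_lib_dir(lib_dir, min_versions=MIN_VERSIONS):
    """Audit every *.jar under a real WEB-INF/lib directory."""
    names = [p.name for p in Path(lib_dir).glob('*.jar')]
    return audit_jar_names(names, min_versions)


# Constructed sample modelled on the versions quoted in the thread for Roller 5.0.0.
SAMPLE_LIB = [
    'struts2-core-2.1.1.jar',
    'xwork-2.1.1.jar',
    'spring-2.5.6.jar',
    'commons-lang-2.4.jar',
]

if __name__ == '__main__':
    for artifact, found, minimum in audit_jar_names(SAMPLE_LIB):
        print(f'{artifact}: found {found}, need at least {minimum}')
```

Point audit_lib_dir at the exploded webapp (for example roller/WEB-INF/lib) to run it against a real deployment. Note that the check only proves a vulnerable version is present; whether a given advisory is reachable depends on which Struts features the application uses, which is exactly the question the thread asks and a version scan cannot answer.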
