On 14/01/12 20:52, David Johnson wrote:
> I've moved to newer versions of Struts and Spring to avoid the problems
> mentioned below.

Thank you for your answer.

> I'll see about putting together a 5.0.1 release to get these fixes out there.
> I'm willing to volunteer as release manager. As for 4.0: I'm not willing to
> volunteer for any 4.0 work.

About the old 4.0 version: my intention was not to induce a fix for the old release, but rather to check if a security advisory would be relevant. I can imagine there are still sites running 4.0, and it would be crucial for them to know if someone can hack them.

I believe the Apache Software Foundation has some procedures related to security bulletins and ways of fixing security-related bugs. Common sense tells us the most important thing is to withhold public disclosure of the details (allowing the bad guys to exploit it) as long as possible, and of course to release an upgrade advisory to all users.

My previous question concerning procedures should rather be: is there any developer keeping track of and taking care of external libraries' security?

best regards
Slawomir Jasek
