Any new on 2.0.12 release that would contain XWork 2.0.6 for Websphere users?
----- Original Message ---- From: Rene Gielen <[EMAIL PROTECTED]> To: Struts Users Mailing List <[EMAIL PROTECTED]> Sent: Wednesday, July 16, 2008 2:40:38 AM Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix Apache Struts 2.0.11.2 is now available from <http://struts.apache.org/download.cgi#struts20112>. This release is a fast track security fix release, including a security fixed version 2.0.5 of XWork, which corrects a serious vulnerability in ParametersInterceptor allowing malicious users to remotely change server side context objects. For more information about the exploit, visit our security bulletins page at <http://struts.apache.org/2.0.11.2/docs/s2-003.html>. IMPORTANT ADDITIONAL NOTES: There are two known issues with this release: 1. the integrated XWork 2.0.5 jar may cause problems when used in a combination of WebSphere 6.1 runtime environments with validation configuration via XML files. Possible Workarounds: - use annotation based validation definition instead XML based - stay with Struts 2..0.11.1 including XWork 2.0.4, applying the following exclude rule to your parameter interceptor refs in struts.xml <interceptor-ref name="params"> <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param> </interceptor-ref> 2. the filtering mechanism implemeted in XWork's ParametersInterceptor to fix the described security issue does not completely avoid any possible malicious parameter name. Possible Workaround: - apply the following exclude rule to your parameter interceptor refs in struts.xml to avoid the usage of backslash characters in parameter names <interceptor-ref name="params"> <param name="excludeParams">.*\\.*</param> </interceptor-ref> Both issues will be addressed in a soon upcoming XWork 2.0.6 release, followed by a new Struts 2.0 GA release including this new XWork version. * All developers are advised to either update Struts 2 applications to Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the fixed xwork-2.0.5.jar to prevent remotety induced context manipulations. For the complete release notes for Struts 2.0.11.2, see <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>. - The Apache Struts Team. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __________________________________________________________________ Get a sneak peak at messages with a handy reading pane with All new Yahoo! Mail: http://ca.promos.yahoo.com/newmail/overview2/ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
