One more thing ... :)

Could you (or someone else) also write a short security bulletin?
https://cwiki.apache.org/confluence/display/WW/Security+Bulletins

I've updated the Creating and Signing page to refer to creating security
bulletin announcements as an optional release step.

I've placed it under the "wait for rsync" section. While this has the
disadvantage that the docs exported with the release will not cover the
security announcement for the fixes of this particular release, it will
help to keep the security issue undisclosed until the fix is assured to
be available. It's a hen-and-egg problem, but for me so far an
acceptable trade-off - if you guys would prefer to add security
bulletins _before_ exporting the wiki docs, to have them included
up2date in the distribution docs, please speak up!

- René

On 06.09.11 16:47, Maurizio Cucchiara wrote:
> The Struts 2.2.3.1 test build is now available. It includes the latest
> security patch which fixes a vulnerability that allows the user input
> to be evaluated as an OGNL expression when there's a conversion error.
> 
> Release notes:
> * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.2.3.1]
> 
> Distribution:
> * [http://people.apache.org/builds/struts/2.2.3.1/]
> 
> Maven 2 staging repository:
> * [https://repository.apache.org/content/repositories/orgapachestruts-031/]
> 
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
> 
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
> 
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
> 
> The vote will remain open for at least 72 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
> 
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
> 
> Thanks in advance
> 
> Maurizio Cucchiara
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
> 
