On 3/21/2012 11:50 PM, Robert wrote:
On 3/20/2012 3:53 PM, Łukasz Lenart wrote:
What do you propose ?

As text

There is no perfect solution; as Dave indicated, "beta" may not mean much to managers.

A hard-line approach would be to reclassify all prior releases of Struts 2 as beta or alpha. Does Struts have a "not recommended" classification?
Struts 2.3.1.1, 2.3.1
Struts 2.2.3.1, 2.2.3, 2.2.1.1, 2.2.1
Struts 2.1.8.1, 2.1.8, 2.1.6
Struts 2.0.14, 2.0.12, 2.0.11.2, 2.0.11.1, 2.0.11, 2.0.9, 2.0.8, 2.0.6

Then change the wording for older releases on the download page, http://struts.apache.org/downloads.html,

from:
'As a courtesy, we retain archival copies of the website for each "General Availability" release.'

to
'As a courtesy, we retain archival copies of the website for releases that initially were considered "General Availability" but which have been reclassified as "Not recommended" since they contain security issues'
                                  ^ or beta/alpha ^


Then, instead of listing just the prior version of the web site, explicitly list the vulnerabilities these releases are known or assumed to contain.

Struts 2.X Releases
    Release,          Approx. Release Date,  Known vulnerability,  Likely (unfixed) vulnerabilities

    Struts 2.3.1.1,   2012/1/23,   S2-009
    Struts 2.3.1,     2011/12/14,  S2-008,          likely: S2-009
    Struts 2.2.3.1,   2011/9/7,                     likely: S2-008, S2-009
    Struts 2.2.3,     2011/5/7,    S2-007,          likely: S2-008, S2-009
    Struts 2.2.1.1,   2010/12/21,  S2-006,          likely: S2-007, S2-008, S2-009
    Struts 2.2.1,     2010/8/16,                    likely: S2-006, S2-007, S2-008, S2-009
    Struts 2.1.8.1,   2010/8/16,   S2-005,          likely: S2-006, S2-007, S2-008, S2-009
    Struts 2.1.8,     2009/9/30,                    likely: S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.1.6,     2009/1/5,                     likely: S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.14,    2008/11/16,                   likely: S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.12,    2008/10/16,                   likely: S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.11.2,  2008/6/22,   S2-003, S2-004,  likely: S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.11.1,  2008/3/2,                     likely: S2-003, S2-004, S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.11,    2007/9/21,   S2-002,          likely: S2-003, S2-004, S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.9,     2007/7/23,                    likely: S2-002, S2-003, S2-004, S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.8,     2007/6/6,    S2-001,          likely: S2-002, S2-003, S2-004, S2-005, S2-006, S2-007, S2-008, S2-009
    Struts 2.0.6,     2007/2/18,   S2-001,          likely: S2-002, S2-003, S2-004, S2-005, S2-006, S2-007, S2-008, S2-009


Struts 1.X Releases

    Struts 1.3.8
    Struts 1.3.5
    Struts 1.2.9
    Struts 1.2.8
    Struts 1.2.7
    Struts 1.2.4
    Struts 1.1
    Struts 1.0.2


It may seem drastic, but if the list of security issues next to releases doesn't encourage upgrading, I don't know what will.
Now to talk to my manager :)!

-Rob