The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0
and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are
now available. They provider multipart parser implementations to fix
the latest critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on
Jakarta plugin

For details and the rationale behind these changes, please consult the
corresponding security bulletins:
* https://cwiki.apache.org/confluence/display/WW/S2-045
* https://cwiki.apache.org/confluence/display/WW/S2-046

Release notes:
* 
https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md
* 
https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/struts-extras/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote within
24 hours (at least three binding +1s and more +1s than -1s), the
release may be submitted for mirroring and announced to the usual
channels.

The website download link will include the mirroring timestamp
parameter [1], which limits the selection of mirrors to those that
have been refreshed since the indicated time and date. (After 24
hours, we *must* remove the timestamp parameter from the website link,
to avoid unnecessary server load.) In the case of a fast-track
release, the email announcement will not link directly to
<download.cgi>, but to <downloads.html>, so that we can control use of
the timestamp parameter.

[1] http://apache.org/dev/mirrors.html#use

- The Apache Struts group.


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to