The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0 and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are now available. They provider multipart parser implementations to fix the latest critical security vulnerability:
- Possible Remote Code Execution when performing file upload based on Jakarta plugin For details and the rationale behind these changes, please consult the corresponding security bulletins: * https://cwiki.apache.org/confluence/display/WW/S2-045 * https://cwiki.apache.org/confluence/display/WW/S2-046 Release notes: * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md Distribution: * https://dist.apache.org/repos/dist/dev/struts/struts-extras/ Maven 2 staging repository: * https://repository.apache.org/content/repositories/staging/ Once you have had a chance to review the test build, please respond with a vote on its quality: [ ] Leave at test build [ ] Alpha [ ] Beta [ ] General Availability (GA) Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s. This is a "fast-track" release vote. If we have a positive vote within 24 hours (at least three binding +1s and more +1s than -1s), the release may be submitted for mirroring and announced to the usual channels. The website download link will include the mirroring timestamp parameter [1], which limits the selection of mirrors to those that have been refreshed since the indicated time and date. (After 24 hours, we *must* remove the timestamp parameter from the website link, to avoid unnecessary server load.) In the case of a fast-track release, the email announcement will not link directly to <download.cgi>, but to <downloads.html>, so that we can control use of the timestamp parameter. [1] http://apache.org/dev/mirrors.html#use - The Apache Struts group. Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
