They build OK, although the version is 1.1.  The upload still works after
applying the to a v2.5.10 /lib folder.

struts2-secure-jakarta-multipart-parser-plugin-1.1-SNAPSHOT.jar
struts2-secure-jakarta-stream-multipart-parser-plugin-1.1-SNAPSHOT.jar

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)

On 20 March 2017 at 08:25, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0
> and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are
> now available. They provider multipart parser implementations to fix
> the latest critical security vulnerability:
>
> - Possible Remote Code Execution when performing file upload based on
> Jakarta plugin
>
> For details and the rationale behind these changes, please consult the
> corresponding security bulletins:
> * https://cwiki.apache.org/confluence/display/WW/S2-045
> * https://cwiki.apache.org/confluence/display/WW/S2-046
>
> Release notes:
> * https://github.com/apache/struts-extras/blob/master/
> struts2-secure-jakarta-multipart-parser-plugin/README.md
> * https://github.com/apache/struts-extras/blob/master/
> struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/struts-extras/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> This is a "fast-track" release vote. If we have a positive vote within
> 24 hours (at least three binding +1s and more +1s than -1s), the
> release may be submitted for mirroring and announced to the usual
> channels.
>
> The website download link will include the mirroring timestamp
> parameter [1], which limits the selection of mirrors to those that
> have been refreshed since the indicated time and date. (After 24
> hours, we *must* remove the timestamp parameter from the website link,
> to avoid unnecessary server load.) In the case of a fast-track
> release, the email announcement will not link directly to
> <download.cgi>, but to <downloads.html>, so that we can control use of
> the timestamp parameter.
>
> [1] http://apache.org/dev/mirrors.html#use
>
> - The Apache Struts group.
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>

Reply via email to