Hello Lukasz,

I have a question:

For example, in doubleselect.ftl of the simple theme, at line 102, I found
the following: <@s.iterator value="${parameters.doubleList}">

Should this be changed to <@s.iterator value="parameters.doubleList">, like
in line 82 (due to S2-053)?

Kind regards Michael Hintenaus

> On 07.09.2017 at 10:25, Lukasz Lenart <[email protected]> wrote:
>
> The Apache Struts group is pleased to announce that Struts 2.3.34 is
> available as a “General Availability” release. The GA designation is
> our highest quality grade.
>
> This release addresses these potential security vulnerabilities:
> - S2-050 A regular expression Denial of Service when using
> URLValidator (similar to S2-044 & S2-047)
> - S2-051 A remote attacker may create a DoS attack by sending crafted
> xml request when using the Struts REST plugin
> - S2-052 Possible Remote Code Execution attack when using the Struts
> REST plugin with XStream handler to handle XML payloads
> - S2-053 A possible Remote Code Execution attack when using an
> unintentional expression in Freemarker tag instead of string literals
>
> This release contains several minor improvements, just to mention a few of
> them:
> - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is
> ignored, Numeric Keys will work and mapped
> - Threads get blocked due to unnecessary synchronization in OgnlRuntime
> - Upgrade to OGNL 3.0.21
> - Upgrade to struts-master 11
> - Improve RegEx used to validate URLs
>
> More details in version notes
> http://struts.apache.org/docs/version-notes-2334.html
>
> All developers are strongly advised to perform this action.
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions: Servlet API 2.4,
> JSP API 2.0, and Java 6.
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.
>
> You can download this version from our download page.
> http://struts.apache.org/download.html#struts-23x
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
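
An added example, not part of the original messages or of the Struts code base: a small Python scan that lists every Struts tag in a Freemarker template whose attribute value contains a `${...}` interpolation, the form the question above points at in doubleselect.ftl, so each occurrence can be reviewed against S2-053. The sample template, the `token` field and the function name are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Opening of a Struts tag used as a Freemarker macro, e.g. <@s.iterator ...>
TAG_RE = re.compile(r'<@s\.(\w+)\b([^>]*)>', re.DOTALL)
# attribute="value" pairs whose quoted value contains a ${...} interpolation
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*\$\{[^"]*)"')

# Constructed sample, not the real doubleselect.ftl
SAMPLE = '''\
<#-- constructed sample template -->
<@s.iterator value="parameters.doubleList">
</@s.iterator>
<@s.iterator value="${parameters.doubleList}">
</@s.iterator>
<@s.hidden name="token"
           value="${token}" />
<select id="${parameters.id?html}"></select>
'''

def find_interpolated_attrs(template_text):
    """Return (line, tag, attribute, value) for each <@s.*> attribute using ${...}."""
    findings = []
    for tag in TAG_RE.finditer(template_text):
        attrs_start = tag.start(2)
        for attr in ATTR_RE.finditer(tag.group(2)):
            # Line of the attribute itself, since a tag may span several lines
            offset = attrs_start + attr.start()
            line_no = template_text.count("\n", 0, offset) + 1
            findings.append((line_no, tag.group(1), attr.group(1), attr.group(2)))
    return findings

def scan_tree(root):
    """Scan every .ftl file under root; yields (path, line, tag, attribute, value)."""
    for path in sorted(Path(root).rglob("*.ftl")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for finding in find_interpolated_attrs(text):
            yield (str(path),) + finding

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in scan_tree(sys.argv[1]):
            print("%s:%d <@s.%s %s=\"%s\">" % hit)
    else:
        for hit in find_interpolated_attrs(SAMPLE):
            print("sample:%d <@s.%s %s=\"%s\">" % hit)
```

Plain HTML attributes such as the `<select id="${...}">` line are not reported, because only `<@s.*>` macro calls pass their attributes to Struts tags.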
