Hi,

in this case it does not matter whether ${} is present, as the iterator tag 
uses expressions by default. There are other Struts tags where it makes a 
difference. I think param is among them.


Regards,
Christoph



> From: <[email protected]>
> To: <[email protected]>, 
> Date: 09.09.2017 09:27
> Subject: Re: [ANN] Apache Struts 2.3.34 General Availability with 
> Security Fixes Release
> 
> 
> Hello Lukasz,
> 
> I have a question:
> 
> For example in the doubleselect.ftl of the simple theme in line 102 I found
> the following <@s.iterator value="${parameters.doubleList}">
> 
> Should this be changed to <@s.iterator value="parameters.doubleList"> like
> in line 82 (Due to S2-053) ?
> 
> Kind regards Michael Hintenaus
> 
> > On 07.09.2017 at 10:25, Lukasz Lenart <[email protected]> wrote:
> >
> > The Apache Struts group is pleased to announce that Struts 2.3.34 is
> > available as a “General Availability” release. The GA designation is
> > our highest quality grade.
> >
> > This release addresses these potential security vulnerabilities:
> > - S2-050 A regular expression Denial of Service when using
> > URLValidator (similar to S2-044 & S2-047)
> > - S2-051 A remote attacker may create a DoS attack by sending crafted
> > xml request when using the Struts REST plugin
> > - S2-052 Possible Remote Code Execution attack when using the Struts
> > REST plugin with XStream handler to handle XML payloads
> > - S2-053 A possible Remote Code Execution attack when using an
> > unintentional expression in Freemarker tag instead of string literals
> >
> > This release contains several minor improvements, just to mention a few
> > of them:
> > - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is
> > ignored, Numeric Keys will work and mapped
> > - Threads get blocked due to unnecessary synchronization in OgnlRuntime
> > - Upgrade to OGNL 3.0.21
> > - Upgrade to struts-master 11
> > - Improve RegEx used to validate URLs
> >
> > More details in version notes
> > http://struts.apache.org/docs/version-notes-2334.html
> >
> > All developers are strongly advised to perform this action.
> >
> > The 2.3.x series of the Apache Struts framework has a minimum
> > requirement of the following specification versions: Servlet API 2.4,
> > JSP API 2.0, and Java 6.
> > Should any issues arise with your use of any version of the Struts
> > framework, please post your comments to the user list, and, if
> > appropriate, file a tracking ticket.
> >
> > You can download this version from our download page.
> > http://struts.apache.org/download.html#struts-23x
> >
> >
> > Kind regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >
> >
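
For auditing templates for the pattern discussed in this thread, the following added example (not part of the original messages and not Struts project code) lists every `<@s.…>` FreeMarker directive attribute whose value contains a `${…}` interpolation, so each occurrence can be reviewed against S2-053. The sample template and the function names are constructed for illustration; the regex-based matching assumes attribute values contain no `>` character.

```python
import re

# Opening Struts FreeMarker directive, e.g. <@s.iterator ...> (closing </@s...> is not matched)
TAG_RE = re.compile(r'<@s\.(\w+)\b([^>]*)>')
# name="value" or name='value' pairs inside the directive
ATTR_RE = re.compile(r'(\w+)\s*=\s*(["\'])(.*?)\2', re.S)
# A value that consists of exactly one ${...} interpolation
WHOLE_RE = re.compile(r'\$\{([^{}]+)\}')

def plain_form(value):
    """Return the expression without ${} if value is a single interpolation, else None."""
    m = WHOLE_RE.fullmatch(value.strip())
    return m.group(1).strip() if m else None

def find_interpolated_attrs(template_text):
    """Return (line, tag, attribute, value) for each Struts tag attribute containing ${...}."""
    findings = []
    for tag in TAG_RE.finditer(template_text):
        line_no = template_text.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            name, value = attr.group(1), attr.group(3)
            if "${" in value:
                findings.append((line_no, tag.group(1), name, value))
    return findings

# Constructed sample template (not taken from the Struts source tree)
SAMPLE = '''\
<@s.iterator value="parameters.list">
  <option value="${itemKey}">${itemValue}</option>
</@s.iterator>
<@s.iterator value="${parameters.doubleList}">
  <@s.param name="label" value="${parameters.label}"/>
</@s.iterator>
<@s.hidden name="id"
           value="${parameters.id}" />
'''

if __name__ == "__main__":
    for line_no, tag, name, value in find_interpolated_attrs(SAMPLE):
        note = plain_form(value)
        hint = f" (plain form: {note})" if note else ""
        print(f"line {line_no}: <@s.{tag}> {name}={value!r}{hint}")
```

Plain HTML attributes such as the `<option value="${itemKey}">` line are not reported, because only Struts directives are in scope here.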

