[ 
https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aaron Katz updated VELTOOLS-172:
--------------------------------
    Description: 
*Please upgrade Apache Commons Validator to a supported, secure version*.  At 
this time, that appears to mean [upgrading to 
1.6|https://commons.apache.org/proper/commons-validator/changes-report.html] 


h2. vulnerabilities
There is at least one publicly known high severity vulnerability 
([CVE-2014-0114|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114]),
 allowing remote code execution, affecting all versions from 1.3.1 through 
1.4.1.

A cursory review shows that there do not appear to be publicly known 
vulnerabilities in 1.5 and above.

h2. support
Apache Commons Validator 1.3.x [has not had a release since 
2006|https://commons.apache.org/proper/commons-validator/changes-report.html], 
but [VelocityTools depends upon Validator 
1.3|http://velocity.apache.org/tools/2.0/dependencies.html].  I was unable to 
determine which branches Validator considers to be supported, so am suggesting 
upgrade to 1.6.  Given the release history of one major release followed by one 
minor release, then moving immediately to the next major release, this seems 
like a reasonable starting target.


When vulnerabilities are discovered in unsupported software, the industry 
standard response is "you need to patch to a supported version."  If you get 
too far behind in patch levels, then it may be very difficult to upgrade due to 
broken backwards compatibility.  

Furthermore, when vulnerabilities are discovered in supported software, there 
is no industry standard for determining if it affects unsupported versions.  
It's entirely possible that there are known vulnerabilities that affect the 
apparently-unsupported Apache Commons Validator 1.3 required by Velocity, and 
nobody will know until they're breached.  On the other hand, when there's a 
supported major version, it's a de-facto industry standard to announce all 
supported versions that are affected.  This means that staying on a supported 
version increases the chances of seeing vulnerability announcements for vulns 
that affect Velocity.  It also means that staying on an unsupported version is 
considered equivalent to staying on a known vulnerable version.

  was:
*Please upgrade struts to a supported, secure version*.  At this time, that 
means upgrading to 2.3.32 or 2.5.10.1


h2. vulnerabilities
There are publicly known high severity vulnerabilities, including remote code 
execution vulns, affecting all versions of Struts 2 except the versions cited 
above.

* 
https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aapache&cpe_product=cpe%3a%2f%3a%3astruts&cvss_version=3&cve_id=
* (details not yet in NVD) https://cwiki.apache.org/confluence/display/WW/S2-045


h2. support
Apache struts 1 [reached end of life in the year 
2000|https://struts.apache.org/struts1eol-announcement.html], but 
[VelocityTools depends upon Struts 
1.3.8|http://velocity.apache.org/tools/2.0/dependencies.html].


When vulnerabilities are discovered in unsupported software, the industry 
standard response is "you need to patch to a supported version."  If you get 
too far behind in patch levels, then it may be very difficult to upgrade due to 
broken backwards compatibility.  

Furthermore, when vulnerabilities are discovered in supported software, there 
is no industry standard for determining if it affects unsupported versions.  
It's entirely possible that there are known vulnerabilities that affect the 
unsupported Struts 1.3.8 required by Velocity, and nobody will know until 
they're breached.  On the other hand, when there's a supported major version, 
it's a de-facto industry standard to announce all supported versions that are 
affected.  This means that staying on a supported version increases the chances 
of seeing vulnerability announcements for vulns that affect Velocity.  It also 
means that staying on an unsupported version is considered equivalent to 
staying on a known vulnerable version.


> Upgrade to supported, secure version of Apache Commons Validator
> ----------------------------------------------------------------
>
>                 Key: VELTOOLS-172
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-172
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityStruts
>    Affects Versions: 2.0, 2.0.x, 2.1, 2.x
>            Reporter: Aaron Katz
>              Labels: security
>
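The affected range the ticket cites for CVE-2014-0114 (Validator 1.3.1 through 1.4.1) and its "patch to a supported version" rule, turned into a small dependency check. This is an added example, not part of the ticket, of VelocityTools or of Commons Validator; it generalizes to any dotted Maven-style version and shows the caveat that a series label such as "1.3" compares below 1.3.1, so the resolved artifact version, not the label, must be checked. The 1.5 threshold is taken from the ticket's cursory review.

```python
"""Version-range check for the Commons Validator advisory quoted in this ticket."""
import re
from typing import Tuple

# Affected range as stated in the ticket for CVE-2014-0114 (inclusive bounds).
VALIDATOR_AFFECTED = (("1.3.1", "1.4.1"),)
# Lowest version the ticket's cursory review found no known vulnerabilities in.
VALIDATOR_FIXED = "1.5"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Maven-style version into a comparable tuple of ints.

    Qualifiers after '-', '_' or '+' (e.g. '-SNAPSHOT') are dropped, so a
    pre-release is treated as its numeric base version (conservative choice).
    """
    core = re.split(r"[-_+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Compare two versions, right-padding with zeros so '1.3' == '1.3.0' < '1.3.1'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test using numeric comparison, not string comparison."""
    return cmp_versions(low, version) <= 0 and cmp_versions(version, high) <= 0


def is_affected(version: str, ranges=VALIDATOR_AFFECTED) -> bool:
    """True if the resolved artifact version falls in any published affected range."""
    return any(in_range(version, lo, hi) for lo, hi in ranges)


def needs_upgrade(version: str, fixed: str = VALIDATOR_FIXED) -> bool:
    """True if the version is below the first version believed clean (ticket: 1.5)."""
    return cmp_versions(version, fixed) < 0


if __name__ == "__main__":
    # Constructed inputs: the label from the VelocityTools dependency page and a
    # plausible resolved artifact. Note that the bare label is NOT flagged.
    for v in ("1.3", "1.3.1", "1.4.1", "1.6"):
        print(v, "affected" if is_affected(v) else "clear", "upgrade" if needs_upgrade(v) else "ok")
```

Because "1.3" is not caught by the 1.3.1 lower bound, feed this check the version resolved in the build (e.g. from the dependency tree), never the series label from a docs page.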



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
