[ 
https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15903799#comment-15903799
 ] 

Aaron Katz commented on VELTOOLS-172:
-------------------------------------

Thanks!  This raises a few questions for me:

* When is 3.0 expected to release?  
* Did the removal of Validator also occur in VelocityTools 2.1 or 2.2?  
* If not, will 2.x enter end of life as the method to deal with this 
vulnerability, or will the changes be backported?
* Is there an ETA for when 3.0 will be available?


> Upgrade to supported, secure version of Apache Commons Validator
> ----------------------------------------------------------------
>
>                 Key: VELTOOLS-172
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-172
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityStruts
>    Affects Versions: 2.0, 2.0.x, 2.1, 2.x
>            Reporter: Aaron Katz
>              Labels: security
>
> *Please upgrade Apache Commons Validator to a supported, secure version*.  At 
> this time, that appears to mean [upgrading to 
> 1.6|https://commons.apache.org/proper/commons-validator/changes-report.html] 
> h2. vulnerabilities
> There is at least one publicly known high severity vulnerability 
> ([CVE-2014-0114|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114]),
>  allowing remote code execution, affecting all versions from 1.3.1 through 
> 1.4.1.
> A cursory review shows that there do not appear to be publicly known 
> vulnerabilities in 1.5 and above.
> h2. support
> Apache Commons Validator 1.3.x [has not had a release since 
> 2006|https://commons.apache.org/proper/commons-validator/changes-report.html],
>  but [VelocityTools depends upon Validator 
> 1.3|http://velocity.apache.org/tools/2.0/dependencies.html].  I was unable to 
> determine which branches Validator considers to be supported, so am 
> suggesting upgrade to 1.6.  Given the release history of one major release 
> followed by one minor release, then moving immediately to the next major 
> release, this seems like a reasonable starting target.
> When vulnerabilities are discovered in unsupported software, the industry 
> standard response is "you need to patch to a supported version."  If you get 
> too far behind in patch levels, then it may be very difficult to upgrade due 
> to broken backwards compatibility.  
> Furthermore, when vulnerabilities are discovered in supported software, there 
> is no industry standard for determining if it affects unsupported versions.  
> It's entirely possible that there are known vulnerabilities that affect the 
> apparantly-unsupported Apache Commons Validator 1.3 required by Velocity, and 
> nobody will know until they're breached.  On the other hand, when there's a 
> supported major version, it's a de-facto industry standard to announce all 
> supported versions that are affected.  This means that staying on a supported 
> version increases the chances of seeing vulnerability announcements for vulns 
> that affect Velocity.  It also means that staying on an unsupported version 
> is considered equivalent to staying on a known vulnerable version.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to