[struts-master] branch bumps-parent updated: Fixes rebase issue
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch bumps-parent in repository https://gitbox.apache.org/repos/asf/struts-master.git The following commit(s) were added to refs/heads/bumps-parent by this push: new 2f03c04 Fixes rebase issue 2f03c04 is described below commit 2f03c0486e23a386b7209585aa489e55ece2fc3d Author: Lukasz Lenart AuthorDate: Thu Aug 23 08:49:55 2018 +0200 Fixes rebase issue --- pom.xml | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index df804dd..acb8995 100755 --- a/pom.xml +++ b/pom.xml @@ -307,9 +307,9 @@ -Yasser Zamani -yasserzamani -yasserzamani at apache.org +Aleksandr Mashchenko +amashchenko +amashchenko at apache.org PMC Member @@ -322,6 +322,14 @@ PMC Member + +Yasser Zamani +yasserzamani +yasserzamani at apache.org + +PMC Member + +
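Review bot: the message "Fixes rebase issue" does not say what went wrong, and the two hunks need that context: at @@ -307,9 +307,9 @@ the entry changes from yasserzamani to amashchenko, and at @@ -322,6 +322,14 @@ yasserzamani is added again as a separate block with role PMC Member. A commit body naming the entry that was overwritten would explain why the same developer is removed and re-added in one commit.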
[struts-master] branch bumps-parent created (now 22855ec)
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch bumps-parent
in repository https://gitbox.apache.org/repos/asf/struts-master.git.

      at 22855ec  Drops duplicated developer entry

This branch includes the following new commits:

     new b61e986  Upgrades apache parent to version 21
     new e8e8471  Adds Yasser to the developer's list
     new e2b59df  Cleans up urls
     new 22855ec  Drops duplicated developer entry

The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[struts-master] 03/04: Cleans up urls
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch bumps-parent in repository https://gitbox.apache.org/repos/asf/struts-master.git commit e2b59df2720a6b7723ca2f79e14bedbd3d4068ca Author: Lukasz Lenart AuthorDate: Thu Aug 23 08:37:55 2018 +0200 Cleans up urls --- pom.xml | 26 +++--- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/pom.xml b/pom.xml index aeda6b3..d32a79a 100755 --- a/pom.xml +++ b/pom.xml @@ -12,9 +12,9 @@ Apache Struts -scm:git:git://git.apache.org/struts-master.git - scm:git:https://git-wip-us.apache.org/repos/asf/struts-master.git -http://git.apache.org/struts-master.git + scm:git:https://gitbox.apache.org/repos/asf/struts-master.git + scm:git:https://gitbox.apache.org/repos/asf/struts-master.git +https://github.com/apache/struts-master/ HEAD @@ -34,38 +34,26 @@ user-subscr...@struts.apache.org user-unsubscr...@struts.apache.org u...@struts.apache.org - http://mail-archives.apache.org/mod_mbox/struts-user/ - - http://struts.apache.org/mail.html#Archives - + https://lists.apache.org/list.html?u...@struts.apache.org Struts Developer List dev-subscr...@struts.apache.org dev-unsubscr...@struts.apache.org d...@struts.apache.org - http://mail-archives.apache.org/mod_mbox/struts-dev/ - - http://struts.apache.org/dev/dev-mail.html#Archives - + https://lists.apache.org/list.html?d...@struts.apache.org Struts Commits List commits-subscr...@struts.apache.org commits-unsubscr...@struts.apache.org - http://mail-archives.apache.org/mod_mbox/struts-commits/ - - http://struts.apache.org/dev/dev-mail.html#Archives - + https://lists.apache.org/list.html?commits@struts.apache.org Struts Issues List issues-subscr...@struts.apache.org issues-unsubscr...@struts.apache.org - http://mail-archives.apache.org/mod_mbox/struts-issues/ - - http://struts.apache.org/dev/dev-mail.html#Archives - + https://lists.apache.org/list.html?iss...@struts.apache.org
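Review bot: in the @@ -12,9 +12,9 @@ hunk both added scm:git: lines carry the same https://gitbox.apache.org URL while the added browse URL points to https://github.com/apache/struts-master/, so the SCM block now names two different hosts. Moving off git:// and http:// is right; a short comment in the pom saying which host is canonical would keep a later edit from "correcting" one of them.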
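Review bot: in the @@ -34,38 +34,26 @@ hunk each of the four mailing-list entries loses its second archive link (the struts.apache.org ...#Archives line) as well as the mail-archives.apache.org one, and gains only a single lists.apache.org line, which the message "Cleans up urls" does not mention. If dropping the secondary links is intended, say so in the commit body; otherwise update them instead of deleting them.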
[struts-master] 02/04: Adds Yasser to the developer's list
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch bumps-parent in repository https://gitbox.apache.org/repos/asf/struts-master.git commit e8e847167a9e8d385f2de878c3905ec9c6cc1596 Author: Lukasz Lenart AuthorDate: Thu Aug 23 08:31:43 2018 +0200 Adds Yasser to the developer's list --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index ca4726b..aeda6b3 100755 --- a/pom.xml +++ b/pom.xml @@ -319,9 +319,9 @@ -Aleksandr Mashchenko -amashchenko -amashchenko at apache.org +Yasser Zamani +yasserzamani +yasserzamani at apache.org PMC Member
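Review bot: the @@ -319,9 +319,9 @@ hunk replaces the three amashchenko lines with the yasserzamani lines (3 insertions, 3 deletions), so an existing developer is removed where the subject "Adds Yasser to the developer's list" promises an addition. The unchanged "PMC Member" context line after them also means the new name takes over the role of the entry it overwrote. Add the new developer as a separate block and leave the existing entry untouched.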
[struts-master] 01/04: Upgrades apache parent to version 21
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch bumps-parent in repository https://gitbox.apache.org/repos/asf/struts-master.git commit b61e986c3ec40a007d614c7304de9ca904598e44 Author: Lukasz Lenart AuthorDate: Thu Aug 23 08:28:45 2018 +0200 Upgrades apache parent to version 21 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index bc8cf6a..ca4726b 100755 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.apache apache -18 +21 org.apache.struts struts-master
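Review bot: the one-line jump from 18 to 21 under org.apache / apache at @@ -3,7 +3,7 @@ comes with no note of what was verified. A parent POM supplies inherited build settings, so the commit body should record that the build was run against the new parent, and a before/after comparison of the effective POM would make any changed inherited plugin version a known change and not a surprise.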
[struts-master] 04/04: Drops duplicated developer entry
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch bumps-parent in repository https://gitbox.apache.org/repos/asf/struts-master.git commit 22855ec3b34b96bc103c52d1dae2e9db1856e890 Author: Lukasz Lenart AuthorDate: Thu Aug 23 08:39:40 2018 +0200 Drops duplicated developer entry --- pom.xml | 8 1 file changed, 8 deletions(-) diff --git a/pom.xml b/pom.xml index d32a79a..df804dd 100755 --- a/pom.xml +++ b/pom.xml @@ -322,14 +322,6 @@ PMC Member - -Yasser Zamani -yasserzamani -yasserzamani at apache.org - -Committer - -
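Review bot: the eight removed lines at @@ -322,14 +322,6 @@ are the yasserzamani block with role Committer, and the message does not say which entry it duplicates or which role is meant to remain. Name the surviving entry in the commit body and confirm its role is the intended one, since the only role visible in the context here is PMC Member.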
[struts-site] branch asf-site updated: Updates production by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 871b9b4 Updates production by Jenkins 871b9b4 is described below commit 871b9b498d6baefe7f8991bb0c86dd0b8c2ad502 Author: jenkins AuthorDate: Wed Aug 22 07:30:53 2018 + Updates production by Jenkins --- content/announce.html | 72 + content/core-developers/interceptors.html | 2 + content/core-developers/struts-default-xml.html | 2 + content/download.html | 84 - content/index.html | 22 +++ content/releases.html | 15 - 6 files changed, 143 insertions(+), 54 deletions(-) diff --git a/content/announce.html b/content/announce.html index 32f7605..5faaddd 100644 --- a/content/announce.html +++ b/content/announce.html @@ -130,6 +130,9 @@ Announcements 2018 + 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 + 22 August 2018 - Struts 2.5.17 General Availability + 22 August 2018 - Struts 2.3.35 General Availability 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 16 March 2018 - Struts 2.5.16 General Availability 
@@ -139,6 +142,75 @@ Skip to: Announcements - 2017 +22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 + +CVEID:CVE-2018-11776 + +PRODUCT:Apache Struts + +VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 + +PROBLEMTYPE:Remote Code Execution + +REFERENCES:https://cwiki.apache.org/confluence/display/WW/S2-057";>S2-057 + +DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and +2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its +upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action +set and in same time, its upper action(s) have no or wildcard namespace. + +22 August 2018 - Struts 2.5.17 General Availability + +The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a “General Availability” +release. The GA designation is our highest quality grade. + +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability: + + + Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - https://cwiki.apache.org/confluence/display/WW/S2-057";>S2-057 + + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +All developers are strongly advised to perform this action. + +The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7. 
+ +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download this version from our download page. + +22 August 2018 - Struts 2.3.35 General Availability + +The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a “General Availability” +release. The GA designation is our highest quality grade. + +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability: + + + Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - https://cwiki.apache.org/confluence/display/WW/S2-057";>S2-057 + + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +All developers are strongly advised to perform this action. + +The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6. + +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +Y
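Review bot: in the added 2.5.17 and 2.3.35 announcements, "All developers are strongly advised to perform this action." has nothing to refer to, because the paragraph before it is the general description of Apache Struts 2. Name the action in that sentence (upgrading to the announced release). The added CVE-2018-11776 entry also gives only the affected ranges (2.3 to 2.3.34 and 2.5 to 2.5.16); listing the fixed releases announced directly below it would let a reader act on that entry alone.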
[struts-site] branch master updated: release 2.5.17 and 2.3.35
This is an automated email from the ASF dual-hosted git repository. yasserzamani pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/master by this push: new 1f66ba6 release 2.5.17 and 2.3.35 1f66ba6 is described below commit 1f66ba6028734438164834675cb7d11be4e75b9c Author: Yasser Zamani AuthorDate: Wed Aug 22 11:44:37 2018 +0430 release 2.5.17 and 2.3.35 --- _config.yml | 12 ++ source/announce.md | 65 source/download.html | 40 source/index.html| 14 +-- source/releases.html | 13 +++ 5 files changed, 113 insertions(+), 31 deletions(-) diff --git a/_config.yml b/_config.yml index d69c392..dca449a 100644 --- a/_config.yml +++ b/_config.yml @@ -10,13 +10,17 @@ kramdown: syntax_highlighter: rouge # Simplifies introducing changes related to the latest release -current_version: 2.5.16 -current_version_short: 2516 +current_version: 2.5.17 +current_version_short: 2517 +prev_version: 2.3.35 +prev_version_short: 2335 archetype_version: 2.5.14 current_beta_version: 2.5-BETA3 current_beta_version_short: 25B3 -release_date: 16 March 2018 -release_date_short: 20180316 +release_date: 22 August 2018 +release_date_short: 20180822 +prev_release_date: 22 August 2018 +prev_release_date_short: 20180822 beta_release_date_short: 20160126 # Allows directly edit pages on GitHub diff --git a/source/announce.md b/source/announce.md index e9b7f7e..805e44d 100644 --- a/source/announce.md +++ b/source/announce.md 
@@ -13,6 +13,71 @@ title: Announcements 2018 Skip to: Announcements - 2017 + 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 {#a20180822-0} + +CVEID:CVE-2018-11776 + +PRODUCT:Apache Struts + +VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 + +PROBLEMTYPE:Remote Code Execution + +REFERENCES:[S2-057]({{ site.wiki_url }}/S2-057) + +DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and +2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its +upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action +set and in same time, its upper action(s) have no or wildcard namespace. + + 22 August 2018 - Struts 2.5.17 General Availability {#a20180822-1} + +The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a "General Availability" +release. The GA designation is our highest quality grade. + +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability: + +- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057) + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +**All developers are strongly advised to perform this action.** + +The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7. 
+ +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download this version from our [download](download.cgi#struts-ga) page. + + 22 August 2018 - Struts 2.3.35 General Availability {#a20180822-2} + +The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a "General Availability" +release. The GA designation is our highest quality grade. + +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability: + +- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057) + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +**All developers are strongly advised to perform this action.** + +The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6. + +Should any is
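Review bot: in the _config.yml hunk, prev_version: 2.3.35 carries the same date as current_version: 2.5.17 (release_date and prev_release_date are both 22 August 2018), so "prev" here names the older 2.3.x line and not the previous release. A comment above the new keys, in the style of the existing "# Simplifies introducing changes related to the latest release", would make that meaning clear to whoever edits these values for the next release.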
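Review bot: in the source/announce.md hunk, the DESCRIPTION line reads "was noticed that" where "noticed that" is meant, and "in same time" appears twice in the same paragraph and again in both release bullets. Since this text is the source for the published security announcement, fix the wording here before it is copied further.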