[ANN] Apache Struts 2.3.29 General Availability with Security Fixes Release

2016-06-17 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.29 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release addresses two potential security vulnerabilities:

- S2-035 Action name clean up is error prone
- S2-036 Forced double OGNL evaluation, when evaluated on raw user
input in tag attributes, may lead to remote code execution (similar to
S2-029)
- S2-037 Remote Code Execution can be performed when using REST Plugin.
- S2-038 It is possible to bypass token validation and perform a CSRF attack
- S2-039 Getter as action method leads to security bypass
- S2-040 Input validation bypass using existing default action method.
- S2-041 Possible DoS attack when using URLValidator

This release contains several minor improvements, just to mention a few of them:
- Json result type breaks
- MessageStorePreResultListener doesn’t store messages for 3rd-party
RedirectResult subclasses
- Multiple tiles.xml in web.xml
- New Tiles version can not find tiles*.xml files in sub-directories
- EmailValidator flags .cat emails as invalid
- Struts2 JSON Plugin: messages in fieldsErrors are serialized twice
since jdk1.7_80
- Tile definition Inheritance/overriding is broken in Struts2 tiles
plugin 2.3.28+
-  generates a value attribute for type=image which violates W3C
- ClassCastException while generating report using Struts 2.3.28 and
jasperreports 4.5.1

More details in version notes
http://struts.apache.org/docs/version-notes-2329.html

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Struts 2.5.1 General Availability

2016-06-17 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.1 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release addresses one potential security vulnerability:
- S2-041 Possible DoS attack when using URLValidator
  http://struts.apache.org/docs/s2-041.html

All security patches applied to Struts 2.3.29 were also applied to
this version (just in case).

This release contains several improvements, just to mention a few of them:
- contentType override ignored for JSONInterceptor - see WW-4558
- MessageStorePreResultListener does not store messages for 3rd-party
RedirectResult subclasses - see WW-4618
- EmailValidator flags .cat emails as invalid - see WW-4626
- SMI cannot be disabled - see WW-4632
- Centre alignment does not seem to work in Velocity tags - see WW-4634
- Unable to process Jar entry (javassist-3.20.0-GA.jar) - see WW-4637
- Strict Method Invocation breaks Action-Less Results - see WW-4643
- When method is not allowed throw exception with meaningful message -
see WW-4640
- update struts2 bom - see WW-4644

Version notes
http://struts.apache.org/docs/version-notes-251.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Struts 2.5-BETA3 Beta release available

2016-01-27 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5-BETA3
is available as a "Beta" release. The Beta designation indicates that
we believe the distribution needs wider testing before being upgraded
to a "General Availability" release. Your input is essential.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains several breaking changes and improvements, just
to mention a few of them:

New in BETA1
- XWork source was merged into Struts Core source, which means there
will be no more xwork artifact nor a dedicated jar
- OGNL was upgraded to version 3.0.11 and it breaks access to
properties as it follows Java Bean Specification, see WW-4207 and
WW-3909
- Spring dependency for tests and spring plugin was upgraded to
version 4.1.6, see WW-4510.
- Struts2 internal logging api was marked as deprecated and was
replaced with new Log4j2 api as logging layer, see WW-4504.
- Struts2 is now built with JDK7, see WW-4503.
- New plugin to support bean validation is now part of the
distribution, see WW-4505.
- Deprecated plugins are now removed from the distribution and are no
longer supported:
  - Dojo Plugin
  - Codebehind Plugin
  - JSF Plugin
  - Struts1 Plugin

New in BETA2
- New security option was added - Strict Method Invocation (also known
as Strict DMI), see WW-4540
- Add support for latest stable AngularJS in Maven archetype, see WW-4522

New in BETA3
- Dropped support for id and name - replaced with var, see WW-2069
- Dedicated archive with a minimal set of dependencies was introduced,
see WW-4570
- It is possible to use multiple names when defining a result, see WW-4590
- Rest plugin honors Accept header, see WW-4588
- New result 'JSONActionRedirectResult' in json-plugin was defined, see WW-4591
- Tiles plugin was upgraded to the latest Tiles 3 and tiles3-plugin was
dropped, see WW-4584
- JasperReports plugin was upgraded to JasperReport 6.0, see WW-4381
- OGNL was upgraded to version 3.0.11 and it breaks access to
properties as it follows Java Bean Specification, see WW-4207 and
WW-3909
  - and then OGNL was upgraded to version 3.1.1, see WW-4561
  - and then OGNL was upgraded to version 3.2.1, see WW-4577

and many other improvements, please check the version notes

Struts 2.5-BETA3 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts-beta

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

The release notes are available online at:
* http://struts.apache.org/2.x/docs/version-notes-25.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


- The Apache Struts group.
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.28 GA

2016-03-22 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.28 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release addresses three potential security vulnerabilities:

- S2-028 Possible XSS vulnerability in pages not using UTF-8 was fixed.
- S2-029 Forced double OGNL evaluation, when evaluated on raw user input
in tag attributes, may lead to remote code execution.
- S2-030 I18NInterceptor narrows selected locale to those available in
JVM to reduce possibility of another XSS vulnerability.

All developers are strongly advised to perform this action.

This release contains several changes and improvements, just to mention
a few of them:

- New ConfigurationProvider type was introduced -
ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn’t ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once on constructed
objects, see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to
store messages, see WW-4605
- A new annotation was added to support configuring Tiles -
@TilesDefinition, see WW-4606

and many other improvements, please check the version notes

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.

Struts 2.3.28 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page
* http://struts.apache.org/download.cgi#struts2328

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.28 version of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-2328.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.28.1 GA

2016-04-21 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.28.1 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release addresses two potential security vulnerabilities:

- S2-031 Possible RCE vulnerability in XSLTResult was fixed.
- S2-032 Prevents execution of chained expressions based on the new
isSequence flag introduced in the appropriate OGNL versions.

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.

Struts 2.3.28.1 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page
* http://struts.apache.org/download.cgi#struts23281

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.28.1 version of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-23281.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.20.3 GA & Apache Struts 2.3.24.3 GA

2016-04-21 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.20.3
and Struts 2.3.24.3 are available as “General Availability” releases.
The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

These releases address three potential security vulnerabilities:
- S2-029 Forced double OGNL evaluation, when evaluated on raw user
input in tag attributes, may lead to remote code execution.
- S2-031 Possible RCE vulnerability in XSLTResult was fixed.
- S2-032 Prevents execution of chained expressions based on the new
isSequence flag introduced in the appropriate OGNL versions.

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.

Struts 2.3.20.3 & 2.3.24.3 are available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page
* http://struts.apache.org/download.cgi#struts23203
* http://struts.apache.org/download.cgi#struts23243

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.20.3 & 2.3.24.3 versions of the Apache Struts framework have a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-23203.html
* http://struts.apache.org/docs/version-notes-23243.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.2 GA

2016-07-15 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.2 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains several improvements, just to mention a few of them:
- SecurityMemberAccess exclude class design issue, see WW-4645
- Json deserialization does not work in 2.5.1, see WW-4650
- Negative number is considered an arithmetic expression, see WW-4651
- Wildcard redirect and path /static/, see WW-4656
- Upgrade commons-fileupload to the latest version, see WW-4648
- Cleans up logic in StreamResult and update docs, see WW-4655

Version notes
http://struts.apache.org/docs/version-notes-252.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.30 GA

2016-07-15 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.30 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains several minor improvements, just to mention a few of them:
- Pre-evaluation of “name” attribute stopped working, see WW-4641
- Unable to retrieve s:hidden field values, see WW-4642
- SecurityMemberAccess exclude class design issue, see WW-4645
- Negative number is considered an arithmetic expression, see WW-4651
- Upgrade commons-fileupload to the latest version, see WW-4648

More details in version notes
http://struts.apache.org/docs/version-notes-2330.html

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-2330


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.10 GA

2017-02-03 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.10 is
available as a “General Availability” release. The GA designation is
our highest quality grade. Apache Struts 2 is an elegant, extensible
framework for creating enterprise-ready Java web applications. The
framework is designed to streamline the full development cycle, from
building, to deploying, to maintaining applications over time.

This release contains several breaking changes and improvements, just
to mention a few of them:
- How to handle 404 when using wildcard instead of error 500 when the
wildcard method doesn’t exist
- MessageStoreInterceptor must handle all redirects
- MaxMultiPartUpload limited to 2GB (Long –> Integer)
- Struts 2.5.8 no longer supports the  directive in the struts.xml
- JSONValidationInterceptor change static parameters names
- ServletDispatcherResult can’t handle parameters anymore
- TokenInterceptor synchronized on session.getId().intern()
- XSLT error during transformation
- No default parameter defined for result json of type
org.apache.struts2.json.JSONResult
- I18Interceptor ignores session or cookie Locale after first lookup failure
- EmailValidator does not accept new domain suffixes
- AnnotationValidationInterceptor : NullPointerException when method is null
- struts.xml include not loading in dependent jar files
- AnnotationValidationInterceptor should consult UnknownHandler before
throwing NoSuchMethodException
- ActionSupport.LOG should be private
- Remove StrutsObjectFactory and define StrutsInterceptorFactory instead
- Make OgnlValueStack and OgnlValueStackFactory More Extensible
- Make interceptor parameters dynamic
- allow include other config files from classpath

Version notes
http://struts.apache.org/docs/version-notes-2510.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-ga


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.5 GA

2016-10-21 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.5 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains several improvements, just to mention a few of them:
- webconsole can always be accessed, see WW-4601
- Space character and includeParams, see WW-4628
- Empty  is being suppressed, see WW-4631
- remove ASM 3 from struts2, see WW-4646
- SMI does not work with JSON plugin, see WW-4649
- Concurrency issue in addDefaultResourceBundle, see WW-4652
- Action parameters should be included when building the URL to
action, see WW-4654
- StreamResult closes outputstream early, see WW-4662
- NullPointerException when displaying a form without action
attribute, see WW-4663
- ParametersInterceptor excludeParams only applies to first instance
of params interceptor in paramsPrepareParamsStack, see WW-4667
- URL validator is case sensitive, see WW-4671
- Select box does not pre-select chosen values, see WW-4675
- Tiles-Plugin unable to load tiles definition XML, see WW-4679
- Missing brackets in checkbox.ftl of css_xhtml template, see WW-4681
- Move Struts Archetypes to dedicated project, see WW-4316
- Add dedicated class to represent Http Parameters, see WW-4572
- ParametersInterceptor should check collection index against DoS,
see WW-4620
- Move example portlet-app into struts-examples, see WW-4660
- Upgrade JFreeChart plugin to the latest version of JFreeChart, see WW-4670
- StrutsPrepareAndExecuteFilter should check for response committed
status, see WW-4674
- ConversionErrorInterceptor to extend MethodFilterInterceptor, see WW-4676
- I18N Interceptor automatically validates Locale, see WW-4677
- Upgrade Tiles to 3.0.7 GA version, see WW-4680
- Allow directly accessing I18N keys from Tiles definitions, see WW-4685
- Merge two existing I18NInterceptors into one, see WW-4686
- Exclude "java.ext.dirs" when scanning for actions, see WW-4688
- CycleDetector - use enum instead of String constants, see WW-4689
- Upgrade Commons Collections to 4.1, see WW-4695
- Upgrade to Log4j 2.7, see WW-4696
- Warn about excluded action/method only when DMI is disabled, see WW-4697

Version notes
http://struts.apache.org/docs/version-notes-255.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.31 General Availability with Security Fixes Release

2016-10-18 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.31 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release addresses two potential security vulnerabilities:

- S2-042 Possible path traversal in the Convention plugin
- S2-043 Using the Config Browser plugin in production

This release contains several minor improvements, just to mention a few of them:
- webconsole can always be accessed, see WW-4601
- Space character and includeParams, see WW-4628
- ParametersInterceptor excludeParams only applies to first instance
of params interceptor in paramsPrepareParamsStack, see WW-4667
- Select box does not pre-select chosen values, see WW-4675
- StrutsPrepareAndExecuteFilter should check for response committed
status, see WW-4674
- Allow directly accessing I18N keys from Tiles definitions, see WW-4685

More details in version notes
http://struts.apache.org/docs/version-notes-2331.html

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-2331


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] [SECURITY] Struts Extras secure Multipart plugins GA - versions 1.1

2017-03-23 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that the Apache Struts
2 Secure Jakarta Multipart parser plugin 1.1 and Apache Struts 2
Secure Jakarta Stream Multipart parser plugin 1.1 are available as a
“General Availability” release. The GA designation is our highest
quality grade.

These releases address one critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on
Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638)

Backward compatibility between different Struts versions was also improved.

http://struts.apache.org/docs/s2-045.html
http://struts.apache.org/docs/s2-046.html

Those plugins were released to allow users running older versions of
Apache Struts to secure their applications in an easy way. You don’t
have to migrate to the latest version (which is still preferable), but
by applying one of those plugins, your application won’t be vulnerable
anymore.

Please read the README (https://github.com/apache/struts-extras) for
more details and supported Apache Struts versions.

All developers are strongly advised to perform this action.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download those plugins from our download page.
http://struts.apache.org/download.cgi#struts-extras


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] [SECURITY] Struts Extras secure Multipart plugins GA

2017-03-20 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that the Apache Struts
2 Secure Jakarta Multipart parser plugin and Apache Struts 2 Secure
Jakarta Stream Multipart parser plugin are available as a “General
Availability” release. The GA designation is our highest quality
grade.

These releases address one critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on
Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638)

http://struts.apache.org/docs/s2-045.html
http://struts.apache.org/docs/s2-046.html

Those plugins were released to allow users running older versions of
Apache Struts to secure their applications in an easy way. You don’t
have to migrate to the latest version (which is still preferable), but
by applying one of those plugins, your application won’t be vulnerable
anymore.

It is a drop-in installation, just select a proper jar file and copy
it to WEB-INF/lib folder. Please read the README
(https://github.com/apache/struts-extras) for more details and
supported Apache Struts versions.

All developers are strongly advised to perform this action.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download those plugins from our download page.
http://struts.apache.org/download.cgi#struts-extras


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.32 GA with Security Fix Release

2017-03-10 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.32 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

This release addresses one potential security vulnerability:
- Possible Remote Code Execution when performing file upload based on
Jakarta Multipart parser - S2-045 -
http://struts.apache.org/docs/s2-045.html

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-23x


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.10.1 GA with Security Fix Release

2017-03-08 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.10.1 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

This release addresses one potential security vulnerability:
- Possible Remote Code Execution when performing file upload based on
Jakarta Multipart parser - S2-045 -
http://struts.apache.org/docs/s2-045.html

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts25101


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts: S2-049 Security Bulletin update

2017-08-10 Thread Lukasz Lenart
This is an update of the recently announced Security Bulletin S2-049 -
http://struts.apache.org/docs/s2-049.html

The bulletin was extended with additional information on when the
potential vulnerability can be present in your application. Please
re-read the mentioned bulletin and apply the required actions if needed.

Please report any problems back to the Struts Security mailing list -
secur...@struts.apache.org


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2: possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series

2017-07-07 Thread Lukasz Lenart
A potential security vulnerability was reported in the Struts 1 plugin
used in the Struts 2.3.x series. It is possible to perform a Remote
Code Execution attack if a given construction exists in the vulnerable
application. Please read the security bulletin for more details and
inspect your application.

- S2-048 Possible RCE in the Struts Showcase app in the Struts 1
plugin example in Struts 2.3.x series

http://struts.apache.org/docs/s2-048.html
http://struts.apache.org/announce.html#a20170707

NOTE: Please notice that this vulnerability does not affect
applications using Struts 2.5.x series or applications that do not use
the Struts 1 plugin. Even if the plugin is available but certain code
construction is not present, your application is safe.


On behalf of the Apache Struts project

Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.12 GA with Security Fixes Release

2017-07-13 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.12 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains fixes for the following potential security
vulnerabilities:

- S2-047 Possible DoS attack when using URLValidator
  http://struts.apache.org/docs/s2-047.html
- S2-049 A DoS attack is available for Spring secured actions
  http://struts.apache.org/docs/s2-049.html

Apart from the above, this release also contains several improvements,
to mention just a few of them:

- `double` and `Double` are not validated with the same decimal separator
- `ognl.MethodFailedException` when you do not enter a value for a
field mapped to an int
- `Double` Value Conversion with requestLocale=de
- The `TextProvider` injection in `ActionSupport` isn't quite
integrated into the framework's core DI
- Struts2 raise `java.lang.ClassCastException` when Result type is `chain`
- `@InputConfig` annotation is not working when integrating with spring aop
- Validators do not work for multiple values
- `BigDecimal` are not converted according context locale
- `NullPointerException` when displaying a form without action attribute
- Http Sessions forcefully created for all requests using
I18nInterceptor with default Storage value.
- `cssErrorClass` attribute has no effect on `label` tag
- Why `JSONValidationInterceptor` return Status Code `400 BAD_REQUEST`
instead of `200 SUCCESS`
- @autowired does not work since Struts 2.3.28.1
- Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1
- Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a
NoSuchDefinitionException
- Aspects are not executed when chaining AOPed actions
- Duplicate hidden input field checkboxListHandler
- The value of checkbox getted in server-side is "false" when no any
checkbox been selected.
- refactor file upload framework
- `creditCard` validator available in Struts 1 missing in Struts 2
- No easy way to have an empty interceptor stack if have default stack
- `@TypeConversion` converter attribute to class
- Convert `LocalizedTextUtil` into a bean with default implementation
- NPE in `StrutsTilesContainerFactory` when resource isn't found
- Buffer/Flush behaviour in `FreemarkerResult`
- Struts2 should know and consider config time class of user's Actions
- getters of exclude-sets in OgnlUtil should return immutable collections
- Mark `site-graph` plugin as deprecated
- Use `TextProviderFactory` instead of `TextProvider` as bean's dependency
- Create `LocaleProviderFactory` and uses instead of `LocaleProvider`
- Improve error logging in `DefaultDispatcherErrorHandler`
- Make `jakarta-stream` multipart parser more extensible
- Make Multipart parsers more extensible
- Add proper validation if request is a multipart request
- Make `SecurityMethodAccess` excluded classes & packages definitions immutable
- Upgrade to Log4j2 2.8.2
- Allow disable file upload support via an configurable option
- Stop using `DefaultLocalizedTextProvider#localeFromString` static util method
- Don't add `JBossFileManager` as a possible FileManager when not on JBoss
- There is no `@LongRangeFieldValidator` annotation to support
`LongRangeFieldValidator`
- Upgrade to commons-lang 3.6
- Update commons-fileupload

Please read the Version Notes to find more details about performed bug
fixes and improvements.
http://struts.apache.org/docs/version-notes-2512.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.3.34 General Availability with Security Fixes Release

2017-09-07 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.3.34 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

This release addresses these potential security vulnerabilities:
- S2-050 A regular expression Denial of Service when using
URLValidator (similar to S2-044 & S2-047)
- S2-051 A remote attacker may create a DoS attack by sending crafted
xml request when using the Struts REST plugin
- S2-052 Possible Remote Code Execution attack when using the Struts
REST plugin with XStream handler to handle XML payloads
- S2-053 A possible Remote Code Execution attack when using an
unintentional expression in Freemarker tag instead of string literals

This release contains several minor improvements, to mention just a few of them:
- Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is
ignored, Numeric Keys will work and mapped
- Threads get blocked due to unnecessary synchronization in OgnlRuntime
- Upgrade to OGNL 3.0.21
- Upgrade to struts-master 11
- Improve RegEx used to validate URLs

More details in version notes
http://struts.apache.org/docs/version-notes-2334.html

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.html#struts-23x


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.13 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains fixes for the following potential security
vulnerabilities:

- S2-050 A regular expression Denial of Service when using
URLValidator (similar to S2-044 & S2-047)
http://struts.apache.org/docs/s2-050.html
- S2-051 A remote attacker may create a DoS attack by sending crafted
xml request when using the Struts REST plugin
http://struts.apache.org/docs/s2-051.html
- S2-052 Possible Remote Code Execution attack when using the Struts
REST plugin with XStream handler to handle XML payloads
http://struts.apache.org/docs/s2-050.html

Apart from the above, this release also contains several improvements,
to mention just a few of them:

- Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is
ignored, Numeric Keys will work and mapped
- NP with TextProvider and wildcardmapping
- Threads get blocked due to unnecessary synchronization in OgnlRuntime
- Default Multipart validation regex is invalid
- Not fully initialized ObjectFactory tries to create beans
- http://struts.apache.org/dtds/struts-2.5.dtd missing
- Set a global resource bundle in class
- Override TextProvider does not work in struts 2.5.12
- Array-of-null parameters are converted to string “null”
- JakartaStreamMultiPartRequest Should Honor “struts.multipart.maxSize”
- Build Fails Due to Unused com.sun Import
- Struts2.5.12 - NPE in DeligatingValidatorContext
- Struts 2 Fails to Initialize with JRebel
- Allow define more than one Action suffix
- Remove jQuery from debugging interceptor views
- update dependencies page on the struts site
- Improve RegEx used to validate URLs
- Make REST ContentHandlers configurable
- expose Freemarker incompatible_improvements into FreemarkerManager
and StrutsBeansWrapper
- Upgrade Commons Collections to 3.2.2
- Upgrade Commons IO to 2.5
- Upgrade to ASM version 5.2
- Upgrade to OGNL 3.1.15
- Upgrade xstream to the latest version
- Upgrade to struts-master 11

Please read the Version Notes to find more details about performed bug
fixes and improvements.
http://struts.apache.org/docs/version-notes-2513.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
2017-09-05 15:17 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>:
> - S2-052 Possible Remote Code Execution attack when using the Struts REST 
> plugin with XStream handler to handle XML payloads
> http://struts.apache.org/docs/s2-050.html

It's supposed to be http://struts.apache.org/docs/s2-052.html


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.14 GA

2017-11-27 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.14 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

Below is a full list of all changes:

- A class JSONWriter was converted into an interface with default
implementation in DefaultJSONWriter class. If you were using the class
directly, you must update your code, otherwise it won’t compile
when using Struts 2.5.14.
- DefaultUrlHelper().buildUrl() not outputting port when used as parameter
- Not able to convert Spring object to the JSON response
- The if test can accidentally incorrectly assign a new value to an object
- ObjectFactory constructor signature change breaks extensions
- Snippets in Struts documentation are missing
- I am migrating my struts 2.2.x to 2.5.13 and where all used struts
taglibs and tags UI is breaking where i have not used bootstrap there
and all working fine
- Default Multipart validation regex is invalid due to charset encoding
- Exception starting filter struts-prepare: Unable to load
configuration. - interceptor - vfs
- createInstance method signature change of TextProviderFactory from
merged xwork-core code inside struts2-core-2.5.13.jar which was
present with xwork-core jar
- Struts2.5.13 can’t run in java9 win10
- StringConverter from OGNL 3.1.15 in Struts 2.5.13
- Decimal converters should avoid loss of user’s data caused by rounding
- Struts text tag doesn’t print value from Stack
- No validations happening after upgrading to Struts 2.5.12
- Allow to use custom JSONwriter
- Implement Dependency Check in Maven build
- Fallback to ActionContext if container is null in ActionSupport
- Upgrade to the latest Jetty plugin in all examples
- Add missing header with license to all files reported by the Rat plugin
- Review available interceptors and document the missing ones
- Fetch docs from new locations
- Allow define only TextProvider instead of providing the whole
TextProviderFactory
- HTML escaping on the text tag
- Upgrade FreeMarker to version 2.3.26-incubating
- Upgrade to Log4j2 2.9.1
- Upgrade com.fasterxml.jackson to version 2.8.2
- Upgrade net.sf.json-lib to version 2.4
- Upgrade Spring to version 4.1.9

Please read the Version Notes to find more details about performed bug
fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.14.1 GA with Security Fixes Release

2017-12-01 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.14.1 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains fixes for the following potential security
vulnerabilities:
- S2-054 A crafted JSON request can be used to perform a DoS attack
when using the Struts REST plugin
  https://cwiki.apache.org/confluence/display/WW/S2-054
- S2-055 Vulnerability in the Jackson JSON library
  https://cwiki.apache.org/confluence/display/WW/S2-055

Please read the Version Notes to find more details about performed bug
fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14.1

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-11 Thread Lukasz Lenart
Hi,

After further clarification we increased the impact of a vulnerability
reported to us and described as S2-055 to High. The vulnerability
exists in the JSON Jackson library and it's registered under
CVE-2017-7525. Please read the bulletin [1] and apply possible
solutions. This vulnerability impacts anyone using the vulnerable
Jackson JSON library (not only Struts users).

[1] https://cwiki.apache.org/confluence/display/WW/S2-055


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] New version of the Apache Struts Maven Archetypes

2018-02-06 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that the Apache Struts
Maven Archetypes are available as a “General Availability” release.
The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release of the archetypes is compatible with the latest version
of the Apache Struts. Please read the following web page of how to use
the archetypes:
http://struts.apache.org/maven-archetypes/

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin

2018-03-27 Thread Lukasz Lenart
The Apache Security Struts Team recommends immediately upgrading your
Struts 2 based projects to use the latest released version of the
Apache Struts. This is necessary to prevent your publicly accessible
web site, which is using the Struts REST plugin and performing XML
serialisation, from being exposed to a possible DoS attack.

You can find more details in a Security Bulletin S2-056 -
https://cwiki.apache.org/confluence/display/WW/S2-056

All developers are strongly advised to perform this action.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Immediately upgrade commons-fileupload to version 1.3.3

2018-03-27 Thread Lukasz Lenart
The Apache Struts Team recommends immediately upgrading your Struts 2
based projects to use the latest released version of the Commons
FileUpload library, which is currently 1.3.3. This is necessary to
prevent your publicly accessible web site from being exposed to
possible Remote Code Execution attacks (see [1] [2]).

This affects any Struts version prior to 2.5.12 [3].

Your project is affected if it uses the built-in file upload mechanism
of Struts 2, which defaults to the use of commons-fileupload. The
updated commons-fileupload library is a drop-in replacement for the
vulnerable version. Deployed applications can be hardened by replacing
the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
Maven based Struts 2 projects, the following dependency needs to be
added:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.3.3</version>
</dependency>

More details can be found here:

1. https://issues.apache.org/jira/browse/FILEUPLOAD-279
2. https://nvd.nist.gov/vuln/detail/CVE-2016-131
3. https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
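The hardening step in the message above (replace the commons-fileupload jar in WEB-INF/lib with the fixed one) is easy to get wrong across many deployments, so here is an added example of how a defender can audit it. This is not code from the announcement or from the Struts project: a POSIX shell script that walks an exploded WAR's WEB-INF/lib, reads the version out of the usual Maven jar name (<artifactId>-<version>.jar, an assumption about how the jar is named) and reports any commons-fileupload jar older than 1.3.3. The function names version_ge, outdated_jars and check_webinf_lib are my own; the sample directory built in demo is constructed, not a real deployment.

```shell
#!/bin/sh
# Added example (not part of the Struts announcement): flag commons-fileupload
# jars below the fixed 1.3.3 release in a deployed application's WEB-INF/lib.
# Assumes Maven-style jar names <artifactId>-<version>.jar.

# version_ge A B: return 0 when dotted version A is >= B, 1 otherwise.
# Missing components count as 0; trailing qualifiers (e.g. -SNAPSHOT) are
# ignored for the numeric comparison.
version_ge() {
  va="$1." vb="$2."
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$va" | cut -d. -f"$i")
    y=$(printf '%s' "$vb" | cut -d. -f"$i")
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits only
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# outdated_jars LIB ARTIFACT MIN: print every LIB/ARTIFACT-<version>.jar whose
# version is below MIN; return 0 when nothing is outdated, 1 otherwise.
outdated_jars() {
  lib="$1" artifact="$2" min="$3" status=0
  for jar in "$lib/$artifact"-*.jar; do
    [ -e "$jar" ] || continue                 # glob matched nothing
    ver=${jar##*/}; ver=${ver#"$artifact"-}; ver=${ver%.jar}
    if ! version_ge "$ver" "$min"; then
      printf 'OUTDATED: %s (%s < %s)\n' "$jar" "$ver" "$min"
      status=1
    fi
  done
  return "$status"
}

# check_webinf_lib LIB: apply the advisory's rule (commons-fileupload >= 1.3.3)
# to one exploded WAR's WEB-INF/lib. Returns 0 when the deployment is fine.
check_webinf_lib() {
  outdated_jars "$1" commons-fileupload 1.3.3
}

# Constructed demo directory (not a real deployment) so the script runs offline.
demo() {
  tmpdir=$(mktemp -d)
  : > "$tmpdir/commons-fileupload-1.3.2.jar"   # vulnerable, must be replaced
  : > "$tmpdir/commons-io-2.5.jar"             # unrelated jar, ignored
  if check_webinf_lib "$tmpdir"; then
    echo "OK: no outdated commons-fileupload jar in $tmpdir"
  else
    echo "ACTION: replace the jar(s) listed above with commons-fileupload 1.3.3"
  fi
  rm -rf "$tmpdir"
}

demo
```

Against a real deployment, call check_webinf_lib with the path to the application's WEB-INF/lib; for a Maven-built project the same question is answered at build time by inspecting the resolved dependency tree rather than the deployed jars.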


[ANN] Apache Struts 2.5.16 GA

2018-03-16 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.16 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

Below is a full list of all changes:

- unclosed instantiation of PrintWriter
- Http Sessions forcefully created for all requests using
I18nInterceptor with default Storage value.
- NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
- NotSerializableException:
com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when
using ExecuteAndWait interceptor
- ClassCastException in JarEntryRevision
- Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
- The converter() method of
com.opensymphony.xwork2.conversion.annotations.TypeConversion is now
deprecated. If this method is removed in some next release, it will
forbid describing a converter by the name (id) of a Spring bean.
- Conversion by annotation does not work
- List of Boolean is not populated in Action class
- JSONResult exception in struts2-json-plugin-2.5.14.1.jar
- buttons with name="method:METHODNAME" sometimes ignore
global-allowed-methods defined in struts.xml
- Could not create JarEntryRevision for [zip:C:/ unknown protocol c
- NPE in I18nInterceptor$SessionLocaleHandler.read
- JasperReportResult: NPE When Not Using SQL Connection
- support JSR 303 Validation Groups in BeanValidation-Plugin
- Debug tag should not display anything when not in dev mode
- Allow using of Initializable interface on an implementation level
- Allowed methods inheritance
- Allow use Jackson XML bindings to serialise / deserialise XML
- when using a custom array as a field in struts 2 action form,
textfield data from jsp page is not populating into the custom array
but populating in String array or array list
- Upgrade Spring to version 4.3.13
- Update Log4j2 to 2.10.0

Please read the Version Notes to find more details about performed bug
fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Extended list of Struts version affected by CVE-2018-11776 - RCE when using alwaysSelectFullNamespace

2018-09-24 Thread Lukasz Lenart
Hello,

We received additional information about possibly affected versions
of Struts. Please read the bulletin [1] to find more details about the
vulnerability and upgrade to the latest version of Struts if you are
running one of those versions:
- Struts 2.0.4 - Struts 2.3.34
- Struts 2.5.0 - Struts 2.5.16

[1] https://cwiki.apache.org/confluence/display/WW/S2-057


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.18 GA

2018-10-15 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.18 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

Below is a full list of all changes:
- jar_cache Some jar_cache**.tmp files are generated into a temporary
directory(/tmp) during web service start
- Struts 2.5.16 is creating jar_cache files in temp folder
- MD5 and SHA1 should no longer be provided on download pages
- xml-validation fails since struts 2.5.17

Internal Changes:
- XWorkList was moved into a com.opensymphony.xwork2.conversion.impl
package as com.opensymphony.xwork2.util package is excluded by the
Internal Security Mechanism.

Please read the Version Notes to find more details about performed bug
fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.18

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/