This is an automated email from the ASF dual-hosted git repository. yasserzamani pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/master by this push: new 1f66ba6 release 2.5.17 and 2.3.35 1f66ba6 is described below commit 1f66ba6028734438164834675cb7d11be4e75b9c Author: Yasser Zamani <yasserzam...@apache.org> AuthorDate: Wed Aug 22 11:44:37 2018 +0430 release 2.5.17 and 2.3.35 --- _config.yml | 12 ++++++---- source/announce.md | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++ source/download.html | 40 ++++++++++++++++---------------- source/index.html | 14 +++++------ source/releases.html | 13 +++++++++++ 5 files changed, 113 insertions(+), 31 deletions(-) diff --git a/_config.yml b/_config.yml index d69c392..dca449a 100644 --- a/_config.yml +++ b/_config.yml @@ -10,13 +10,17 @@ kramdown: syntax_highlighter: rouge # Simplifies introducing changes related to the latest release -current_version: 2.5.16 -current_version_short: 2516 +current_version: 2.5.17 +current_version_short: 2517 +prev_version: 2.3.35 +prev_version_short: 2335 archetype_version: 2.5.14 current_beta_version: 2.5-BETA3 current_beta_version_short: 25B3 -release_date: 16 March 2018 -release_date_short: 20180316 +release_date: 22 August 2018 +release_date_short: 20180822 +prev_release_date: 22 August 2018 +prev_release_date_short: 20180822 beta_release_date_short: 20160126 # Allows directly edit pages on GitHub diff --git a/source/announce.md b/source/announce.md index e9b7f7e..805e44d 100644 --- a/source/announce.md +++ b/source/announce.md 
@@ -13,6 +13,71 @@ title: Announcements 2018 Skip to: <a href="announce-2017.html">Announcements - 2017</a> </p> +#### 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 {#a20180822-0} + +CVEID:CVE-2018-11776 + +PRODUCT:Apache Struts + +VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 + +PROBLEMTYPE:Remote Code Execution + +REFERENCES:[S2-057]({{ site.wiki_url }}/S2-057) + +DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and +2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its +upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action +set and in same time, its upper action(s) have no or wildcard namespace. + +#### 22 August 2018 - Struts 2.5.17 General Availability {#a20180822-1} + +The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a "General Availability" +release. The GA designation is our highest quality grade. + +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability: + +- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057) + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +**All developers are strongly advised to perform this action.** + +The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7. 
+ +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download this version from our [download](download.cgi#struts-ga) page. + +#### 22 August 2018 - Struts 2.3.35 General Availability {#a20180822-2} + +The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a "General Availability" +release. The GA designation is our highest quality grade. + +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability: + +- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057) + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +**All developers are strongly advised to perform this action.** + +The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6. + +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download this version from our [download](download.cgi#struts-23x) page. + #### 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin {#a20180327} The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released diff --git a/source/download.html b/source/download.html index b3e3420..9b325d2 100644 --- a/source/download.html 
+++ b/source/download.html @@ -141,19 +141,19 @@ title: Download a Release </ul> -<h3 id="struts-23x">Struts 2.3.34</h3> +<h3 id="struts-23x">Struts {{ site.prev_version }}</h3> <ul> <li> - <a href="https://struts.apache.org/docs/version-notes-2334.html">Version Notes</a> + <a href="{{ site.wiki_url }}/Version+Notes+{{ site.prev_version }}">Version Notes</a> </li> <li>Full Distribution: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-all.zip">struts-2.3.34-all.zip</a> (65MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip.md5">MD5</a>] + <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-all.zip">struts-{{ site.prev_version }}-all.zip</a> (65MB) + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-all.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-all.zip.md5">MD5</a>] </li> </ul> </li> @@ -161,9 +161,9 @@ title: Download a Release <li>Example Applications: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-apps.zip">struts-2.3.34-apps.zip</a> (35MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-apps.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-apps.zip.md5">MD5</a>] + <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-apps.zip">struts-{{ site.prev_version }}-apps.zip</a> (35MB) + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-apps.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-apps.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -171,9 +171,9 @@ title: Download a Release <li>Essential Dependencies Only: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-min-lib.zip">struts-2.3.34-min-lib.zip</a> (4MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-min-lib.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-min-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-min-lib.zip">struts-{{ site.prev_version }}-min-lib.zip</a> (4MB) + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-min-lib.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-min-lib.zip.md5">MD5</a>] </li> </ul> </li> @@ -181,9 +181,9 @@ title: Download a Release <li>All Dependencies: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-lib.zip">struts-2.3.34-lib.zip</a> (19MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-lib.zip">struts-{{ site.prev_version }}-lib.zip</a> (19MB) + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-lib.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-lib.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -191,9 +191,9 @@ title: Download a Release <li>Documentation: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-docs.zip">struts-2.3.34-docs.zip</a> (13MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-docs.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-docs.zip.md5">MD5</a>] + <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-docs.zip">struts-{{ site.prev_version }}-docs.zip</a> (13MB) + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-docs.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-docs.zip.md5">MD5</a>] </li> </ul> </li> @@ -201,9 +201,9 @@ title: Download a Release <li>Source: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-src.zip">struts-2.3.34-src.zip</a> (7MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-src.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-src.zip.md5">MD5</a>] + <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-src.zip">struts-{{ site.prev_version }}-src.zip</a> (7MB) + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-src.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-src.zip.md5">MD5</a>] </li> </ul> </li> diff --git a/source/index.html b/source/index.html index ed46171..ecbf42b 100644 --- a/source/index.html +++ b/source/index.html 
@@ -40,15 +40,15 @@ title: Welcome to the Apache Struts project <p> Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date }}. </p> - Read more in <a href="announce.html#a{{ site.release_date_short }}">Announcement</a> or in + Read more in <a href="announce.html#a{{ site.release_date_short }}-1">Announcement</a> or in <a href="{{ site.wiki_url }}/Version+Notes+{{ site.current_version }}">Version notes</a> </div> <div class="column col-md-4"> - <h2>Apache Struts 2.3.34 GA</h2> + <h2>Apache Struts {{ site.prev_version }} GA</h2> <p> It's the latest release of Struts 2.3.x which contains the latest security fixes, - read more in <a href="announce-2017.html#a20170907">Announcement</a> or in - <a href="/docs/version-notes-2334.html">Version notes</a> + released on {{ site.prev_release_date }}.<br/> Read more in <a href="announce.html#a{{ site.prev_release_date_short }}-2">Announcement</a> or in + <a href="{{ site.wiki_url }}/Version+Notes+{{ site.prev_version }}">Version notes</a> </p> </div> </div> @@ -72,11 +72,11 @@ title: Welcome to the Apache Struts project </p> </div> <div class="column col-md-4"> - <h2>A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</h2> + <h2>Immediately upgrade to version {{ site.current_version }} or {{ site.prev_version }}</h2> <p> The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use - the latest released version of the Apache Struts to prevent possible DoS attack when using the REST plugin. - <a href="announce.html#a20180327">Announcement</a> + the latest released version of the Apache Struts to prevent possible RCE attack when using results with no namespace, + reported in <a href="{{ site.wiki_url }}/S2-057">S2-057</a>. Read more in <a href="announce.html#a{{ site.release_date_short }}-0">Announcement</a>. </p> </div> </div> diff --git a/source/releases.html b/source/releases.html index 57f29fb..1badc7b 100644 
--- a/source/releases.html +++ b/source/releases.html @@ -107,6 +107,18 @@ title: Releases <tbody> <tr> <td class="no-wrap"> + Struts 2.5.16 + </td> + <td class="no-wrap">16 March 2018</td> + <td> + <a href="{{ site.wiki_url }}/S2-057">S2-057</a> + </td> + <td> + <a href="{{ site.wiki_url }}/Version+Notes+2.5.16">Version notes</a> + </td> + </tr> + <tr> + <td class="no-wrap"> Struts 2.5.14.1 </td> <td class="no-wrap">30 November 2017</td> @@ -136,6 +148,7 @@ title: Releases </td> <td class="no-wrap">7 September 2017</td> <td> + <a href="{{ site.wiki_url }}/S2-057">S2-057</a> </td> <td> <a href="{{ site.wiki_url }}/Version+Notes+2.3.34">Version notes</a>
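Review bot: in the `_config.yml` hunk, `prev_release_date`/`prev_release_date_short` are identical to `release_date`/`release_date_short` (22 August 2018 / 20180822), so any page that builds an anchor from `a{{ site.release_date_short }}` now points at the same id for the 2.5.17, 2.3.35 and CVE entries; the hunks in announce.md and index.html work around this with hardcoded `-0`, `-1`, `-2` suffixes, which couples three files to the order of entries on the announcements page. Consider adding explicit keys such as `current_announce_anchor: a20180822-1` and `prev_announce_anchor: a20180822-2` (hypothetical names) next to the new `prev_version` keys, and a comment on `prev_version` stating that it tracks the maintained 2.3.x line, so the next release bump does not require editing the suffixes by hand.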
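Review bot: the CVE-2018-11776 description in the `announce.md` hunk has grammar problems on the added lines: "Man Yue Mo from the Semmle Security Research team was noticed that" should read "noticed that" (or "reported that"), "in same time" should read "at the same time", and "url tag which doesn't have value and action set" should read "url tag that has neither its value nor its action attribute set". The bullet repeated under the 2.5.17 and 2.3.35 entries also drops the second condition for the url tag case ("its upper action(s) have no or wildcard namespace") that the CVE paragraph above it includes; make the two wordings agree so readers assessing exposure do not get two different descriptions of the affected configuration. Both GA entries are otherwise byte-for-byte copies apart from the version and Java requirement, so a single template include keyed on `site.current_version`/`site.prev_version` would avoid this drift in future.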
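Review bot: in every `download.html` hunk the artifact sizes stay as literal 2.3.34 values (65MB, 35MB, 4MB, 19MB, 13MB, 7MB) while the version in the same line becomes `{{ site.prev_version }}`, so they are either already wrong for the 2.3.35 zips or will silently go stale on the next bump; either update them for the 2.3.35 artifacts or remove them. The checksum links also still point at `.md5` files for the newly templated version; confirm those files are actually published under www.apache.org/dist for 2.3.35 before this goes live, and prefer linking SHA-256/SHA-512 checksum files alongside the PGP `.asc` signature, which is the check users should be verifying against.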
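Review bot: the `index.html` hunks hardcode the anchor suffixes `-1`, `-2` and `-0` into `announce.html#a{{ site.release_date_short }}-1` and friends; a future release that publishes a single announcement (no suffix) or a different number of entries will leave these as dead links, so the suffix belongs in `_config.yml` rather than in the page. On the second hunk, "to prevent possible RCE attack when using results with no namespace, reported in S2-057" reads better as "to prevent a possible RCE attack (S2-057) when using results with no namespace", and the unchanged context line "The Apache Security Struts Team" should be "The Apache Struts Security Team" while this paragraph is being rewritten anyway.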
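Review bot: the `releases.html` hunks add a row for Struts 2.5.16 (dated 16 March 2018, matching the old `release_date` removed in `_config.yml`) and attach `S2-057` to both 2.5.16 and 2.3.34, but no row for 2.5.17 or 2.3.35 appears in this diff; confirm the table's top rows are generated from `site.current_version`/`site.prev_version` elsewhere in the file, otherwise the releases page will be missing exactly the versions the announcement tells users to upgrade to. If the bulletins column is meant to list the advisories that affect a release, 2.5.16 and 2.3.34 are consistent with the affected range in the CVE entry, so that part looks right.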