Re: Release Struts 2.5

2016-04-20 Thread Johannes Geppert
I would like to see a first stable 2.5 release as soon as possible. So I could announce and recommend it at the ApacheCon in Vancouver.
Best Regards
Johannes
# web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2016-04-12 15:20

Re: [VOTE][FASTTRACK] Struts 2.3.28.1

2016-04-20 Thread Johannes Geppert
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1 binding
Best Regards
Johannes
# web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2016-04-20 14:59 GMT+02:00 Lukasz Lenart

Re: [VOTE][FASTTRACK] Struts 2.3.20.3

2016-04-20 Thread Johannes Geppert
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1 binding
Best Regards
Johannes
# web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2016-04-20 15:33 GMT+02:00 Rene Gielen :
>

Re: [VOTE][FASTTRACK] Struts 2.3.24.3

2016-04-20 Thread Johannes Geppert
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1 binding
Best Regards
Johannes
# web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2016-04-20 17:45 GMT+02:00 Johannes Geppert :

Re: [VOTE][FASTTRACK] Struts 2.3.24.3

2016-04-20 Thread Johannes Geppert
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1 binding
Best Regards
Johannes
# web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2016-04-20 15:53 GMT+02:00 Christoph Nenning

Re: [VOTE][FASTTRACK] Struts 2.3.24.3

2016-04-20 Thread Christoph Nenning
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1, binding
Regards,
Christoph
> The Struts 2.3.24.3 test build is now available. It includes the
> latest security patch which fixes three possible vulnerabilities:
> - Forced double OGNL evaluation, when

Re: [VOTE][FASTTRACK] Struts 2.3.24.3

2016-04-20 Thread Rene Gielen
+1 GA, binding
On 20.04.16 at 15:19, Lukasz Lenart wrote:
> The Struts 2.3.24.3 test build is now available. It includes the
> latest security patch which fixes three possible vulnerabilities:
> - Forced double OGNL evaluation, when evaluated on raw user input in
> tag attributes, may lead to

Re: [VOTE][FASTTRACK] Struts 2.3.20.3

2016-04-20 Thread Rene Gielen
+1 GA, binding
On 20.04.16 at 13:51, Lukasz Lenart wrote:
> The Struts 2.3.20.3 test build is now available. It includes the
> latest security patch which fixes three possible vulnerabilities:
> - Forced double OGNL evaluation, when evaluated on raw user input in
> tag attributes, may lead to

Re: [VOTE][FASTTRACK] Struts 2.3.20.3

2016-04-20 Thread Lukasz Lenart
2016-04-20 13:51 GMT+02:00 Lukasz Lenart :
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1 (binding)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

[VOTE][FASTTRACK] Struts 2.3.24.3

2016-04-20 Thread Lukasz Lenart
The Struts 2.3.24.3 test build is now available. It includes the latest security patch which fixes three possible vulnerabilities:
- Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
- Possible RCE vulnerability in XSLTResult
-

Re: [VOTE][FASTTRACK] Struts 2.3.28.1

2016-04-20 Thread Lukasz Lenart
2016-04-20 8:42 GMT+02:00 Lukasz Lenart :
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1 (binding)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Re: [VOTE][FASTTRACK] Struts 2.3.20.3

2016-04-20 Thread Christoph Nenning
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1, binding
Regards,
Christoph
> The Struts 2.3.20.3 test build is now available. It includes the
> latest security patch which fixes three possible vulnerabilities:
> - Forced double OGNL evaluation, when

Re: [VOTE][FASTTRACK] Struts 2.3.28.1

2016-04-20 Thread Rene Gielen
+1 GA, binding
On 20.04.16 at 08:42, Lukasz Lenart wrote:
> The Struts 2.3.28.1 test build is now available. It includes the
> latest security patch which fixes two possible vulnerabilities:
> - Possible RCE vulnerability in XSLTResult
> - Prevents execution of chained expressions based on new

Re: [CANCELLED][VOTE][FASTRACK] Struts 2.3.24.2

2016-04-20 Thread Lukasz Lenart
This Vote has been cancelled and I'm preparing a new one
2016-04-20 8:40 GMT+02:00 Lukasz Lenart :
> The Struts 2.3.24.2 test build is now available. It includes the
> latest security patch which fixes two possible vulnerabilities:
> - Possible RCE vulnerability in

[VOTE][FASTTRACK] Struts 2.3.20.3

2016-04-20 Thread Lukasz Lenart
The Struts 2.3.20.3 test build is now available. It includes the latest security patch which fixes three possible vulnerabilities:
- Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
- Possible RCE vulnerability in XSLTResult
-

Re: [CANCELLED][VOTE][FASTRACK] 2.3.20.2

2016-04-20 Thread Lukasz Lenart
This Vote has been cancelled and I'm preparing a new one
2016-04-20 8:38 GMT+02:00 Lukasz Lenart :
> The Struts 2.3.20.2 test build is now available. It includes the
> latest security patch which fixes two possible vulnerabilities:
> - Possible RCE vulnerability in

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

2016-04-20 Thread Lukasz Lenart
2016-04-20 12:56 GMT+02:00 Christoph Nenning :
> so I was convinced too early ;)
Yeah ... you must be harder next time ;-)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

2016-04-20 Thread Christoph Nenning
> >> > I thought not blocking `ProcessBuilder` enables a whole lot of
> >> > vulnerabilities. Is this risk gone when `isSequence` is set?
> >> >
> >> > What happens when `new ProcessBuilder` is used in a parameter name?
> >>
> >> It won't work because using constructors matches using

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

2016-04-20 Thread Christoph Nenning
> > Hi,
> >
> > I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.
> >
> > Both contain "ognl.MemberAccess" twice and both lack
> > "java.lang.ProcessBuilder". Why is that?
>
> Overlooked :( And cherry-picking :\ But the most important thing is
> `isSequence` flag - that will block any

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

2016-04-20 Thread Lukasz Lenart
2016-04-20 10:07 GMT+02:00 Christoph Nenning :
> Hi,
>
> I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.
>
> Both contain "ognl.MemberAccess" twice and both lack
> "java.lang.ProcessBuilder". Why is that?
Overlooked :( And cherry-picking :\ But the most

struts.excludedClasses for 2.3.20.2 and 2.3.24.2

2016-04-20 Thread Christoph Nenning
Hi,
I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.
Both contain "ognl.MemberAccess" twice and both lack "java.lang.ProcessBuilder". Why is that?
Regards,
Christoph

Re: [VOTE][FASTTRACK] Struts 2.3.28.1

2016-04-20 Thread Christoph Nenning
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)
+1, binding
Regards,
Christoph
> The Struts 2.3.28.1 test build is now available. It includes the
> latest security patch which fixes two possible vulnerabilities:
> - Possible RCE vulnerability in XSLTResult
>

Re: [VOTE][FASTTRACK] Struts 2.3.28.1

2016-04-20 Thread Greg Huber
Tested 2.3.28.1 and looks OK.
+1 binding
[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)
Thanks.
On 20 April 2016 at 07:42, Lukasz Lenart wrote:
> The Struts 2.3.28.1

Re: [VOTE][FASTRACK] Struts 2.3.24.2

2016-04-20 Thread Lukasz Lenart
I forgot to mention that fixes related to S2-029 were also ported into this version
https://cwiki.apache.org/confluence/display/WW/S2-029
2016-04-20 8:40 GMT+02:00 Lukasz Lenart :
> The Struts 2.3.24.2 test build is now available. It includes the
> latest security patch

Re: [VOTE][FASTRACK] 2.3.20.2

2016-04-20 Thread Lukasz Lenart
I forgot to mention that fixes related to S2-029 were also ported into this version
https://cwiki.apache.org/confluence/display/WW/S2-029
2016-04-20 8:38 GMT+02:00 Lukasz Lenart :
> The Struts 2.3.20.2 test build is now available. It includes the
> latest security patch

Re: [VOTE][FASTRACK] Struts 2.3.24.2

2016-04-20 Thread Lukasz Lenart
2016-04-20 8:40 GMT+02:00 Lukasz Lenart :
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.20.2/
It's supposed to be https://dist.apache.org/repos/dist/dev/struts/2.3.24.2/
Cheers
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

[VOTE][FASTTRACK] Struts 2.3.28.1

2016-04-20 Thread Lukasz Lenart
The Struts 2.3.28.1 test build is now available. It includes the latest security patch which fixes two possible vulnerabilities:
- Possible RCE vulnerability in XSLTResult
- Prevents execution of chained expressions based on new isSequence flag introduced in appropriate OGNL versions
For details

[VOTE][FASTRACK] Struts 2.3.24.2

2016-04-20 Thread Lukasz Lenart
The Struts 2.3.24.2 test build is now available. It includes the latest security patch which fixes two possible vulnerabilities:
- Possible RCE vulnerability in XSLTResult
- Prevents execution of chained expressions based on new isSequence flag introduced in appropriate OGNL versions
For details

[VOTE][FASTRACK] 2.3.20.2

2016-04-20 Thread Lukasz Lenart
The Struts 2.3.20.2 test build is now available. It includes the latest security patch which fixes two possible vulnerabilities:
- Possible RCE vulnerability in XSLTResult
- Prevents execution of chained expressions based on new isSequence flag introduced in appropriate OGNL versions
For details