[jira] [Commented] (VELTOOLS-172) Upgrade to supported, secure version of Apache Commons Validator
[ https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15947412#comment-15947412 ]

Mark Symons commented on VELTOOLS-172:
--

FYI: CVE-2014-0114 is a threat linked to Apache Commons BeanUtils. See VELTOOLS-170. Note also that it is not merely sufficient to use the latest version (1.9.3) but it must be used correctly.

> Upgrade to supported, secure version of Apache Commons Validator
>
> Key: VELTOOLS-172
> URL: https://issues.apache.org/jira/browse/VELTOOLS-172
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityStruts
> Affects Versions: 2.0, 2.0.x, 2.1, 2.x
> Reporter: Aaron Katz
> Labels: security
>
> *Please upgrade Apache Commons Validator to a supported, secure version*. At this time, that appears to mean [upgrading to 1.6|https://commons.apache.org/proper/commons-validator/changes-report.html]
>
> h2. vulnerabilities
>
> There is at least one publicly known high severity vulnerability ([CVE-2014-0114|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114]), allowing remote code execution, affecting all versions from 1.3.1 through 1.4.1.
>
> A cursory review shows that there do not appear to be publicly known vulnerabilities in 1.5 and above.
>
> h2. support
>
> Apache Commons Validator 1.3.x [has not had a release since 2006|https://commons.apache.org/proper/commons-validator/changes-report.html], but [VelocityTools depends upon Validator 1.3|http://velocity.apache.org/tools/2.0/dependencies.html]. I was unable to determine which branches Validator considers to be supported, so am suggesting upgrade to 1.6. Given the release history of one major release followed by one minor release, then moving immediately to the next major release, this seems like a reasonable starting target.
>
> When vulnerabilities are discovered in unsupported software, the industry standard response is "you need to patch to a supported version." If you get too far behind in patch levels, then it may be very difficult to upgrade due to broken backwards compatibility.
>
> Furthermore, when vulnerabilities are discovered in supported software, there is no industry standard for determining if it affects unsupported versions. It's entirely possible that there are known vulnerabilities that affect the apparently-unsupported Apache Commons Validator 1.3 required by Velocity, and nobody will know until they're breached. On the other hand, when there's a supported major version, it's a de-facto industry standard to announce all supported versions that are affected. This means that staying on a supported version increases the chances of seeing vulnerability announcements for vulns that affect Velocity. It also means that staying on an unsupported version is considered equivalent to staying on a known vulnerable version.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
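The "must be used correctly" point in the comment above refers to a configuration step on the application side. The following is an added illustration, not code from the ticket or from the Velocity project: it assumes Commons BeanUtils 1.9.2 or 1.9.3 on the classpath, where the `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` introspector exists but is not registered on the shared default `BeanUtilsBean` instance. The `exposesClassProperty` helper and the `Form` bean are constructed for the example; they report whether a given `BeanUtilsBean` still resolves the `class` property that CVE-2014-0114 hinges on, so the same check can be run against the instance a framework actually uses.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

import java.beans.PropertyDescriptor;

// Added illustration (not project code): verifies whether a BeanUtilsBean
// resolves the "class" property and shows the configuration that removes it
// on Commons BeanUtils 1.9.2 / 1.9.3, where it is not applied by default.
public class BeanUtilsClassPropertyCheck {

    // Any JavaBean will do; the "class" property is inherited from java.lang.Object.
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True when the given instance still exposes "class" as a readable property.
    public static boolean exposesClassProperty(BeanUtilsBean beanUtils) throws Exception {
        PropertyDescriptor descriptor =
            beanUtils.getPropertyUtils().getPropertyDescriptor(new Form(), "class");
        return descriptor != null;
    }

    // Builds an instance with the "class" property suppressed.
    public static BeanUtilsBean hardened() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    public static void main(String[] args) throws Exception {
        // Shared default instance as shipped in 1.9.3: nothing is suppressed.
        System.out.println("default instance exposes 'class': "
                + exposesClassProperty(BeanUtilsBean.getInstance()));
        // Explicitly configured instance: "class" is no longer a bean property.
        System.out.println("hardened instance exposes 'class': "
                + exposesClassProperty(hardened()));
    }
}
```

Libraries such as Struts 1 and Commons Validator go through the static `BeanUtils`/`PropertyUtils` facades, which delegate to `BeanUtilsBean.getInstance()`; for code one does not control, the introspector is therefore added to that shared instance once at application startup (`BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(...)`), and the check above is run afterwards to confirm the registration took effect in the context class loader the web application actually uses.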
[jira] [Commented] (VELTOOLS-172) Upgrade to supported, secure version of Apache Commons Validator
[ https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15903885#comment-15903885 ]

Michael Osipov commented on VELTOOLS-172:
--

Release planning is discussed in the users mailing list, not in tickets. As for your second question: consult Subversion history.
[jira] [Commented] (VELTOOLS-172) Upgrade to supported, secure version of Apache Commons Validator
[ https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15903799#comment-15903799 ]

Aaron Katz commented on VELTOOLS-172:
--

Thanks! This raises a few questions for me:

* When is 3.0 expected to release?
* Did the removal of Validator also occur in VelocityTools 2.1 or 2.2?
* If not, will 2.x enter end of life as the method to deal with this vulnerability, or will the changes be backported?
* Is there an ETA for when 3.0 will be available?
[jira] [Commented] (VELTOOLS-172) Upgrade to supported, secure version of Apache Commons Validator
[ https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15903709#comment-15903709 ]

Michael Osipov commented on VELTOOLS-172:
--

Same here, Tools 3.0 doesn't use Commons Validator as far as POMs are concerned.
[jira] [Commented] (VELTOOLS-172) Upgrade to supported, secure version of Apache Commons Validator
[ https://issues.apache.org/jira/browse/VELTOOLS-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15903658#comment-15903658 ]

Michael Osipov commented on VELTOOLS-172:
--

Wrong description, please update.

> Upgrade to supported, secure version of Apache Commons Validator
>
> Key: VELTOOLS-172
> URL: https://issues.apache.org/jira/browse/VELTOOLS-172
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityStruts
> Affects Versions: 2.0, 2.0.x, 2.1, 2.x
> Reporter: Aaron Katz
> Labels: security
>
> *Please upgrade struts to a supported, secure version*. At this time, that means upgrading to 2.3.32 or 2.5.10.1
>
> h2. vulnerabilities
>
> There are publicly known high severity vulnerabilities, including remote code execution vulns, affecting all versions of Struts 2 except the versions cited above.
>
> * https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true=on_vendor=cpe%3a%2f%3aapache_product=cpe%3a%2f%3a%3astruts_version=3_id=
> * (details not yet in NVD) https://cwiki.apache.org/confluence/display/WW/S2-045
>
> h2. support
>
> Apache struts 1 [reached end of life in the year 2000|https://struts.apache.org/struts1eol-announcement.html], but [VelocityTools depends upon Struts 1.3.8|http://velocity.apache.org/tools/2.0/dependencies.html].
>
> When vulnerabilities are discovered in unsupported software, the industry standard response is "you need to patch to a supported version." If you get too far behind in patch levels, then it may be very difficult to upgrade due to broken backwards compatibility.
>
> Furthermore, when vulnerabilities are discovered in supported software, there is no industry standard for determining if it affects unsupported versions. It's entirely possible that there are known vulnerabilities that affect the unsupported Struts 1.3.8 required by Velocity, and nobody will know until they're breached. On the other hand, when there's a supported major version, it's a de-facto industry standard to announce all supported versions that are affected. This means that staying on a supported version increases the chances of seeing vulnerability announcements for vulns that affect Velocity. It also means that staying on an unsupported version is considered equivalent to staying on a known vulnerable version.