[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior

2018-11-04 Thread Lukasz Lenart
The Apache Struts Team recommends that you immediately upgrade your Struts
2.3.36-based projects to use the latest released version of the Commons
FileUpload library, which is currently 1.3.3. This is necessary to
prevent your publicly accessible web site from being exposed to
possible Remote Code Execution attacks (see [1] [2]).

This affects Struts 2.3.36 and prior. Struts versions from 2.5.12 are
already using the latest commons-fileupload version [3].

Your project is affected if it uses the built-in file upload mechanism
of Struts 2, which defaults to the use of commons-fileupload. The
updated commons-fileupload library is a drop-in replacement for the
vulnerable version. Deployed applications can be hardened by replacing
the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
Maven-based Struts 2 projects, the following dependency needs to be
added:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.3.3</version>
</dependency>

More details can be found here:

[1] https://issues.apache.org/jira/browse/FILEUPLOAD-279
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-131
[3] https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.

on behalf of the Apache Struts Team

Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: Question Regarding Recent Security Announcement

2018-11-04 Thread Lukasz Lenart
Sun, 4 Nov 2018 at 18:40 David Dillard wrote:
>   1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
> used, not 1.3.3, so I'm confused about what's stated in the email.  What's
> recommended doesn't seem to accomplish what the email states it will.

We overlooked that when we were preparing Struts 2.3.36; this is
an easy drop-in dependency.

>   2.  The recommendation for Fileupload 1.3.2 can be found in the Maven 
> repository since Struts 2.3.30, which was released back in July 2016.
>   3.  This makes sense since the last documented DoS vulnerability in 
> Fileupload was fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




RE: Question Regarding Recent Security Announcement

2018-11-04 Thread Yasser Zamani
Hi David,

That was a typo which has already been fixed and re-announced. We meant 1.3.3.
Thanks for your email.

Regards.

>-Original Message-
>From: David Dillard 
>Sent: Sunday, November 4, 2018 9:10 PM
>To: user@struts.apache.org
>Subject: Question Regarding Recent Security Announcement
>
>Hi,
>
>An email was recently sent to the Apache Announcements list suggesting that
>users update to Apache Struts 2.3.36 in order to update to Apache Commons
>Fileupload 1.3.3 due to a potential DoS.  I have a few questions about this:
>
>
>  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
>used, not 1.3.3, so I'm confused about what's stated in the email.  What's
>recommended doesn't seem to accomplish what the email states it will.
>  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven
>repository since Struts 2.3.30, which was released back in July 2016.
>  3.  This makes sense since the last documented DoS vulnerability in
>Fileupload was fixed in 1.3.2.
>
>So, given all of this, can someone explain why this recommendation was made
>and why now, since the noted issues have been resolved for a couple of years?
>
>
>Thanks,
>
>David





Question Regarding Recent Security Announcement

2018-11-04 Thread David Dillard
Hi,

An email was recently sent to the Apache Announcements list suggesting that users
update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload
1.3.3 due to a potential DoS.  I have a few questions about this:


  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
used, not 1.3.3, so I'm confused about what's stated in the email.  What's
recommended doesn't seem to accomplish what the email states it will.
  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven 
repository since Struts 2.3.30, which was released back in July 2016.
  3.  This makes sense since the last documented DoS vulnerability in 
Fileupload was fixed in 1.3.2.

So, given all of this, can someone explain why this recommendation was made and
why now, since the noted issues have been resolved for a couple of years?


Thanks,

David



Re: [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36

2018-11-04 Thread Lukasz Lenart
I meant commons-fileupload version 1.3.3, sorry for that.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Sun, 4 Nov 2018 at 10:30 Lukasz Lenart wrote:
>
> The Apache Struts Team recommends that you immediately upgrade your Struts 2.3.36
> based projects to use the latest released version of the Commons
> FileUpload library, which is currently 1.3.1. This is necessary to
> prevent your publicly accessible web site from being exposed to
> possible DoS attacks [1] [2].
>
> Your project is affected if it uses the built-in file upload mechanism
> of Struts 2, which defaults to the use of commons-fileupload. The
> updated commons-fileupload library is a drop-in replacement for the
> vulnerable version. Deployed applications can be hardened by replacing
> the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
> Maven-based Struts 2 projects, the following dependency needs to be
> added:
>
> <dependency>
>   <groupId>commons-fileupload</groupId>
>   <artifactId>commons-fileupload</artifactId>
>   <version>1.3.1</version>
> </dependency>
>
>
> More details can be found here:
> [1] 
> http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
> [2] 
> http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3c52f373fc.9030...@apache.org%3E
>
> on behalf of the Apache Struts Team
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/




[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36

2018-11-04 Thread Lukasz Lenart
The Apache Struts Team recommends that you immediately upgrade your Struts 2.3.36
based projects to use the latest released version of the Commons
FileUpload library, which is currently 1.3.1. This is necessary to
prevent your publicly accessible web site from being exposed to
possible DoS attacks [1] [2].

Your project is affected if it uses the built-in file upload mechanism
of Struts 2, which defaults to the use of commons-fileupload. The
updated commons-fileupload library is a drop-in replacement for the
vulnerable version. Deployed applications can be hardened by replacing
the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
Maven-based Struts 2 projects, the following dependency needs to be
added:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.3.1</version>
</dependency>


More details can be found here:
[1] 
http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
[2] 
http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3c52f373fc.9030...@apache.org%3E

on behalf of the Apache Struts Team


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

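Both announcements in this thread (the original one just above and the corrected one at the top, which names 1.3.3) tell a deployer to replace the commons-fileupload jar in WEB-INF/lib, but give no way to verify what is actually deployed. The script below is an added example written for this page, not Struts project code and not part of either announcement: it walks a WEB-INF/lib directory, identifies commons-fileupload by its package contents (so a renamed jar is not missed), reads the version from the jar manifest and falls back to the file name, and flags anything older than 1.3.3. The sample jars it builds in a temporary directory are constructed for the demo; the manifest attributes it reads (Implementation-Version, Bundle-Version) are an assumption about how the jar was packaged, and an unreadable version is reported as "FIX" rather than silently passed.

```python
"""Flag an outdated commons-fileupload jar in a deployed Struts 2 app's WEB-INF/lib.

Added example for this thread; not Struts project code. The sample jars are
constructed in a temp dir so the scan runs offline.
"""
import os
import re
import sys
import tempfile
import zipfile

MIN_VERSION = (1, 3, 3)  # version the corrected announcement asks for
FILENAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")
PACKAGE_PREFIX = "org/apache/commons/fileupload/"


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); a suffix such as '-SNAPSHOT' is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in core.group(0).split(".")) if core else None


def manifest_version(jar_path):
    """Version from META-INF/MANIFEST.MF (Implementation-Version, else Bundle-Version)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(r"^%s:\s*(\S+)" % re.escape(key), manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    return None


def is_fileupload_jar(jar_path):
    """Match by file name first, then by package contents, so a renamed jar is not missed."""
    if FILENAME_RE.match(os.path.basename(jar_path)):
        return True
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return any(n.startswith(PACKAGE_PREFIX) for n in jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def scan_lib_dir(lib_dir):
    """Return [(jar name, version tuple or None, ok)] for each commons-fileupload jar found.

    ok is False when the version is unknown; a deployer should treat that as 'replace it'.
    """
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        if not name.endswith(".jar") or not is_fileupload_jar(path):
            continue
        version = manifest_version(path)
        if version is None:  # fall back to the version embedded in the file name
            m = FILENAME_RE.match(name)
            version = parse_version(m.group(1)) if m else None
        findings.append((name, version, version is not None and version >= MIN_VERSION))
    return findings


def build_demo_lib(lib_dir):
    """Write constructed sample jars (not real releases): one stale, one renamed but fixed, one unrelated."""
    os.makedirs(lib_dir, exist_ok=True)
    samples = {
        "commons-fileupload-1.3.2.jar": ("1.3.2", PACKAGE_PREFIX + "FileUpload.class"),
        "upload-lib.jar": ("1.3.3", PACKAGE_PREFIX + "FileUpload.class"),
        "commons-io-2.2.jar": ("2.2", "org/apache/commons/io/IOUtils.class"),
    }
    for name, (version, entry) in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            jar.writestr(entry, b"")


def demo_scan():
    """Build the sample WEB-INF/lib in a temp dir and return {jar: (version, ok)}."""
    lib_dir = os.path.join(tempfile.mkdtemp(), "WEB-INF", "lib")
    build_demo_lib(lib_dir)
    return {name: (version, ok) for name, version, ok in scan_lib_dir(lib_dir)}


if __name__ == "__main__":
    # Usage: python check_fileupload.py /path/to/app/WEB-INF/lib   (no argument: run the demo)
    if len(sys.argv) > 1:
        results = scan_lib_dir(sys.argv[1])
    else:
        results = [(n, v, ok) for n, (v, ok) in demo_scan().items()]
    for name, version, ok in results:
        shown = ".".join(map(str, version)) if version else "unknown"
        print("%s  %-32s %s" % ("OK  " if ok else "FIX ", name, shown))
    sys.exit(0 if results and all(ok for _, _, ok in results) else 1)
```

Run it against an exploded WAR's WEB-INF/lib; a non-zero exit means at least one commons-fileupload jar is missing, unversioned, or older than 1.3.3. The demo exits non-zero because its constructed 1.3.2 jar is stale. Note that the scan is a deployment check only: it does not tell you whether the application actually uses the Struts file upload interceptor, which is the condition under which the announcement says a project is affected.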