RE: Status of 2.5.23?

2020-08-15 Thread David Dillard
Released about six weeks ago: 
https://github.com/apache/struts/releases/tag/STRUTS_2_5_23


-----Original Message-----
From: Tellis, Wyatt  
Sent: Saturday, August 15, 2020 12:00 PM
To: 'user@struts.apache.org' 
Subject: [EXTERNAL] Status of 2.5.23?

Hi,

What's the status of 2.5.23?  The migration guide seems to indicate it exists:

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.23

but I don't see it mentioned anywhere else and it's not in the central repo.

Thanks,

Wyatt




RE: [EXTERNAL] struts2.5.22 + tiles3.0.8 + commons-beanutils to version 1.9.4

2019-12-09 Thread David Dillard
FYI, BeanUtils 1.9.4 only had one change and that was made to address a 
vulnerability.  See 
https://commons.apache.org/proper/commons-beanutils/changes-report.html#a1.9.4

If I were you I'd check to see if that vulnerability is an issue for you in the 
context of Tiles.  If it is, maybe you can fix it yourself.  Tiles is "retired" 
(aka EOL), so don't expect a fix from the Tiles community; there isn't one 
anymore.


-----Original Message-----
From: em...@encs.concordia.ca  
Sent: Monday, December 9, 2019 10:55 AM
To: user@struts.apache.org
Subject: [EXTERNAL] struts2.5.22 + tiles3.0.8 + commons-beanutils to version 
1.9.4

Hello,

Based on struts2.5.22 + tiles3.0.8 + commons-beanutils to version 1.9.4,
I got the following error:

org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of 
class org.apache.tiles.extras.complete.CompleteAutoloadTilesListener
org.apache.velocity.tools.config.ConfigurationException: Couldn't instantiate 
instance of tool for: Tool 'tiles' => null with 1 properties [key -auto-> 
tiles; ](java.lang.NullPointerException)


May I know whether I am missing any jar(s)?

Tried commons-beanutils 1.9.3, no errors. So, should I use beanutils
1.9.3 instead?

Thanks a lot.
--
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
Dependency
 [WW-5037] - Upgrade commons-beanutils to version 1.9.4





RE: Struts 2.5 upgrade clarification

2018-12-27 Thread David Dillard
Independent of Struts requirements, you should upgrade as Java 6 is no longer 
receiving updates (not even under a support contract).

https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
https://www.oracle.com/support/lifetime-support/



-----Original Message-----
From: Gopal, Siva Prakash (US - Mechanicsburg Delivery)  
Sent: Thursday, December 27, 2018 2:09 PM
To: Struts Users Mailing List 
Subject: [EXTERNAL] Struts 2.5 upgrade clarification

Hi Team,

We are upgrading our Struts version from 2.3 to 2.5. Currently we are using 
Java version 1.6. Do we need to upgrade the Java version as part of the Struts upgrade?

Thanks,
Siva




RE: [EXTERNAL] Re: Struts 2.5.x support above Java 8

2018-11-12 Thread David Dillard
True, however just because someone made the choice to use them (knowing that 
they would be supported for six months each) and to continue using them doesn’t 
mean Struts has to support those people.


-----Original Message-----
From: Dave Newton  
Sent: Sunday, November 11, 2018 11:17 AM
To: Struts Users Mailing List 
Subject: Re: [EXTERNAL] Re: Struts 2.5.x support above Java 8

Determining support is fraught, because people run on all sorts of JVMs, 
including EOLed versions :/

On Sun, Nov 11, 2018 at 10:01 AM David Dillard 
wrote:

> > We do plan support JDK 9 and JDK 11 as from Struts 2.6 (in development),
> > maybe we will be able to port those changes into 2.5.x branch but we
> > will see.
>
> Really no point in supporting JDK 9 or 10 as they are now EOL.  JDK 11 
> support would be great.


RE: [EXTERNAL] Re: Struts 2.5.x support above Java 8

2018-11-11 Thread David Dillard
> We do plan support JDK 9 and JDK 11 as from Struts 2.6 (in development), 
> maybe we will be able to port those changes into 2.5.x branch but we will see.

Really no point in supporting JDK 9 or 10 as they are now EOL.  JDK 11 support 
would be great.




RE: [EXTERNAL] Re: Question Regarding Recent Security Announcement

2018-11-05 Thread David Dillard
Ok, that addresses one question, but still leaves one: why is it being 
recommended to update File Upload NOW due to a possible DoS, when Struts has 
been using a version of File Upload with no documented DoS issue for the last 
six releases???

Or put another way, Struts 2.3.35 uses File Upload 1.3.2.  File Upload 1.3.2 
currently has no documented DoS issue.  Now, you're saying to update to File 
Upload 1.3.3 to fix a DoS issue.  Why?



-----Original Message-----
From: Lukasz Lenart  
Sent: Monday, November 5, 2018 2:16 AM
To: Struts Users Mailing List 
Subject: [EXTERNAL] Re: Question Regarding Recent Security Announcement

On Sun, 4 Nov 2018 at 18:40 David Dillard wrote:
>   1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be 
> used <https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>,
> not 1.3.3, so I'm confused about what's stated in the email.  What's 
> recommended doesn't seem to accomplish what the email states it will.

We have overlooked that when we were preparing Struts 2.3.36, this is an easy 
drop-in dependency.

>   2.  The recommendation for Fileupload 1.3.2 can be found in the Maven 
> repository since Struts 2.3.30, which was released back in July 2016.
>   3.  This makes sense since the last documented DoS vulnerability in 
> Fileupload was fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323


Regards
--
Łukasz



Question Regarding Recent Security Announcement

2018-11-04 Thread David Dillard
Hi,

An email was recently sent to the Apache Announcements list suggesting that users 
update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 
1.3.3 due to a potential DoS.  I have a few questions about this:


  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used, 
not 1.3.3, so I'm confused about what's stated in the email.  What's 
recommended doesn't seem to accomplish what the email states it will.
  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven 
repository since Struts 2.3.30, which was released back in July 2016.
  3.  This makes sense since the last documented DoS vulnerability in 
Fileupload was fixed in 1.3.2.

So, given all of this, can someone explain why this recommendation was made and 
why now, since the noted issues have been resolved for a couple of years?


Thanks,

David