[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36

2018-11-04 Thread Lukasz Lenart
The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36 based projects to use the latest released version of Commons FileUpload library, which is currently 1.3.1. This is necessary to prevent your publicly accessible web site from being exposed to possible DoS attacks [1] [2].

RE: Question Regarding Recent Security Announcement

2018-11-04 Thread Yasser Zamani
Hi David, That was a typo which already has fixed and re-announced. We meant 1.3.3. Thanks for your email. Regards. >-Original Message- >From: David Dillard >Sent: Sunday, November 4, 2018 9:10 PM >To: user@struts.apache.org >Subject: Question Regarding Recent Security Announcement >

Re: Question Regarding Recent Security Announcement

2018-11-04 Thread Lukasz Lenart
niedz., 4 lis 2018 o 18:40 David Dillard napisał(a): > 1. Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be > used, > not 1.3.3, so I'm confused about what's stated in the email. What's >

[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior

2018-11-04 Thread Lukasz Lenart
The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36 based projects to use the latest released version of Commons FileUpload library, which is currently 1.3.3. This is necessary to prevent your publicly accessible web site from being exposed to possible Remote Code Execution

Question Regarding Recent Security Announcement

2018-11-04 Thread David Dillard
Hi, An email was recently sent to the Apache Announcements list suggesting that users update to Apache Struts 2.3.36 in order to update to Apache

Re: [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36

2018-11-04 Thread Lukasz Lenart
I meant commons-fileupload version 1.3.3, sorry for that. Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ niedz., 4 lis 2018 o 10:30 Lukasz Lenart napisał(a): > > The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36 > based projects to use the latest