The 1.5.7-classloaderfix version is on its way to Maven Central and should
be available in a few hours.
http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.sourceforge.stripes%22
Cheers
Rémi
2014-04-28 10:35 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
> Hi again folks,
>
> I have pushed a hot fix in branch /1.5.7-classloaderfix:
> https://github.com/StripesFramework/stripes/tree/1.5.7-classloaderfix
>
> I have branched from the 1.5.7 tag in the 1.5.x branch, and included only Ben's
> fixed BindingPolicyManager. Should fix the class loader problem.
>
> The version (in the pom) is 1.5.7-classloaderfix.
>
> All tests are green, and I haven't changed anything else, so no regression
> is to be expected.
>
> I'm currently trying to release to Maven Central for those who don't want
> (can't) rebuild Stripes.
>
> Cheers
>
> Rémi
>
> PS: older versions could be patched the same way, I guess: the fix in
> BindingPolicyManager is internal and doesn't break any API.
>
>
>
> 2014-04-28 9:08 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
>
>> All versions are impacted AFAIK if you run Tomcat 8. The whole thing is
>> about using a bindable path to the class loader in order to exec arbitrary
>> code on the server.
>>
>> I could not reproduce on Jetty using the same path, and I didn't have
>> time to check Tomcat 6 and 7 yesterday, which I'll do today.
>>
>> But in any case, this fix is required ASAP, as you can't know all
>> possible bindings on ClassLoader, especially those of the various
>> containers...
>>
>> Cheers
>>
>> Remi
>>
>>
>> 2014-04-27 22:00 GMT+02:00 Timothy Stone <[email protected]>:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> Remi,
>>>
>>> Do we know how far back this goes? We run 1.5.3 and 1.5.7.
>>>
>>> Tim
>>>
>>> On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:
>>> > Hi folks,
>>> >
>>> > I haven't seen any communication about this fix:
>>> >
>>> > https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
>>> >
>>> > It seems to be a quite ugly security issue actually, same as:
>>> > http://struts.apache.org/announce.html ClassLoader manipulation?
>>> > Holy sh*t! Running arbitrary code now? wtf?
>>> >
>>> > Do we plan to release a hot fix for 1.5.7? Or release 1.5.8?
>>> >
>>> > I guess we might also wanna drop an email on the users list. This
>>> > is something all Stripes users should be aware of. Good opportunity to
>>> > recall about @Validate and @StrictBinding, for those who don't use
>>> > them...
>>> >
>>> > Cheers
>>> >
>>> > Rémi
>>> >
>>> >
>>> >
>>> >
>>> >
>>> ------------------------------------------------------------------------------
>>> >
>>> >
>>> Start Your Social Network Today - Download eXo Platform
>>> > Build your Enterprise Intranet with eXo Platform Software Java
>>> > Based Open Source Intranet - Social, Extensible, Cloud Ready Get
>>> > Started Now And Turn Your Intranet Into A Collaboration Platform
>>> > http://p.sf.net/sfu/ExoPlatform
>>> >
>>> >
>>> >
>>> > _______________________________________________ Stripes-development
>>> > mailing list [email protected]
>>> > https://lists.sourceforge.net/lists/listinfo/stripes-development
>>> >
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
>>> Comment: Seeking grim and perilous adventure!
>>> Comment: Get my public key at http://bit.ly/9UQHQv
>>> Comment: GPGTools - http://gpgtools.org
>>>
>>> iQIcBAEBCgAGBQJTXWHgAAoJEHJJ3jMipSyC1CkP/2CMXtbp4bdl5feZUYdOuCvP
>>> eqOSfZOfh1YFe8d7BLuXMgbr7WgCDkUHDjtQN0u2LmECfsaTsgTZoqLEUgxtsh+T
>>> AGn/Sl3EhgCDLPcKCDJv2P4/PC/KwkCaf1deDtGRPUl5J4rKbgnM/QkcAq9cnlnc
>>> kB/axsVcled4+DTRbdczOFYQMrEhE5TpDVlBAbCD869NMU5eAdJQK8v2rmK4sHwp
>>> mbCJkp+FJqdbbgHAb3XNo+1XEtHcuPnDLPM8FjS9+v0H/VjuqokZ6tqjbY7vMYaB
>>> h45TcRqdiWiKYumfj6DcI0U4WABRDyWiExNde8qFEcrSOpJceQCJCN+XB+n60e+E
>>> q6YeGBsNrlJv1meYZDTb8IcCNclBRCv8e3DqWUaKfDxA55KPJPXYwi7MK0b+o5Rp
>>> w0X5E4X2OvTSIqfDFp71CZfweFT0nixYK4tqWFf2ovj8LRJOGjMZYt9EohvRXZMT
>>> 2Sm9lPOPSiAT5W/Vo17uQ5a1ZucaRibc46479rRlSRHnUNhb3t4+bZhIfYfLDElp
>>> Ubw53OdNsR6THw6MUyKrTATtd7LS2MFWEkLIKQeMuFKyq/PdMvEnw+sfGvsFTLDe
>>> p8bnrwPmsLOCJ5wZ2L3ebMQCj1vmfXbtpWAINe0HUEeaIsO5XBRVQJT+xLuQVN+R
>>> YWZGFF1ahTvSxIG94iJr
>>> =pIIa
>>> -----END PGP SIGNATURE-----
>>>
>>
>>
>
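The thread recommends @Validate and @StrictBinding as the application-side defence against request parameters binding into object graphs (such as a ClassLoader) that an ActionBean never meant to expose. The following is an added example, written for this page and not code from the thread or from the Stripes project, showing an ActionBean that allows binding only to an explicit list of properties. The package, class, field and JSP names are hypothetical; the Stripes annotations and the EmailTypeConverter are real framework classes.

```java
// Added example (not from the thread or the Stripes project): an ActionBean that
// uses @StrictBinding and @Validate so that only the listed properties can be
// bound from request parameters. Package, class, field and JSP names are
// hypothetical placeholders.
package example.web;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.EmailTypeConverter;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

@UrlBinding("/profile/update.action")
// Default policy DENY: a request parameter whose property path is not in the
// allow list (and not covered by a @Validate annotation) is simply not bound.
// An allow list is the robust choice here: as the thread notes, the set of
// paths reachable through a container's ClassLoader cannot be enumerated, so a
// deny list can never be complete.
@StrictBinding(
        defaultPolicy = StrictBinding.Policy.DENY,
        allow = { "profile.displayName", "profile.email" })
public class UpdateProfileActionBean implements ActionBean {

    private ActionBeanContext context;

    // Explicit validation rules for the nested properties. With @StrictBinding's
    // default validate=true, properties carrying @Validate are allowed as well,
    // so the allow list above and these rules agree on the same two fields.
    @ValidateNestedProperties({
            @Validate(field = "displayName", required = true, maxlength = 64),
            @Validate(field = "email", required = true,
                      converter = EmailTypeConverter.class)
    })
    private Profile profile = new Profile();

    @Override
    public ActionBeanContext getContext() {
        return context;
    }

    @Override
    public void setContext(ActionBeanContext context) {
        this.context = context;
    }

    public Profile getProfile() {
        return profile;
    }

    public void setProfile(Profile profile) {
        this.profile = profile;
    }

    @DefaultHandler
    public Resolution update() {
        // Only displayName and email can have been populated from the request;
        // a real application would persist the validated profile here.
        return new ForwardResolution("/WEB-INF/jsp/profile-updated.jsp");
    }

    // Plain form-backing object (hypothetical). It is public and static with a
    // no-arg constructor so Stripes can instantiate it during binding.
    public static class Profile {
        private String displayName;
        private String email;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }
}
```

With this bean, a request carrying parameters for any property path other than `profile.displayName` or `profile.email` has those parameters ignored at binding time, independently of whatever the framework's BindingPolicyManager fix does internally. Applying @StrictBinding to every ActionBean that accepts user input is the application-level complement to upgrading to the fixed build.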