It's there:
http://repo1.maven.org/maven2/net/sourceforge/stripes/stripes/1.5.7-classloaderfix/
<dependency>
<groupId>net.sourceforge.stripes</groupId>
<artifactId>stripes</artifactId>
<version>1.5.7-classloaderfix</version>
</dependency>
Cheers
Rémi
2014-04-28 10:59 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
> The 1.5.7-classloaderfix version is on its way to Maven Central and should
> be available in a few hours.
>
>
> http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.sourceforge.stripes%22
>
> Cheers
>
> Rémi
>
>
> 2014-04-28 10:35 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
>
>> Hi again folks,
>>
>> I have pushed a hot fix in branch /1.5.7-classloaderfix:
>> https://github.com/StripesFramework/stripes/tree/1.5.7-classloaderfix
>>
>> I have branched from the 1.5.7 tag in the 1.5.x branch, and included only Ben's
>> fixed BindingPolicyManager. Should fix the class loader problem.
>>
>> The version (in the pom) is 1.5.7-classloaderfix.
>>
>> All tests are green, and I haven't changed anything else, so no
>> regression is to be expected.
>>
>> I'm currently trying to release to maven central for those who don't want
>> (can't) rebuild Stripes.
>>
>> Cheers
>>
>> Rémi
>>
>> PS: older versions could be patched the same way I guess: the fix in
>> BindingPolicyManager is internal, it doesn't break any API.
>>
>>
>>
>> 2014-04-28 9:08 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
>>
>>> All versions are impacted AFAIK if you run Tomcat 8. The whole thing is
>>> about using a bindable path to the class loader in order to exec arbitrary
>>> code on the server.
>>>
>>> I could not reproduce on Jetty using the same path, and I didn't have
>>> time to check Tomcat 6 and 7 yesterday, which I'll do today.
>>>
>>> But in any case, this fix is required ASAP, as you can't know all
>>> possible bindings on ClassLoader, especially those of the various
>>> containers...
>>>
>>> Cheers
>>>
>>> Remi
>>>
>>>
>>> 2014-04-27 22:00 GMT+02:00 Timothy Stone <[email protected]>:
>>>
>>>>
>>>> Remi,
>>>>
>>>> Do we know how far back this goes? We run 1.5.3 and 1.5.7.
>>>>
>>>> Tim
>>>>
>>>> On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:
>>>> > Hi folks,
>>>> >
>>>> > I haven't seen any communication about this fix:
>>>> >
>>>> https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
>>>> >
>>>> > It seems to be a quite ugly security issue actually, same as:
>>>> > http://struts.apache.org/announce.html ClassLoader manipulation?
>>>> > Holy sh*t! Running arbitrary code now? wtf?
>>>> >
>>>> > Do we plan to release a hot fix for 1.5.7 ? Or release 1.5.8 ?
>>>> >
>>>> > I guess we might also wanna drop an email on the users list. This
>>>> > is something all Stripes users should be aware of. Good opportunity to
>>>> > recall @Validate and @StrictBinding, for those who don't use
>>>> > them...
>>>> >
>>>> > Cheers
>>>> >
>>>> > Rémi
>>>> >
>>>> > ------------------------------------------------------------------------------
>>>> > Start Your Social Network Today - Download eXo Platform
>>>> > Build your Enterprise Intranet with eXo Platform Software Java
>>>> > Based Open Source Intranet - Social, Extensible, Cloud Ready Get
>>>> > Started Now And Turn Your Intranet Into A Collaboration Platform
>>>> > http://p.sf.net/sfu/ExoPlatform
>>>> >
>>>> > _______________________________________________
>>>> > Stripes-development mailing list
>>>> > [email protected]
>>>> > https://lists.sourceforge.net/lists/listinfo/stripes-development
>>>> >
>>>>
>>>>
>>>
>>>
>>
>
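As an added example that is not code from the Stripes project or from anyone in this thread: the default-deny @StrictBinding configuration the thread recommends, applied to a hypothetical ProfileActionBean. With defaultPolicy = DENY and an explicit allow-list, request parameters such as user.class.classLoader.* are dropped by the binder before they reach the bean, whatever a given container exposes on its ClassLoader, which is the point made above that you cannot enumerate all bindable paths. The class name, URL, property names and JSP path are assumptions.

```java
// Added example (not Stripes project code): a hypothetical ActionBean that
// allow-lists the only two property paths a form may bind. Everything else,
// including any path that walks through getClass()/getClassLoader(), is
// refused by Stripes' binding policy instead of relying on a deny-list.
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.StrictBinding.Policy;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.EmailTypeConverter;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

@UrlBinding("/profile.action")                      // hypothetical URL
@StrictBinding(
    defaultPolicy = Policy.DENY,                    // anything not listed is not bound
    allow = { "user.name", "user.email" }           // the only paths a request may set
)
public class ProfileActionBean implements ActionBean {

    /** Plain bean populated from the form; hypothetical. */
    public static class User {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    private ActionBeanContext context;
    private User user = new User();

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    // The allowed paths are still validated: length and format constraints
    // apply to what is bound, while unlisted parameters (for example
    // user.class.classLoader.<anything>) never reach setUser() at all.
    @ValidateNestedProperties({
        @Validate(field = "name", required = true, maxlength = 64),
        @Validate(field = "email", required = true, converter = EmailTypeConverter.class)
    })
    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    @DefaultHandler
    public Resolution save() {
        // Persisting the profile is out of scope for the example.
        return new ForwardResolution("/WEB-INF/jsp/profile.jsp");   // hypothetical JSP
    }
}
```

Stripes also treats properties covered by @Validate as bindable when @StrictBinding is present, so the allow-list above is partly redundant with the annotations; listing the paths explicitly keeps the intended surface visible in one place. This does not replace the BindingPolicyManager fix discussed in the thread, which protects beans that do not use @StrictBinding; it is the per-bean least-privilege setting that makes unknown ClassLoader bindings irrelevant.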