2017-09-13 18:57 GMT+02:00 Lehmer, Jason <jason.leh...@capella.edu>:
> In cases where the Struts community is notified or discovers a security
> vulnerability in a supported version, does the evaluation process include
> identifying unsupported versions that may be impacted as well? I realize the
> recommendation will likely be to upgrade to a supported version but I just
> wanted to confirm that even EOL versions are taken into account when
> identifying potential impacts.

We support two lines now:
- 2.3.x where you can expect only security fixes and small improvements
  (mostly incorporated from the main line)
- 2.5.x our main line, with security fixes and new features

When verifying a vulnerability report we try to investigate which
versions are affected down the line but we omit EOLed versions (in
this case Struts 1).

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/