Just to clarify one thing: this was not a zero-day vulnerability [1] but it sounds better for journalists :\
[1] https://en.wikipedia.org/wiki/Zero-day_(computing)

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2017-09-20 13:56 GMT+02:00 Martin Gainty <mgai...@hotmail.com>:
> David:
>
> The recommended hardened version for the financial services industry is
> Struts 2.5.10.1. Here is why:
>
> "If you are using Jakarta-based file upload Multipart parser, upgrade to
> Apache Struts version 2.3.32 or 2.5.10.1," Apache says in a March 6
> security alert. "You can also switch to a different implementation of the
> Multipart parser."
>
> https://www.bankinfosecurity.com/apache-struts-2-under-zero-day-attack-update-now-a-9761
> (Apache Struts 2 Under Zero-Day Attack, Update Now)
>
> David and Lukasz please confirm
> Martin
> ______________________________________________
>
> ------------------------------
> *From:* David Greene <da...@securelink.com>
> *Sent:* Tuesday, September 19, 2017 9:43 AM
> *To:* Struts Users Mailing List
> *Subject:* Re: Which Struts Version To Use?
>
> Just from my personal experience, migrating from 2.3.x to 2.5.x was a very
> small development task. I was actually surprised at how few changes were
> required. As someone else mentioned, a little bit of regex to weed out the
> now-unused tag arguments was probably the 'hardest' part. I would
> recommend just biting the (small) bullet and going with 2.5.x if Java 1.6
> isn't required in your environment.
>
> -David
>
> On Tue, Sep 19, 2017 at 1:11 AM, Lukasz Lenart <lukaszlen...@apache.org>
> wrote:
>
> > Bruce
> >
> > Struts 2.5.x is not only built on JDK7; there were also a few
> > important architectural changes which may be backward incompatible in
> > some cases. 2.5.x also brings more new features and improvements that
> > at some point can also break backward compatibility. 2.5.x is a good
> > choice when you start a new development project or you need a new
> > feature which is available in 2.5.x only.
> >
> > That's why I keep the 2.3.x branch just to port security fixes and allow
> > an easier transition to 2.5.x (or 2.6.x soon). There are no exact plans
> > for how long 2.3.x will be around; I do plan to switch to JDK7 (lack of
> > tools to support builds on JDK6) and then 2.3.x will be branded as 2.4.x
> > but still with the same scope - only security fixes. So 2.3.x/2.4.x will
> > stay with us for longer :)
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >
> > PS. Please remember that Struts doesn't follow strict semantic
> > versioning: "2" means "Struts 2", so Struts 2.5.x is "Struts 2 version
> > 5.x" where Struts 2.3.x means "Struts 2 version 3.x" :)
> >
> > 2017-09-18 21:29 GMT+02:00 bruceaphill...@gmail.com <bruceaphill...@gmail.com>:
> > > Thank you for the reply.
> > >
> > > I still don't understand why there are two active branches, especially
> > > since JDK7 was EOL some time ago.
> > >
> > > If the 2.3.X line is going to be ended soon and the 2.5.X line is the
> > > future then I'd like to get our Struts apps on 2.5.X.
> > >
> > > But if 2.3.X is going to be maintained for the next 1-2 years then I'd
> > > feel comfortable updating to 2.3.X.
> > >
> > > Another consideration is that all our newer web apps use Spring MVC and
> > > do not use Struts 2. We only have some legacy web apps that still use
> > > Struts 2. If the time commitment in converting from Struts 2.3.X to 2.5.X
> > > is high then we might as well just convert those apps to Spring MVC.
> > >
> > > It would be great if the Struts 2 PMC would publicly state what the
> > > future plan is for Struts 2, or if there is already a published plan,
> > > please let me know.
> > >
> > > Bruce
> > >
> > > On 2017-09-18 10:15, "Jason D. Burkert" <jason.burk...@craytek.com> wrote:
> > >> On 2017-09-18 11:05 AM, Phillips, Bruce A wrote:
> > >> > We still have a couple of web apps that are using Struts version 2.3.32.
> > >> >
> > >> > We want to update those web apps to the latest version of Struts but
> > >> > I'm not sure what version to update to.
> > >> >
> > >> > I see a 2.5.13 and a 2.3.34 – both tags seem to be recently created.
> > >> >
> > >> > Should I update to 2.5.13 or should I stay on the 2.3.X line?
> > >> >
> > >> > Why are there different production tags (2.5.X and 2.3.X)?
> > >> >
> > >> > Thank You,
> > >> >
> > >> > Bruce Phillips
> > >>
> > >> Hello Bruce,
> > >>
> > >> If you have existing web apps using 2.3.32 it would be easiest to update
> > >> to 2.3.34 for the latest security updates.
> > >>
> > >> In the future, to use the 2.5.x series, you'll need to perform some
> > >> migration steps. Review the Version Notes for 2.5 to get started,
> > >> especially "Internal Changes" and "Package names have changed".
> > >> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5
> > >>
> > >> As to why there are both 2.3.x series and 2.5.x series releases, my
> > >> understanding is that one significant reason is "Struts2 is now built
> > >> with JDK7" as of the first 2.5 release.
> > >>
> > >> -Jason
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> > > For additional commands, e-mail: user-h...@struts.apache.org
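The thread boils down to two checks a practitioner actually has to run across a fleet of legacy apps: is the declared struts2-core version at or above the fix for its release line (2.3.32 on the 2.3.x line, 2.5.10.1 on the 2.5.x line, per the advisory Martin quotes), and is the app still on the default Jakarta multipart parser that the advisory singles out. The script below is an added example and is not code from the Struts project or from anyone in the thread. It assumes Maven-style POMs (including a `${property}` version reference resolved from `<properties>`), a `struts.xml` where the parser is selected through the `struts.multipart.parser` constant (a name taken from Struts documentation, not from this thread), and two constructed sample files embedded inline. Version comparison keeps every numeric component and compares tuples, because, as Łukasz notes, Struts is not strict semver and 2.5.10.1 is a real four-part release that must sort above 2.5.10.

```python
"""Audit a Maven POM and struts.xml against the fixes named in the thread.

Added example, not Struts project code. SAMPLE_POM and SAMPLE_STRUTS_XML are
constructed inputs; the struts.multipart.parser constant name is assumed from
Struts documentation rather than from the thread.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Minimum fixed version per release line, from the advisory quoted in the thread.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Constructed sample inputs (not from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_STRUTS_XML = """<?xml version="1.0"?>
<struts>
  <constant name="struts.devMode" value="false"/>
</struts>"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Struts is not strict semver: 2.5.x is
    'Struts 2, version 5.x' and a fourth component is a normal patch release,
    so keep every numeric component and let tuple comparison order them."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def struts_core_version(pom_xml: str) -> Optional[str]:
    """Return the declared struts2-core version, resolving a ${property}
    reference against <properties>; None if struts2-core is not declared."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(POM_NS):]: (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    for dep in root.iter(f"{POM_NS}dependency"):
        if dep.findtext(f"{POM_NS}artifactId") == "struts2-core":
            raw = (dep.findtext(f"{POM_NS}version") or "").strip()
            m = re.fullmatch(r"\$\{([^}]+)\}", raw)
            return props.get(m.group(1), raw) if m else raw
    return None


def below_fixed(version: str) -> Optional[Tuple[int, ...]]:
    """Return the minimum fixed version the declared one falls short of, or
    None if it is at or above the fix for its line. Lines older than 2.3
    predate both fixed lines and are reported against 2.3.32; lines newer
    than 2.5 are outside what the advisory covers and are not flagged."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        floor = FIXED[line]
    elif line < (2, 3):
        floor = FIXED[(2, 3)]
    else:
        return None
    return floor if v < floor else None


def uses_jakarta_parser(struts_xml: str) -> bool:
    """True when struts.multipart.parser is absent (Jakarta is the default)
    or explicitly set to 'jakarta'; False for any other parser choice."""
    root = ET.fromstring(struts_xml)
    for c in root.iter("constant"):
        if c.get("name") == "struts.multipart.parser":
            return c.get("value", "").strip().lower() == "jakarta"
    return True


def audit(pom_xml: str, struts_xml: str) -> dict:
    """Combine both checks into one report for a single application."""
    version = struts_core_version(pom_xml)
    floor = below_fixed(version) if version else None
    return {
        "version": version,
        "needs_upgrade": floor is not None,
        "minimum": ".".join(map(str, floor)) if floor else None,
        "jakarta_parser": uses_jakarta_parser(struts_xml),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POM, SAMPLE_STRUTS_XML))
```

Run against the constructed sample it reports 2.3.31 as needing the 2.3.32 floor and the Jakarta parser still in use; point `audit` at each legacy app's real `pom.xml` and `struts.xml` to get the same two answers per app. Note that this only checks the declared version: a dependency pulled in transitively or shaded into another artifact needs `mvn dependency:tree` or a scan of the deployed WAR rather than a POM read.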