Should we update the dependency jars, or is it okay to update only the struts core jar?

On Wed, 22 Aug 2018 at 13:05, Yasser Zamani <yasserzam...@apache.org> wrote:

> The Apache Struts group is pleased to announce that Struts 2.3.35 is
> available as a “General Availability” release. The GA designation is
> our highest quality grade.
>
> In addition to critical overall proactive security improvements, this
> release addresses one potential security vulnerability:
> - Possible Remote Code Execution when using results with no namespace
> and in same time, its upper action(s) have no or wildcard namespace.
> Same possibility when using url tag which doesn’t have value and action
> set. - S2-057 -
> http://struts.apache.org/docs/s2-057.html
>
> Apache Struts 2 is an elegant, extensible framework for creating
> enterprise-ready Java web applications. The framework is designed to
> streamline the full development cycle, from building, to deploying, to
> maintaining applications over time.
>
> All developers are strongly advised to perform this action.
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions: Servlet API 2.4,
> JSP API 2.0, and Java 6.
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.
>
> You can download this version from our download page.
> http://struts.apache.org/download.cgi#struts-23x
>
>
> Regards.
>

--
Regards
Gokul