was recently sent to the Apache Announcements list suggesting that users 
update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 
1.3.3 due to a potential DoS.  I have a few questions about this:

  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be 
not 1.3.3, so I'm confused about what's stated in the email.  What's 
recommended doesn't seem to accomplish what the email states it will.
  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven 
repository since Struts 2.3.30, which was released back in July 2016.
  3.  This makes sense since the last documented DoS vulnerability in 
Fileupload was fixed in 1.3.2.

So, given all of this, can someone explain why this recommendation was made and 
why now since the noted issues to have been resolved for a couple of years?



Reply via email to