Hi, An email<http://mail-archives.apache.org/mod_mbox/www-announce/201811.mbox/%3cCAMopvkMgZiJ+ZkT1HmkQt94q7-bzNWnZm0Td9vq589vz5YM=m...@mail.gmail.com%3e> was recently sent to the Apache Announcements list suggesting that users update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS. I have a few questions about this:
1. Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used<https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email. What's recommended doesn't seem to accomplish what the email states it will. 2. The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016. 3. This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2. So, given all of this, can someone explain why this recommendation was made and why now since the noted issues to have been resolved for a couple of years? Thanks, David
