Hi David,

That was a typo which has already been fixed and re-announced. We meant 1.3.3. Thanks for your email.

Regards.

>-----Original Message-----
>From: David Dillard <david.dill...@veritas.com>
>Sent: Sunday, November 4, 2018 9:10 PM
>To: user@struts.apache.org
>Subject: Question Regarding Recent Security Announcement
>
>Hi,
>
>An email<http://mail-archives.apache.org/mod_mbox/www-announce/201811.mbox/%3cCAMopvkMgZiJ+ZkT1HmkQt94q7-bzNWnZm0Td9vq589vz5YM=m...@mail.gmail.com%3e> was recently sent to the Apache Announcements list suggesting that users update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS. I have a few questions about this:
>
> 1. Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used<https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email. What's recommended doesn't seem to accomplish what the email states it will.
> 2. The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016.
> 3. This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2.
>
>So, given all of this, can someone explain why this recommendation was made and why now since the noted issues to have been resolved for a couple of years?
>
>Thanks,
>
>David