Hi David,

That was a typo which already has fixed and re-announced. We meant 1.3.3. 
Thanks for your email.


>-----Original Message-----
>From: David Dillard <david.dill...@veritas.com>
>Sent: Sunday, November 4, 2018 9:10 PM
>To: user@struts.apache.org
>Subject: Question Regarding Recent Security Announcement
>An email<http://mail-archives.apache.org/mod_mbox/www-
>bzNWnZm0Td9vq589vz5YM=m...@mail.gmail.com%3e> was recently sent to the
>Apache Announcements list suggesting that users update to Apache Struts 2.3.36
>in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS.  
>have a few questions about this:
>  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
>core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email.  
>recommended doesn't seem to accomplish what the email states it will.
>  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven
>repository since Struts 2.3.30, which was released back in July 2016.
>  3.  This makes sense since the last documented DoS vulnerability in 
> Fileupload
>was fixed in 1.3.2.
>So, given all of this, can someone explain why this recommendation was made
>and why now since the noted issues to have been resolved for a couple of years?

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Reply via email to