Ok, that addresses one question, but still leaves one: why is it being 
recommended to update File Upload NOW due to a possible DoS, when Struts has 
been using a version of File Upload with no documented DoS issue for the last 
six releases???

Or put another way, Struts 2.3.35 uses File Upload 1.3.2.  File Upload 1.3.2 
currently has no documented DoS issue.  Now, you're saying to update to File 
Upload 1.3.3 to fix a DoS issue.  Why?



-----Original Message-----
From: Lukasz Lenart <lukaszlen...@apache.org> 
Sent: Monday, November 5, 2018 2:16 AM
To: Struts Users Mailing List <user@struts.apache.org>
Subject: [EXTERNAL] Re: Question Regarding Recent Security Announcement

niedz., 4 lis 2018 o 18:40 David Dillard <david.dill...@veritas.com> napisał(a):
>   1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
> used <https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>,
> not 1.3.3, so I'm confused about what's stated in the email.  What's
> recommended doesn't seem to accomplish what the email states it will.

We have overlooked that when we were preparing Struts 2.3.36, this is an easy 
drop-in dependency.

>   2.  The recommendation for Fileupload 1.3.2 can be found in the Maven 
> repository since Struts 2.3.30, which was released back in July 2016.
>   3.  This makes sense since the last documented DoS vulnerability in 
> Fileupload was fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
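The "easy drop-in dependency" mentioned above can be done in the application's own pom.xml rather than waiting for a Struts release that declares the newer version. The fragment below is an added example, not from the thread or from the Struts project: it pins commons-fileupload to 1.3.3 through dependencyManagement so that it overrides whatever version struts2-core 2.3.36 pulls in transitively. The Maven coordinates `commons-fileupload:commons-fileupload` are assumed from the public artifact name; the version numbers are the ones discussed in the thread.

```xml
<!-- Added example, not from the thread. Pin commons-fileupload to 1.3.3 so the
     pinned version wins over the transitive version declared by struts2-core.
     Coordinates commons-fileupload:commons-fileupload are an assumption based on
     the public artifact name; versions 1.3.3 and 2.3.36 come from the thread. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The Struts dependency itself is declared without touching its transitives;
       dependencyManagement above decides which commons-fileupload is resolved. -->
  <dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.3.36</version>
  </dependency>
</dependencies>
```

After adding this, `mvn dependency:tree -Dincludes=commons-fileupload` shows which version is actually resolved, which is the check worth running before concluding that the upgrade took effect.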
