Adds announcement about latest security vulnerabilities
Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/88e6a4a3 Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/88e6a4a3 Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/88e6a4a3 Branch: refs/heads/master Commit: 88e6a4a3a38e20e3296e2ffbc605110023376a2b Parents: b6a4c5e Author: Lukasz Lenart <lukasz.len...@gmail.com> Authored: Wed Jun 1 11:57:13 2016 +0200 Committer: Lukasz Lenart <lukasz.len...@gmail.com> Committed: Fri Jun 17 14:25:04 2016 +0200 ---------------------------------------------------------------------- source/announce.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts-site/blob/88e6a4a3/source/announce.md ---------------------------------------------------------------------- diff --git a/source/announce.md b/source/announce.md index 6b0668a..70fa7a7 100644 --- a/source/announce.md +++ b/source/announce.md 
@@ -8,6 +8,22 @@ title: Announcements Skip to: <a href="announce-2015.html">Announcements - 2015</a> </p> +#### 1 June 2016 - Two security vulnerabilities reported {#a20160601} + +Two potential security vulnerabilities were reported which were already addressed in the latest Apache Struts 2 versions. +Those reports just added other vectors of attack. + + - [S2-033](/docs/s2-033.html) + Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled + + - [S2-034](/docs/s2-034.html) + OGNL cache poisoning can lead to DoS vulnerability + +Please read carefully the Security Bulletins and take suggested actions. The simplest way to avoid those vulnerabilities +in your application is to upgrade the Apache Struts to latest available version in 2.3.x series or to the Apache Struts 2.5. + +You can download those versions from our [download](download.html#struts-ga) page. + #### 9 May 2016 - Struts 2.5 General Availability {#a20160509} The Apache Struts group is pleased to announce that Struts 2.5 is available as a "General Availability"
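Review bot: In the closing paragraph of the new 1 June 2016 entry, "upgrade the Apache Struts to latest available version in 2.3.x series or to the Apache Struts 2.5" names no concrete release. This is a dated announcement, so "latest" will drift as new versions ship. Suggest stating the minimum fixed versions given in the S2-033 and S2-034 bulletins. The opening sentences ("already addressed in the latest Apache Struts 2 versions" followed by "Those reports just added other vectors of attack") also leave it unclear whether users who are already on those versions need to do anything. One explicit sentence saying that only older releases are affected would remove the ambiguity. Since the S2-033 item makes Dynamic Method Invocation being enabled a precondition, it may be worth pointing readers who cannot upgrade right away to the bulletin's guidance on that setting. Minor style point: the bulletin links use root-relative paths ("/docs/s2-033.html"), while the download link and the existing "announce-2015.html" link are document-relative. Pick one form so the links resolve the same way wherever the site is hosted.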