This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 56d5e52  Updates production by Jenkins
56d5e52 is described below

commit 56d5e5225758da621c7904ceddd0a1dbb69680c7
Author: jenkins <bui...@apache.org>
AuthorDate: Thu Aug 15 07:57:54 2019 +0000

    Updates production by Jenkins
---
 content/announce.html                               | 19 +++++++++++++++++++
 content/getting-started/message-resource-files.html |  4 ++--
 content/index.html                                  |  8 ++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/content/announce.html b/content/announce.html
index 8514feb..62b9877 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -130,6 +130,7 @@
     <h1 class="no_toc" id="announcements-2019">Announcements 2019</h1>
 
 <ul id="markdown-toc">
+  <li><a href="#a20190815" id="markdown-toc-a20190815">15 August 2019 - 
Security Advice: Announcing corrected affected version ranges in historic 
Apache Struts security bulletins and CVE entries</a></li>
   <li><a href="#a20190114" id="markdown-toc-a20190114">14 January 2019 - 
Struts 2.5.20 General Availability</a></li>
   <li><a href="#a20181230" id="markdown-toc-a20181230">30 December 2018 - 
Struts 2.3.37 General Availability</a></li>
 </ul>
@@ -138,6 +139,24 @@
   Skip to: <a href="announce-2018.html">Announcements - 2018</a>
 </p>
 
+<h4 id="a20190815">15 August 2019 - Security Advice: Announcing corrected 
affected version ranges in historic Apache Struts security bulletins and CVE 
entries</h4>
+
+<p>The Apache Struts Security team would like to announce that a number of 
historic <a 
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin";>Struts 
Security Bulletins</a> and related CVE database entries contained incorrect 
affected release version ranges.</p>
+
+<p>The issue was reported by Christopher Fearon and the Black Duck Research 
Team within the Synopsys Cybersecurity Research Center. The reporting entity 
conducted thorough investigations on this matter, leading to a report to the 
Apache Struts Security Team. The Apache Struts Security Team worked with the 
reporters to cross-check said issues and map them to affected Apache Struts 
General Availability (GA) releases.</p>
+
+<p>This effort led to the issue of Struts Security Bulletin S2-058, 
referencing 15 historic Struts Security Bulletins and <a 
href="https://github.com/CVEProject/cvelist/pull/2423/files";>respective CVE 
entries</a> that have been updated to reflect corrections in affected GA 
version ranges as well as minimum GA versions to contain appropriate fixes for 
the issues at hand.</p>
+
+<p>The full Security Bulletin can be found here:</p>
+
+<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-058";>Apache 
Struts Security Buletin S2-058</a></p>
+
+<p>The Struts Security Team stresses that while the reporters reference more 
affected issues and resulting affected version ranges, the Struts Security 
Bulletins only cover GA versions designated for production use. This led to 
less corrected Security Bulletins and CVE entries compared to the number of 
covered issues in the original report.</p>
+
+<p>It is very important to understand that while the individual listed 
bulletins contain updated minimum fix versions, it is strongly recommended to 
update to the version recommended by the latest Security Bulletin, which is <a 
href="https://cwiki.apache.org/confluence/display/WW/S2-057";>S2-057</a> by the 
time of this announcement. Following this advice, the recommended minimum 
Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.</p>
+
+<p>The Apache Struts Security Team would like to thank the reporters for their 
efforts and their practice of responsible disclosure, as well as their help 
while investigating the report and coordinating public disclosure.</p>
+
 <h4 id="a20190114">14 January 2019 - Struts 2.5.20 General Availability</h4>
 
 <p>The Apache Struts group is pleased to announce that Struts 2.5.20 is 
available as a “General Availability”
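Review bot: Two wording errors in the added 15 August 2019 announcement need fixing before this reaches production. The link text for the bulletin reads "Apache Struts Security Buletin S2-058" and should read "Bulletin". In the paragraph about GA versions, "This led to less corrected Security Bulletins" should be "fewer corrected Security Bulletins". The same paragraph would also read more clearly as "fewer corrected Security Bulletins and CVE entries than issues covered in the original report", since readers will compare the bulletin count of 15 against the reporters' larger list.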
diff --git a/content/getting-started/message-resource-files.html 
b/content/getting-started/message-resource-files.html
index 900d472..b5e57b3 100644
--- a/content/getting-started/message-resource-files.html
+++ b/content/getting-started/message-resource-files.html
@@ -226,7 +226,7 @@ this markup.</p>
 <p><strong>link to Register Action class</strong></p>
 
 <div class="highlighter-rouge"><pre class="highlight"><code><span 
class="nt">&lt;s:url</span> <span class="na">action=</span><span 
class="s">"registerInput"</span> <span class="na">var=</span><span 
class="s">"registerInputLink"</span> <span class="nt">/&gt;</span>
-<span class="nt">&lt;p&gt;&lt;a</span> <span class="na">href=</span><span 
class="s">"${registerInputLink}"</span><span class="nt">&gt;</span>Please 
register<span class="nt">&lt;/a&gt;</span> for our prize drawing.<span 
class="nt">&lt;/p&gt;</span>
+<span class="nt">&lt;p&gt;&lt;s:a</span> <span class="na">href=</span><span 
class="s">"%{registerInputLink}"</span><span class="nt">&gt;</span>Please 
register<span class="nt">&lt;/s:a&gt;</span> for our prize drawing.<span 
class="nt">&lt;/p&gt;</span>
 </code></pre>
 </div>
 
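Review bot: Missing explanation for the syntax change in the "link to Register Action class" example: the added line moves from a plain anchor with href="${registerInputLink}" to an s:a tag with href="%{registerInputLink}", and nothing in this hunk tells the reader why. The first form is JSP EL written straight into template text, which the container emits without HTML escaping; the second is an OGNL expression evaluated by the Struts tag. Please add one sentence next to the example saying that the variable set by s:url is meant to be consumed through the Struts tag with %{...}, so readers do not keep copying the old ${...} pattern into their own pages.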
@@ -401,7 +401,7 @@ instead of the default locale value of our location (which 
is en). Add the follo
 <span class="nt">&lt;s:url</span> <span class="na">action=</span><span 
class="s">"registerInput"</span> <span class="na">var=</span><span 
class="s">"registerInputLinkES"</span><span class="nt">&gt;</span>
     <span class="nt">&lt;s:param</span> <span class="na">name=</span><span 
class="s">"request_locale"</span><span class="nt">&gt;</span>es<span 
class="nt">&lt;/s:param&gt;</span>
 <span class="nt">&lt;/s:url&gt;</span>
-<span class="nt">&lt;p&gt;&lt;a</span> <span class="na">href=</span><span 
class="s">"${registerInputLinkES}"</span><span class="nt">&gt;</span>Por favor, 
regístrese<span class="nt">&lt;/a&gt;</span> para nuestro sorteo<span 
class="nt">&lt;/p&gt;</span>
+<span class="nt">&lt;p&gt;&lt;s:a</span> <span class="na">href=</span><span 
class="s">"%{registerInputLinkES}"</span><span class="nt">&gt;</span>Por favor, 
regístrese<span class="nt">&lt;/s:a&gt;</span> para nuestro sorteo<span 
class="nt">&lt;/p&gt;</span>
 </code></pre>
 </div>
 
diff --git a/content/index.html b/content/index.html
index 8e09543..7650bac 100644
--- a/content/index.html
+++ b/content/index.html
@@ -186,6 +186,14 @@
         </p>
       </div>
       <div class="column col-md-4">
+        <h2>Security Advice S2-058 released</h2>
+        <p>
+            A number of historic Struts Security Bulletins and related CVE 
database entries contained incorrect affected release version ranges.
+            Read more in
+          <a href="announce#a20190815">Announcement</a>
+        </p>
+      </div>
+      <div class="column col-md-4">
       </div>
     </div>
   </div>
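Review bot: The teaser link in the added column uses href="announce#a20190815" without a file extension, while the file changed in this commit is content/announce.html and the neighbouring link on that page is written as "announce-2018.html". Unless the site relies on the server resolving extensionless paths, this should be "announce.html#a20190815". Separately, the last added line opens another div class="column col-md-4" that is closed immediately by the unchanged context line, leaving an empty column at the end of the row; confirm that placeholder is intended rather than a leftover.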
