This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 125519a  Automatic Site Publish by Buildbot
125519a is described below

commit 125519ad8a3f881a449d622c3b98fb7123223585
Author: buildbot <us...@infra.apache.org>
AuthorDate: Sun Dec 12 16:02:59 2021 +0000

    Automatic Site Publish by Buildbot
---
 output/announce-2021.html | 14 ++++++++++++++
 output/index.html         | 10 ++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/output/announce-2021.html b/output/announce-2021.html
index abfde59..0f1606d 100644
--- a/output/announce-2021.html
+++ b/output/announce-2021.html
@@ -131,6 +131,7 @@
     <h1 class="no_toc" id="announcements-2021">Announcements 2021</h1>
 
 <ul id="markdown-toc">
+  <li><a href="#a20211212-1" id="markdown-toc-a20211212-1">12 December 2021 - 
Security Advice on Log4j 2.15.0</a></li>
   <li><a href="#a20211212" id="markdown-toc-a20211212">12 December 2021 - 
Struts 2.5.28 General Availability</a></li>
   <li><a href="#a20211116" id="markdown-toc-a20211116">16 November 2021 - 
Struts 2.5.27 General Availability</a></li>
   <li><a href="#a20210219" id="markdown-toc-a20210219">19 February 2021 - 
Struts Security Impact Levels</a></li>
@@ -140,6 +141,19 @@
   Skip to: <a href="announce-2020">Announcements - 2020</a>
 </p>
 
+<h4 id="a20211212-1">12 December 2021 - Security Advice on Log4j 2.15.0</h4>
+
+<p>The Apache Struts team would like to announce that all the users using the 
latest Struts 2.5.x series should upgrade 
+<a href="https://logging.apache.org/log4j/2.x/";>Log4j</a> library to the  
latest <strong>2.15.0</strong> version which addresses 
+the Remote-Code-Execution vulnerability <strong>CVE-2021-44228</strong>.</p>
+
+<p>This version of Log4j requires Java 8, while Apache Struts 2.5.x series is 
still using Java 1.7 and because
+of that we cannot prepare a new patched 2.5.x version. Yet, in most cases this 
is a drop-in upgrade as Log4j 2.15.0 
+maintains binary compatibility with previous releases - once you are running 
on Java 8. In case you are not able 
+to upgrade Log4j, please use one of  the described mitigations.</p>
+
+<p>More information can be found <a 
href="https://logging.apache.org/log4j/2.x/#News";>here</a>.</p>
+
 <h4 id="a20211212">12 December 2021 - Struts 2.5.28 General Availability</h4>
 
 <p>The Apache Struts group is pleased to announce that Struts 2.5.28 is 
available as a “General Availability”
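Review bot: In the added announcement paragraph, "please use one of  the described mitigations" refers to mitigations that the announcement neither describes nor links to; the only pointer is the generic "here" link to the Log4j news section in the next paragraph. Users who cannot move to Java 8 are the ones who depend on that step, so link the phrase directly to the Log4j page that lists the mitigations and give the link descriptive text rather than "here". The same sentence has a double space in "one of  the". Because output/ is published by Buildbot, make these changes in the site source rather than in the generated HTML.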
diff --git a/output/index.html b/output/index.html
index 665c60a..99765ae 100644
--- a/output/index.html
+++ b/output/index.html
@@ -152,11 +152,13 @@
         <a 
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28";>Version
 notes</a>
       </div>
       <div class="column col-md-4">
-        <h2>Security Advice S2-061 released</h2>
+        <h2>Security Advice on Log4j 2.15.0</h2>
         <p>
-          Forced OGNL evaluation, when evaluated on raw user input in tag 
attributes, may lead to remote code execution.
-          Read more in
-          <a href="announce-2020#a20201208">Announcement</a>
+          The Apache Struts team would like to announce that all the users 
using
+          the latest Struts 2.5.x series should upgrade Log4j library to the
+          latest 2.15.0 version which addresses the Remote-Code-Execution
+          vulnerability - CVE-2021-44228. .
+          Read more in <a href="announce-2021#a20211212-2">Announcement</a>
         </p>
       </div>
       <div class="column col-md-4">
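Review bot: The new link in this teaser points to announce-2021#a20211212-2, but the heading added to announce-2021.html in this same commit has id="a20211212-1" and the TOC entry uses #a20211212-1, so the "Announcement" link will not land on the Log4j advisory. Change the fragment to #a20211212-1. The teaser text also ends with a stray " ." after "CVE-2021-44228.", which should be removed in the source this page is generated from.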
