svn commit: r864360 - in /websites/production/struts/content/development/2.x/docs: building-struts-2-fast-track-release.html guides.html hello-world-using-struts-2.html migration-guide.html security-b
Author: lukaszlenart Date: Tue Jun 4 14:47:50 2013 New Revision: 864360 Log: Updates draft docs Modified: websites/production/struts/content/development/2.x/docs/building-struts-2-fast-track-release.html websites/production/struts/content/development/2.x/docs/guides.html websites/production/struts/content/development/2.x/docs/hello-world-using-struts-2.html websites/production/struts/content/development/2.x/docs/migration-guide.html websites/production/struts/content/development/2.x/docs/security-bulletins.html websites/production/struts/content/development/2.x/docs/struts-next.html websites/production/struts/content/development/2.x/docs/using-struts-2-tags.html Modified: websites/production/struts/content/development/2.x/docs/building-struts-2-fast-track-release.html == --- websites/production/struts/content/development/2.x/docs/building-struts-2-fast-track-release.html (original) +++ websites/production/struts/content/development/2.x/docs/building-struts-2-fast-track-release.html Tue Jun 4 14:47:50 2013 
@@ -125,35 +125,33 @@ under the License. Content /**/ +/*]]>*/ 1 Building Steps (Struts) 1.1 Getting ready -1.2 Obtain a fresh checkout. -1.3 Change site target -1.4 Change scm info -1.5 Revert to -SNAPSHOT -1.6 Update version of archetypes -1.7 Prepare release -1.8 Perform the release -1.9 Move the assemblies to the /www/people.apache.org/builds/struts/$VERSION dir -1.10 Jira stuff -1.11 Vote on it -1.12 Copy files -1.13 Promote release -1.14 Clean up old releases -1.15 Wait for rsync -1.16 (Optional) - Update Security Bulletins -1.17 Update site (Struts 2 site) -1.18 Update site (Struts top level site) -1.19 Redeploy the draft docs -1.20 Permissions -1.21 Post announcements +1.2 Obtain a fresh checkout of created branch. +1.3 Update version of archetypes +1.4 Apply security patch +1.5 Prepare release +1.6 Perform the release +1.7 Move the assemblies to the /www/people.apache.org/builds/struts/$VERSION dir +1.8 Jira stuff +1.9 Vote on it +1.10 Copy files +1.11 Promote release +1.12 Clean up old releases +1.13 Wait for rsync +1.14 (Optional) - Update Security Bulletins +1.15 Update site (Struts 2 site) +1.16 Update site (Struts top level site) +1.17 Redeploy the draft docs +1.18 Permissions +1.19 Post announcements 
@@ -161,17 +159,12 @@ div.rbtoc1366362432289 li {margin-left: Getting ready - When a serious security issue arises, we should try to create a STRUTS_#_#_#_X branch from the last GA release (from tag). + When a serious security issue arises, we should try to create a STRUTS_#_#_#_X branch from the last GA release (from tag - check it out and use mvn release:branch as below). -mvn release:branch -DbranchName=STRUTS_#_#_#_X +mvn release:branch -DbranchName=STRUTS_#_#_#_X -DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true -Read the http://maven.apache.org/maven-release/maven-release-plugin/examples/branch.html"; class="external-link" rel="nofollow">maven release:branch docs for further details or alternatively - -svn copy https://svn.apache.org/repos/asf/struts/struts2/tags/STRUTS_#_#_# https://svn.apache.org/repos/asf/struts/struts2/branches/STRUTS_#_#_#_X -m "Creating new branch" - - -https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" align="absmiddle" alt="" border="0">The svn copy command just copies the struts branch from the struts tags, no info about the version will be changed, you have to update in the next steps Change scm info. +Read the http://maven.apache.org/maven-release/maven-release-plugin/examples/branch.html"; class="external-link" rel="nofollow">maven release:branch docs for further details or alternatively Apply to that branch only the security patch Commit the fix. No reference should be make to the commit being related to a security vulnerability. If the patch first applies to some other dependency, implore the other group to do the same, to avoid side-effects from other changes. @@ -181,57 +174,19 @@ div.rbtoc1366362432289 li {margin-left: -Obtain a fresh checkout. +Obtain a fresh checkout of created branch. svn co https://svn.apache.org/repos/asf/struts/struts2/branches/STRUTS_#_#_#_X STRU
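Review bot: the sentence "Read the maven release:branch docs for further details or alternatively" now ends on "or alternatively" because this hunk removes the svn copy alternative and its warning; drop the trailing "or alternatively" or restore the alternative. With the "Change scm info" and "Revert to -SNAPSHOT" steps gone from the numbered list, the new flags on the branch command (-DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true) are now the only thing that sets the branch version, so the text should say so explicitly instead of only pointing at the external docs. While here, the unchanged context line "No reference should be make to the commit" has a typo ("made").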
svn commit: r1489472 - in /struts/site/trunk/content: resources/archetype-catalog.xml site.xml xdoc/announce.xml xdoc/download.xml xdoc/downloads.xml xdoc/index.xml
Author: lukaszlenart Date: Tue Jun 4 15:28:11 2013 New Revision: 1489472 URL: http://svn.apache.org/r1489472 Log: Updates site to reflect new release Modified: struts/site/trunk/content/resources/archetype-catalog.xml struts/site/trunk/content/site.xml struts/site/trunk/content/xdoc/announce.xml struts/site/trunk/content/xdoc/download.xml struts/site/trunk/content/xdoc/downloads.xml struts/site/trunk/content/xdoc/index.xml Modified: struts/site/trunk/content/resources/archetype-catalog.xml URL: http://svn.apache.org/viewvc/struts/site/trunk/content/resources/archetype-catalog.xml?rev=1489472&r1=1489471&r2=1489472&view=diff == --- struts/site/trunk/content/resources/archetype-catalog.xml (original) +++ struts/site/trunk/content/resources/archetype-catalog.xml Tue Jun 4 15:28:11 2013 @@ -7,42 +7,42 @@ org.apache.struts struts2-archetype-blank -2.3.14.2 +2.3.14.3 https://repository.apache.org/content/groups/public/ Struts 2 Archetypes - Blank org.apache.struts struts2-archetype-convention -2.3.14.2 +2.3.14.3 https://repository.apache.org/content/groups/public/ Struts 2 Archetypes - Blank Convention org.apache.struts struts2-archetype-dbportlet -2.3.14.2 +2.3.14.3 https://repository.apache.org/content/groups/public/ Struts 2 Archetypes - Database Portlet org.apache.struts struts2-archetype-plugin -2.3.14.2 +2.3.14.3 https://repository.apache.org/content/groups/public/ Struts 2 Archetypes - Plugin org.apache.struts struts2-archetype-portlet -2.3.14.2 +2.3.14.3 https://repository.apache.org/content/groups/public/ Struts 2 Archetypes - Portlet org.apache.struts struts2-archetype-starter -2.3.14.2 +2.3.14.3 https://repository.apache.org/content/groups/public/ Struts 2 Archetypes - Starter Modified: struts/site/trunk/content/site.xml URL: http://svn.apache.org/viewvc/struts/site/trunk/content/site.xml?rev=1489472&r1=1489471&r2=1489472&view=diff == --- struts/site/trunk/content/site.xml (original) +++ struts/site/trunk/content/site.xml Tue Jun 4 15:28:11 2013 
@@ -84,7 +84,7 @@ name="Key Technologies" href="primer.html" /> http://struts.apache.org/release/2.3.x/index.html"; /> http://svn.apache.org/viewvc/struts/site/trunk/content/xdoc/announce.xml?rev=1489472&r1=1489471&r2=1489472&view=diff == --- struts/site/trunk/content/xdoc/announce.xml (original) +++ struts/site/trunk/content/xdoc/announce.xml Tue Jun 4 15:28:11 2013 @@ -30,6 +30,48 @@ limitations under the License. Announcements - 2012 +3 June 2013 - Struts 2.3.14.3 General Availability Release - Security Fix Release + +The Apache Struts group is pleased to announce that Struts 2.3.14.3 is +available as a "General Availability" release. The GA designation is our +highest quality grade. + + +Apache Struts 2 is an elegant, extensible framework for creating +enterprise-ready Java web applications. The framework is designed to +streamline the full development cycle, from building, to deploying, to +maintaining applications over time. + + +A highly critical security vulnerability was resolved in this release: + + +http://struts.apache.org/release/2.3.x/docs/s2-015.html";>S2-015 +- A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution + + + + +All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.3 immediately. + + +Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation distributions, from the +http://struts.apache.org/download.cgi#struts23143";>releases page. +The release is also available through the central Maven repository under Gr
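Review bot: the new "3 June 2013 - Struts 2.3.14.3 General Availability Release" entry is inserted directly under the "Announcements - 2012" heading shown as context in the announce.xml hunk; it belongs under a 2013 heading. Within the same entry, "Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation distributions" names the previous version; it should read 2.3.14.3 to match the entry heading and the download anchor #struts23143 it links to.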
svn commit: r864365 [2/2] - in /websites/staging/struts/trunk/content: ./ dev/
Modified: websites/staging/struts/trunk/content/helping.html == --- websites/staging/struts/trunk/content/helping.html (original) +++ websites/staging/struts/trunk/content/helping.html Tue Jun 4 15:29:47 2013 @@ -1,13 +1,13 @@ http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> - + How to Help FAQ @@ -53,7 +53,7 @@ - Last Published: 2013-05-26 + Last Published: 2013-06-04 @@ -153,9 +153,9 @@ - + -Struts 2.3.14.2 (GA) +Struts 2.3.14.3 (GA) Modified: websites/staging/struts/trunk/content/index.html == --- websites/staging/struts/trunk/content/index.html (original) +++ websites/staging/struts/trunk/content/index.html Tue Jun 4 15:29:47 2013 @@ -1,13 +1,13 @@ http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> - + Welcome @@ -54,7 +54,7 @@ - Last Published: 2013-05-26 + Last Published: 2013-06-04 @@ -152,9 +152,9 @@ - + -Struts 2.3.14.2 (GA) +Struts 2.3.14.3 (GA) @@ -312,7 +312,7 @@ - http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> - + Javadoc Index @@ -54,7 +54,7 @@ - Last Published: 2013-05-26 + Last Published: 2013-06-04 @@ -154,9 +154,9 @@ - + -Struts 2.3.14.2 (GA) +Struts 2.3.14.3 (GA) Modified: websites/staging/struts/trunk/content/kickstart.html == --- websites/staging/struts/trunk/content/kickstart.html (original) +++ websites/staging/struts/trunk/content/kickstart.html Tue Jun 4 15:29:47 2013 @@ -1,13 +1,13 @@ http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> - + Kickstart FAQ @@ -53,7 +53,7 @@ - Last Published: 2013-05-26 + Last Published: 2013-06-04 @@ -151,9 +151,9 @@ - + -Struts 2.3.14.2 (GA) +Struts 2.3.14.3 (GA) Modified: websites/staging/struts/trunk/content/mail.html == --- websites/staging/struts/trunk/content/mail.html (original) +++ websites/staging/struts/trunk/content/mail.html Tue Jun 4 15:29:47 2013 @@ -1,13 +1,13 @@ http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> - + Mailing Lists @@ -54,7 +54,7 @@ - Last Published: 2013-05-26 + Last Published: 2013-06-04 
@@ -154,9 +154,9 @@ - + -Struts 2.3.14.2 (GA) +Struts 2.3.14.3 (GA) Modified: websites/staging/struts/trunk/content/primer.html == --- websites/staging/struts/trunk/content/primer.html (original) +++ websites/staging/struts/trunk/content/primer.html Tue Jun 4 15:29:47 2013 @@ -1,13 +1,13 @@ http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> - + Key Technologies Primer @@ -54,7 +54,7 @@ - Last Published: 2013-05-26 + Last Published: 2013-06-04 @@ -152,9 +152,9 @@ - + -Struts 2.3.14.2 (GA) +Struts 2.3.14.3 (GA)
svn commit: r1489475 - /struts/site/trunk/content/xdoc/downloads.xml
Author: lukaszlenart Date: Tue Jun 4 15:31:50 2013 New Revision: 1489475 URL: http://svn.apache.org/r1489475 Log: Updates site to reflect new release Modified: struts/site/trunk/content/xdoc/downloads.xml Modified: struts/site/trunk/content/xdoc/downloads.xml URL: http://svn.apache.org/viewvc/struts/site/trunk/content/xdoc/downloads.xml?rev=1489475&r1=1489474&r2=1489475&view=diff == --- struts/site/trunk/content/xdoc/downloads.xml (original) +++ struts/site/trunk/content/xdoc/downloads.xml Tue Jun 4 15:31:50 2013 @@ -165,7 +165,6 @@ limitations under the License. 6 March 2013 -likely: http://struts.apache.org/2.x/docs/s2-012.html";>S2-012, http://struts.apache.org/2.x/docs/s2-013.html";>S2-013, http://struts.apache.org/2.x/docs/s2-014.html";>S2-014, @@ -181,7 +180,6 @@ limitations under the License. 22 December 2012 -likely: http://struts.apache.org/2.x/docs/s2-012.html";>S2-012, http://struts.apache.org/2.x/docs/s2-013.html";>S2-013, http://struts.apache.org/2.x/docs/s2-014.html";>S2-014, @@ -197,7 +195,6 @@ limitations under the License. 19 November 2012 -likely: http://struts.apache.org/2.x/docs/s2-012.html";>S2-012, http://struts.apache.org/2.x/docs/s2-013.html";>S2-013, http://struts.apache.org/2.x/docs/s2-014.html";>S2-014, @@ -213,7 +210,6 @@ limitations under the License. 13 August 2012 -likely: http://struts.apache.org/2.x/docs/s2-012.html";>S2-012, http://struts.apache.org/2.x/docs/s2-013.html";>S2-013, http://struts.apache.org/2.x/docs/s2-014.html";>S2-014,
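Review bot: dropping the "likely:" qualifier turns the S2-012, S2-013 and S2-014 lists for the 6 March 2013, 22 December 2012, 19 November 2012 and 13 August 2012 releases into definite statements, which is fine if each bulletin's affected range was checked against those versions. The hunk does not add S2-015 to any of these entries, although the S2-015 bulletin in this same series lists Struts 2.0.0 - Struts 2.3.14.2 as affected, so these older releases should reference S2-015 as well.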
svn commit: r864366 - in /websites/staging/struts/trunk/content: ./ downloads.html
Author: buildbot Date: Tue Jun 4 15:33:41 2013 New Revision: 864366 Log: Staging update by buildbot for struts Modified: websites/staging/struts/trunk/content/ (props changed) websites/staging/struts/trunk/content/downloads.html Propchange: websites/staging/struts/trunk/content/ -- --- cms:source-revision (original) +++ cms:source-revision Tue Jun 4 15:33:41 2013 @@ -1 +1 @@ -1489472 +1489475 Modified: websites/staging/struts/trunk/content/downloads.html == --- websites/staging/struts/trunk/content/downloads.html (original) +++ websites/staging/struts/trunk/content/downloads.html Tue Jun 4 15:33:41 2013 @@ -312,7 +312,7 @@ -
svn commit: r864369 - in /websites/production/struts/content/development/2.x/docs: s2-015.html security-bulletins.html
Author: lukaszlenart Date: Tue Jun 4 16:01:40 2013 New Revision: 864369 Log: Updates draft docs Added: websites/production/struts/content/development/2.x/docs/s2-015.html Modified: websites/production/struts/content/development/2.x/docs/security-bulletins.html Added: websites/production/struts/content/development/2.x/docs/s2-015.html == --- websites/production/struts/content/development/2.x/docs/s2-015.html (added) +++ websites/production/struts/content/development/2.x/docs/s2-015.html Tue Jun 4 16:01:40 2013 
@@ -0,0 +1,246 @@ + + + +http://www.w3.org/TR/html4/loose.dtd";> + + +https://struts.apache.org/css/default.css";> + + .dp-highlighter { +width:95% !important; + } + + + .footer { +background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif'); +background-repeat: repeat-x; +background-position: left top; +padding-top: 4px; +color: #666; + } + + + var hide = null; + var show = null; + var children = null; + + function init() { +/* Search form initialization */ +var form = document.forms['search']; +if (form != null) { + form.elements['domains'].value = location.hostname; + form.elements['sitesearch'].value = location.hostname; +} + +/* Children initialization */ +hide = document.getElementById('hide'); +show = document.getElementById('show'); +children = document.all != null ? + document.all['children'] : + document.getElementById('children'); +if (children != null) { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; +} + } + + function showChildren() { +children.style.display = 'block'; +show.style.display = 'none'; +hide.style.display = 'inline'; + } + + function hideChildren() { +children.style.display = 'none'; +show.style.display = 'inline'; +hide.style.display = 'none'; + } + +S2-015 + + + + + + Apache Struts 2 Documentation > Home > Security Bulletins > S2-015 + + + http://www.google.com/search"; method="get"> + + + + + + + + + + + + + + + +Apache Struts 2 Documentation +S2-015 + + + https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638";> +https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Edit Page"> +https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638";>Edit Page + + https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";> +https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"> +https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse Space + + https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638";> +https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Add Page"> + https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638";>Add Page + + https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638";> +https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Add News"> + https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638";>Add News + + + + + + Summary + + +A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks + + + + + +Who should read this +All Struts 2 developers and users + + +Impact of vulnerability +Remote command execution, remote server context manipulation, injection of malicious client side code + + +Maximum security rating +Highly Critical + + +Recommendation +Developers should immediately upgrade to http://struts.apache.org/download.cgi#struts23142"; class="external-link" rel="nofollow">Struts 2.3.14.2 + + +Affected Software + Struts 2.0.0 - Struts 2.3.14.1 + + +Reporter + Eric Kobrin
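Review bot: the added s2-015.html carries another bulletin's metadata rather than S2-015's: the Summary describes "forcing parameter inclusion in the URL and Anchor Tag", the Recommendation points to Struts 2.3.14.2 (download.cgi#struts23142), Affected Software stops at 2.3.14.1 and the Reporter is Eric Kobrin. The announce.xml entry committed earlier in this series already describes S2-015 as the wildcard matching / double OGNL evaluation issue fixed in 2.3.14.3, so these fields should be rewritten before the page is published; as committed it tells users the wrong fixed version.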
svn commit: r864378 - in /websites/production/struts/content/release/2.3.x: ./ docs/ struts2-apps/ struts2-apps/struts2-blank/ struts2-apps/struts2-jboss-blank/ struts2-apps/struts2-mailreader/ struts
Author: lukaszlenart Date: Tue Jun 4 17:57:01 2013 New Revision: 864378 Log: Updates site after release [This commit notification would consist of 167 parts, which exceeds the limit of 50 ones, so it was shortened to the summary.]
[CONF] Confluence Changes in the last 24 hours
This is a daily summary of all recent changes in Confluence.
svn commit: r864453 - in /websites/production/struts/content: ./ development/ release/
Author: lukaszlenart Date: Wed Jun 5 04:58:35 2013 New Revision: 864453 Log: Push changes Added: websites/production/struts/content/ - copied from r864452, websites/staging/struts/trunk/content/ websites/production/struts/content/development/ - copied from r864452, websites/production/struts/content/development/ websites/production/struts/content/release/ - copied from r864452, websites/production/struts/content/release/
svn commit: r864455 - in /websites/production/struts/content/development/2.x/docs: guides.html migration-guide.html s2-015.html security-bulletins.html version-notes-23143.html wildcard-method-selecti
Author: lukaszlenart Date: Wed Jun 5 05:14:58 2013 New Revision: 864455 Log: Updates draft docs Added: websites/production/struts/content/development/2.x/docs/version-notes-23143.html Modified: websites/production/struts/content/development/2.x/docs/guides.html websites/production/struts/content/development/2.x/docs/migration-guide.html websites/production/struts/content/development/2.x/docs/s2-015.html websites/production/struts/content/development/2.x/docs/security-bulletins.html websites/production/struts/content/development/2.x/docs/wildcard-method-selection.html Modified: websites/production/struts/content/development/2.x/docs/guides.html == --- websites/production/struts/content/development/2.x/docs/guides.html (original) +++ websites/production/struts/content/development/2.x/docs/guides.html Wed Jun 5 05:14:58 2013 @@ -353,7 +353,7 @@ under the License. Version Notes 2.3.15 - TBR - https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3"; title="Version Notes 2.3.14.3">Version Notes 2.3.14.3 + Version Notes 2.3.14.3 Version Notes 2.3.14.2 Version Notes 2.3.14.1 Version Notes 2.3.14 Modified: websites/production/struts/content/development/2.x/docs/migration-guide.html == --- websites/production/struts/content/development/2.x/docs/migration-guide.html (original) +++ websites/production/struts/content/development/2.x/docs/migration-guide.html Wed Jun 5 05:14:58 2013 @@ -130,7 +130,7 @@ under the License. Version Notes 2.3.15 - TBR - https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3"; title="Version Notes 2.3.14.3">Version Notes 2.3.14.3 + Version Notes 2.3.14.3 Version Notes 2.3.14.2 Version Notes 2.3.14.1 Version Notes 2.3.14 
@@ -444,7 +444,7 @@ under the License. Version Notes 2.3.14.2 (Apache Struts 2 Documentation) - https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3"; title="Version Notes 2.3.14.3">Version Notes 2.3.14.3 + Version Notes 2.3.14.3 (Apache Struts 2 Documentation) Modified: websites/production/struts/content/development/2.x/docs/s2-015.html == --- websites/production/struts/content/development/2.x/docs/s2-015.html (original) +++ websites/production/struts/content/development/2.x/docs/s2-015.html Wed Jun 5 05:14:58 2013 @@ -126,7 +126,7 @@ under the License. Summary -A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks +A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution. 
@@ -145,19 +145,19 @@ under the License. Recommendation -Developers should immediately upgrade to http://struts.apache.org/download.cgi#struts23142"; class="external-link" rel="nofollow">Struts 2.3.14.2 +Developers should immediately upgrade to http://struts.apache.org/download.cgi#struts23143"; class="external-link" rel="nofollow">Struts 2.3.14.3 Affected Software - Struts 2.0.0 - Struts 2.3.14.1 + Struts 2.0.0 - Struts 2.3.14.2 Reporter - Eric Kobrin and Douglas Rodrigues (Akamai), Coverity Security Research Laboratory, NSFOCUS Security Team + Jon Passki from Coverity Security Research Laboratory reported directly to security@struts.a.o and via https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection"; class="external-link" rel="nofollow">blog post CVE Identifier -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115"; class="external-link" rel="nofollow">CVE-2013-2115, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1966"; class="external-link" rel="nofollow">CVE-2013-1966 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2135"; class="external-link" rel="nofollow">CVE-2013-2135, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2134"; class="external-link" rel="nofollow">CVE-2013-2134 
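Review bot: the Affected Software range is extended to "Struts 2.0.0 - Struts 2.3.14.2" while the Recommendation now upgrades to 2.3.14.3, which is consistent, but the CVE identifiers are replaced wholesale (CVE-2013-2115 and CVE-2013-1966 become CVE-2013-2135 and CVE-2013-2134) without a word on why, and the Summary hunk above names two distinct causes (wildcard matching, double evaluation of OGNL), so the bulletin should state which identifier covers which cause. In the Reporter line, "security@struts.a.o" uses the a.o shorthand; write the full domain so the address is usable as written.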
@@ -165,73 +165,89 @@ under the License. Problem -Both the http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/components/URL.html"; class="external-link" rel="nofollow">s:url and http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/components/Anchor.html"; class="external-link" rel="nofollow">s:a tag provide an includeParams attribute. +Struts 2 allows define action mapping base on wildcards, like in example below: + + +svn commit: r864456 - /websites/production/struts/content/release/2.3.x/docs/version-notes-23143.html Author: lukaszlenart Date: Wed Jun 5 05:19:53 2013 New Revision: 864456 Log: Adds missing version notes Added: websites/production/struts/content/release/2.3.x/docs/version-notes-23143.html Added: websites/production/struts/content/release/2.3.x/docs/version-notes-23143.html == --- websites/production/struts/content/release/2.3.x/docs/version-notes-23143.html (added) +++ websites/production/struts/content/release/2.3.x/docs/version-notes-23143.html Wed Jun 5 05:19:53 2013 
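Review bot: in the last r864455 hunk (the s2-015.html Problem section, just above the r864456 header), "Struts 2 allows define action mapping base on wildcards, like in example below:" should read "Struts 2 allows defining action mappings based on wildcards, as in the example below:". The hunk header (-165,73 +165,89) shows the section was largely rewritten, so confirm that nothing from the removed s:url / s:a includeParams description survives further down the Problem section.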
@@ -0,0 +1,206 @@ + + + +http://www.w3.org/TR/html4/loose.dtd";> + + +https://struts.apache.org/css/default.css";> + + .dp-highlighter { +width:95% !important; + } + + + .footer { +background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif'); +background-repeat: repeat-x; +background-position: left top; +padding-top: 4px; +color: #666; + } + + + var hide = null; + var show = null; + var children = null; + + function init() { +/* Search form initialization */ +var form = document.forms['search']; +if (form != null) { + form.elements['domains'].value = location.hostname; + form.elements['sitesearch'].value = location.hostname; +} + +/* Children initialization */ +hide = document.getElementById('hide'); +show = document.getElementById('show'); +children = document.all != null ? + document.all['children'] : + document.getElementById('children'); +if (children != null) { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; +} + } + + function showChildren() { +children.style.display = 'block'; +show.style.display = 'none'; +hide.style.display = 'inline'; + } + + function hideChildren() { +children.style.display = 'none'; +show.style.display = 'inline'; +hide.style.display = 'none'; + } + +Version Notes 2.3.14.3 + + + + + + Apache Struts 2 Documentation > Home > Guides > Migration Guide > Version Notes 2.3.14.3 + + + http://www.google.com/search"; method="get"> + + + + + + + + + + + + + + + +Apache Struts 2 Documentation +Version Notes 2.3.14.3 + + + https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823655";> +https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Edit Page"> +https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823655";>Edit Page + + https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";> +https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; 
height="16" width="16" border="0" align="absmiddle" title="Browse Space"> +https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse Space + + https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823655";> +https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Add Page"> + https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823655";>Add Page + + https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823655";> +https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Add News"> + https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823655";>Add News + + + + + + https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; height="16" width="16" align="absmiddle" alt="" border="0"> These are the notes for the Struts 2.3.14.3 distribution. + +https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; height="16" width="16" align="absmiddle" alt="" border="0"> For prior notes in this release series, see Version Notes 2.3.14.3 + + + If you are a Maven user, you might want to get started using the Maven Archetype. + Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development. + + + +Maven Dependency + +
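Review bot: "For prior notes in this release series, see Version Notes 2.3.14.3" points the 2.3.14.3 notes at themselves; the prior notes are Version Notes 2.3.14.2, which the guides.html and migration-guide.html hunks in this series list right next to 2.3.14.3. The hunk also ends at the "Maven Dependency" heading with nothing following it before the cut-off, so check that the dependency snippet for 2.3.14.3 is actually present in the page.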
svn commit: r864458 - /websites/production/struts/content/release/2.3.x/docs/migration-guide.html
Author: lukaszlenart Date: Wed Jun 5 05:21:43 2013 New Revision: 864458 Log: Adds missing version notes Modified: websites/production/struts/content/release/2.3.x/docs/migration-guide.html Modified: websites/production/struts/content/release/2.3.x/docs/migration-guide.html == --- websites/production/struts/content/release/2.3.x/docs/migration-guide.html (original) +++ websites/production/struts/content/release/2.3.x/docs/migration-guide.html Wed Jun 5 05:21:43 2013 @@ -130,7 +130,7 @@ under the License. Version Notes 2.3.15 - TBR - https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3"; title="Version Notes 2.3.14.3">Version Notes 2.3.14.3 + Version Notes 2.3.14.3 Version Notes 2.3.14.2 Version Notes 2.3.14.1 Version Notes 2.3.14 @@ -444,7 +444,7 @@ under the License. Version Notes 2.3.14.2 (Apache Struts 2 Documentation) - https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3"; title="Version Notes 2.3.14.3">Version Notes 2.3.14.3 + Version Notes 2.3.14.3 (Apache Struts 2 Documentation)
svn commit: r864459 - in /websites/production/struts/content/release/2.3.x/docs: s2-015.html security-bulletins.html
Author: lukaszlenart Date: Wed Jun 5 05:24:01 2013 New Revision: 864459 Log: Adds missing version notes Added: websites/production/struts/content/release/2.3.x/docs/s2-015.html Modified: websites/production/struts/content/release/2.3.x/docs/security-bulletins.html Added: websites/production/struts/content/release/2.3.x/docs/s2-015.html == --- websites/production/struts/content/release/2.3.x/docs/s2-015.html (added) +++ websites/production/struts/content/release/2.3.x/docs/s2-015.html Wed Jun 5 05:24:01 2013 
@@ -0,0 +1,262 @@ + + + +http://www.w3.org/TR/html4/loose.dtd";> + + +https://struts.apache.org/css/default.css";> + + .dp-highlighter { +width:95% !important; + } + + + .footer { +background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif'); +background-repeat: repeat-x; +background-position: left top; +padding-top: 4px; +color: #666; + } + + + var hide = null; + var show = null; + var children = null; + + function init() { +/* Search form initialization */ +var form = document.forms['search']; +if (form != null) { + form.elements['domains'].value = location.hostname; + form.elements['sitesearch'].value = location.hostname; +} + +/* Children initialization */ +hide = document.getElementById('hide'); +show = document.getElementById('show'); +children = document.all != null ? + document.all['children'] : + document.getElementById('children'); +if (children != null) { + children.style.display = 'none'; + show.style.display = 'inline'; + hide.style.display = 'none'; +} + } + + function showChildren() { +children.style.display = 'block'; +show.style.display = 'none'; +hide.style.display = 'inline'; + } + + function hideChildren() { +children.style.display = 'none'; +show.style.display = 'inline'; +hide.style.display = 'none'; + } + +S2-015 + + + + + + Apache Struts 2 Documentation > Home > Security Bulletins > S2-015 + + + http://www.google.com/search"; method="get"> + + + + + + + + + + + + + + + +Apache Struts 2 Documentation +S2-015 + + + https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638";> +https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Edit Page"> +https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823638";>Edit Page + + https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";> +https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"> +https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse Space + + https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638";> +https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Add Page"> + https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823638";>Add Page + + https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638";> +https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; height="16" width="16" border="0" align="absmiddle" title="Add News"> + https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823638";>Add News + + + + + + Summary + + +A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution. + + + + + +Who should read this +All Struts 2 developers and users + + +Impact of vulnerability +Remote command execution, remote server context manipulation, injection of malicious client side code + + +Maximum security rating +Highly Critical + + +Recommendation +Developers should immediately upgrade to http://struts.apache.org/download.cgi#struts23143"; class="external-link" rel="nofollow">Struts 2.3.14.3 + + +Affected Software + Struts 2.0.0 - Struts 2.3.14.2 + + +Reporter + Jon Passki from Coverity Security Research Labo
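Review bot: the Summary of the added s2-015.html, "A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution", conflates two distinct causes and drops its articles; suggest "A vulnerability introduced by the wildcard matching mechanism, or by double evaluation of OGNL expressions, allows remote command execution." so readers can see that either path alone is sufficient. The added file also ships Confluence editing chrome (the Edit Page link to editpage.action?pageId=31823638, the Add Page and Add News links, and the inline init()/showChildren()/hideChildren() script that writes location.hostname into a Google search form) that has no function in a static release-docs page and should be stripped before publishing. The hunk is cut off in this view at "Coverity Security Research Labo", so the Reporter line and the rest of the 262 added lines could not be checked.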