[struts-site] branch master updated (f60cb52 -> 1cc8e74)
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git.

    from f60cb52 Merge pull request #111 from apache/release-2516
     add f2b19ba Adds announcement about file-upload
     add 36a66d1 Adds info about using Struts Tag and cleans up page
     new 1cc8e74 Merge pull request #112 from lukaszlenart/dependencies

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 source/announce.md       | 34 ++
 source/index.html        | 21 +--
 source/security/index.md | 94
 3 files changed, 106 insertions(+), 43 deletions(-)

-- To stop receiving notification emails like this one, please contact lukaszlen...@apache.org.
[struts-site] 01/01: Merge pull request #112 from lukaszlenart/dependencies
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 1cc8e7467b5f58ef02e273a374f563d03c32819f
Merge: f60cb52 36a66d1
Author: Lukasz Lenart
AuthorDate: Tue Mar 27 11:54:42 2018 +0200

    Merge pull request #112 from lukaszlenart/dependencies

    Dependencies

 source/announce.md       | 34 ++
 source/index.html        | 21 +--
 source/security/index.md | 94
 3 files changed, 106 insertions(+), 43 deletions(-)

-- To stop receiving notification emails like this one, please contact lukaszlen...@apache.org.
[struts-site] branch asf-site updated: Updates production by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 603e631 Updates production by Jenkins 603e631 is described below commit 603e631e48a1c00ce96ec9170375da7c79b3d592 Author: jenkins AuthorDate: Tue Mar 27 10:01:19 2018 + Updates production by Jenkins --- content/announce.html | 37 ++ content/index.html | 21 --- content/security/index.html | 92 - 3 files changed, 110 insertions(+), 40 deletions(-) diff --git a/content/announce.html b/content/announce.html index 4d61c2f..18a3ebe 100644 --- a/content/announce.html +++ b/content/announce.html @@ -130,6 +130,7 @@ Announcements 2018 + 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 16 March 2018 - Struts 2.5.16 General Availability 
@@ -137,6 +138,42 @@ Skip to: Announcements - 2017 +23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 + +The Apache Struts Team recommends to immediately upgrade your Struts 2 +based projects to use the latest released version of Commons +FileUpload library, which is currently 1.3.3. This is necessary to +prevent your publicly accessible web site from being exposed to +possible Remote Code Execution attacks (see [1] [2]). + +This affects any Struts version prior to 2.5.12 [3]. + +Your project is affected if it uses the built-in file upload mechanism +of Struts 2, which defaults to the use of commons-fileupload. The +updated commons-fileupload library is a drop-in replacement for the +vulnerable version. Deployed applications can be hardened by replacing +the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For +Maven based Struts 2 projects, the following dependency needs to be +added: + ++ + + + +More details can be found here: + + + https://issues.apache.org/jira/browse/FILEUPLOAD-279";>https://issues.apache.org/jira/browse/FILEUPLOAD-279 + https://nvd.nist.gov/vuln/detail/CVE-2016-131";>https://nvd.nist.gov/vuln/detail/CVE-2016-131 + https://issues.apache.org/jira/browse/WW-4812";>https://issues.apache.org/jira/browse/WW-4812 + + +All developers are strongly advised to perform this action. + 16 March 2018 - Struts 2.5.16 General Availability The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a “General Availability” diff --git a/content/index.html b/content/index.html index 123cfaf..08e39a7 100644 --- a/content/index.html +++ b/content/index.html 
@@ -162,18 +162,19 @@ Apache Struts 2.3.34 GA It's the latest release of Struts 2.3.x which contains the latest security fixes, - read more in Announcement or in + read more in Announcement or in Version notes -Potential RCE vulnerability in the Showcase app +Immediately upgrade commons-fileupload to version 1.3.3 - A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series. - Please read more in S2-048 or in the official - Announcement + The Apache Struts Team recommends to immediately upgrade your Struts 2 + based projects to use the latest released version of Commons + FileUpload library, which is currently 1.3.3. + Announcement @@ -181,18 +182,12 @@ The Struts Extras secure Multipart plugins General Availability - versions 1.1, use them to secure your application against critical security vulnerability reported in S2-045, - S2-046, read more in Announcement + S2-046, read more in Announcement or in https://github.com/apache/struts-extras";>README -New documentation - - We have started working on a new documentation, the main task is to port existing Confluence based pages - to Markdown, thus will allow for easier deployment and maintenance. - You can help us by contributing via GitHub https://github.com/apache/struts-site";>struts-site - project. The first migrated part is the Getting started guide. - + diff --git a/content/security/index.html b/content/security/index.html index 0050ca4..7ccc60f 100644 --- a/content/security/index.html +++ b/content/security/index.html @@ -140,6 +140,7 @@ Use UTF-8 encoding Do not define setters when not needed Do not use incoming values as an input for localisation logic + Use Struts tags instead of raw EL expressioncommons-fileupload +commons-fileupload +1.3.3 +
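Review bot: the NVD reference in the new 23 March entry (announce.html hunk @@ -137,6 +138,42 @@) reads CVE-2016-131 in both the href and the link text, which is not a well-formed CVE identifier (the sequence part has at least four digits), so the link will not resolve; check the id against the NVD entry referenced from FILEUPLOAD-279 before publishing. In the same hunk, the Maven snippet after "the following dependency needs to be added:" appears as four empty added lines, with the coordinates commons-fileupload / commons-fileupload / 1.3.3 showing up detached at the very end of the patch; make sure the groupId/artifactId/version element is HTML-escaped inside a code block so it renders and can be copied. Minor: "recommends to immediately upgrade" reads better as "recommends immediately upgrading".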
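Review bot: the front-page box in the index.html hunk @@ -162,18 +162,19 @@ replaces the S2-048 entry with only the first sentence of the commons-fileupload advisory and leaves out the affected range ("any Struts version prior to 2.5.12") and the fact that the fixed jar is a drop-in replacement, so a reader scanning the front page cannot tell whether they are affected without following the link; carry the version range into the summary. Removing the S2-048 box also drops the only front-page link to that bulletin; if that is intended, fine, but it should be a deliberate choice rather than a side effect of reusing the slot.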
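Review bot: in the index.html hunk @@ -181,18 +182,12 @@ the "Announcement" link in the Struts Extras box is removed and re-added with identical visible text, so the href changed but cannot be checked from this view; confirm it still points at the Extras 1.1 announcement. The same hunk deletes the "New documentation" box together with its link to the struts-site GitHub project; if contributors are still wanted for the Confluence-to-Markdown migration, move that link somewhere on the page rather than dropping it.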
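Review bot: the new list entry in the security/index.html hunk @@ -140,6 +140,7 @@ reads "raw EL expression"; the neighbouring entries use plural or generic nouns ("setters", "incoming values"), so "raw EL expressions" matches them. The diffstat reports 92 changed lines for this file but only this one added entry is visible, so the body of the new "Use Struts tags" section is not reviewable from this mail; and in this view the entry runs straight into the "commons-fileupload" text that belongs to the announce.html dependency snippet, which is worth checking against the rendered page to be sure nothing leaked across files.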
[struts-site] 01/01: Merge pull request #113 from lukaszlenart/jackson-xml
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 3f4ee920106c106de7a036cede971479d04ea3d6
Merge: 1cc8e74 3e3770e
Author: Lukasz Lenart
AuthorDate: Tue Mar 27 12:13:29 2018 +0200

    Merge pull request #113 from lukaszlenart/jackson-xml

    Jackson xml

 source/announce.md | 10 ++
 source/index.html  |  7 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)

-- To stop receiving notification emails like this one, please contact lukaszlen...@apache.org.
[struts-site] branch master updated (1cc8e74 -> 3f4ee92)
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git.

    from 1cc8e74 Merge pull request #112 from lukaszlenart/dependencies
     add 27505bc Adds info about XML serialisation
     add 3e3770e Adds info to the front page
     new 3f4ee92 Merge pull request #113 from lukaszlenart/jackson-xml

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 source/announce.md | 10 ++
 source/index.html  |  7 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)

-- To stop receiving notification emails like this one, please contact lukaszlen...@apache.org.
[struts-site] branch asf-site updated: Updates production by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 8d4f5a5 Updates production by Jenkins 8d4f5a5 is described below commit 8d4f5a5f0693580d28b7168139e2b344009c020c Author: jenkins AuthorDate: Tue Mar 27 10:30:45 2018 + Updates production by Jenkins --- content/announce.html | 11 +++ content/index.html| 7 ++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/content/announce.html b/content/announce.html index 18a3ebe..ad5b1ee 100644 --- a/content/announce.html +++ b/content/announce.html @@ -130,6 +130,7 @@ Announcements 2018 + 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 16 March 2018 - Struts 2.5.16 General Availability @@ -138,6 +139,16 @@ Skip to: Announcements - 2017 +27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin + +The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released +version of the Apache Struts. This is necessary to prevent your publicly accessible web site, which is using the Struts +REST plugin and performing XML serialisation, from being exposed to possible DoS attack. + +You can find more details in a Security Bulletin https://cwiki.apache.org/confluence/display/WW/S2-056";>S2-056 + +All developers are strongly advised to perform this action. + 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 The Apache Struts Team recommends to immediately upgrade your Struts 2 diff --git a/content/index.html b/content/index.html index 08e39a7..6eadc78 100644 --- a/content/index.html +++ b/content/index.html 
@@ -187,7 +187,12 @@ - +A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin + + The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use + the latest released version of the Apache Struts to prevent possible DoS attack when using the REST plugin. + Announcement + -- To stop receiving notification emails like this one, please contact git-site-r...@apache.org.
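Review bot: the 27 March entry in the announce.html hunk @@ -138,6 +139,16 @@ names the "Apache Security Struts Team", while the 23 March entry in the unchanged context below it says "Apache Struts Team"; use one name. The entry tells readers to move to "the latest released version of the Apache Struts" without saying which versions are affected or which release carries the fix, unlike the 23 March entry's "prior to 2.5.12"; state the affected range and the fixed version in the entry itself rather than only in the linked S2-056 bulletin. Grammar: "recommends to immediately upgrade" should be "recommends immediately upgrading", "of the Apache Struts" should be "of Apache Struts", and "possible DoS attack" needs an article ("a possible DoS attack").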
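Review bot: the front-page box in the index.html hunk @@ -187,7 +187,12 @@ repeats the "Apache Security Struts Team" naming and the article-less "possible DoS attack" from the announcement, so the same wording fixes apply here; it also says only "the latest released version of the Apache Struts", so name the fixed release in the box so readers can compare it against what they are running without opening the announcement.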