struts-user mailing list archives

From Dave Newton <davelnew...@gmail.com>
Subject Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)
Date Mon, 20 Oct 2014 14:52:49 GMT
I've been an advocate of not shipping it for some time now.

The fact that it's been deprecated and uses such an old version of
Dojo should be enough to dissuade usage, IMO, especially now that
there's a jQuery-based replacement.

I'd like to see it not ship at all.

Dave


On Mon, Oct 20, 2014 at 10:49 AM, Markus Fischer
<Markus.Fischer@knipp.de> wrote:
> Hi all.
>
>>>> According to the Apache Struts 2 Documentation (see
>>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two
>>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]).
>
>>> Probably it's a vulnerable version
>
>> I'd add that since the plugin has been deprecated since S2.1 it's unlikely
>> anything was ever done to deal with it.
>
> Given that the plugin has been deprecated already, does anyone know for
> which release the removal is planned? I was not able to find any
> documentation regarding a Dojo plugin roadmap.
>
> Cheers,
> Markus
>
>>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html
>>>
>>> [2]
>>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>



-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton
b: Bucky Bits
g: davelnewton
so: Dave Newton


