struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Question Regarding Recent Security Announcement
Date Mon, 05 Nov 2018 07:15:51 GMT
On Sun, 4 Nov 2018 at 18:40, David Dillard <David.Dillard@veritas.com> wrote:
> 1. Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used
> <https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>,
> not 1.3.3, so I'm confused about what's stated in the email. What's recommended doesn't seem
> to accomplish what the email states it will.

We overlooked that when we were preparing Struts 2.3.36; this is
an easy drop-in dependency.

> 2. The recommendation for Fileupload 1.3.2 can be found in the Maven repository since
> Struts 2.3.30, which was released back in July 2016.
> 3. This makes sense since the last documented DoS vulnerability in Fileupload was
> fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
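
One way to apply the drop-in upgrade discussed in this thread in a Maven build, shown as an added example that is not part of the original message or the Struts project's own configuration. It assumes a project that receives commons-fileupload transitively through struts2-core 2.3.36 and pins the newer version in its own pom.xml:

```xml
<!-- Added example: fragment of an application's pom.xml (assumed layout). -->
<dependencyManagement>
  <dependencies>
    <!-- Pin the transitive dependency so every module resolves 1.3.3
         instead of the 1.3.2 declared by struts2-core 2.3.36. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.3.36</version>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=commons-fileupload` afterwards shows which version is actually resolved; also confirm that only one commons-fileupload JAR ends up in the packaged WEB-INF/lib.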
