struts-user mailing list archives
From Yasser Zamani <yasserzam...@apache.org>
Subject RE: Question Regarding Recent Security Announcement
Date Mon, 05 Nov 2018 06:46:39 GMT
Hi David,

That was a typo which has already been fixed and re-announced. We meant 1.3.3. Thanks for your
email.

Regards.

>-----Original Message-----
>From: David Dillard <David.Dillard@veritas.com>
>Sent: Sunday, November 4, 2018 9:10 PM
>To: user@struts.apache.org
>Subject: Question Regarding Recent Security Announcement
>
>Hi,
>
>An email <http://mail-archives.apache.org/mod_mbox/www-announce/201811.mbox/%3cCAMopvkMgZiJ+ZkT1HmkQt94q7-bzNWnZm0Td9vq589vz5YM=Mw@mail.gmail.com%3e>
>was recently sent to the Apache Announcements list suggesting that users update
>to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 1.3.3
>due to a potential DoS. I have a few questions about this:
>
>  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
>used <https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>,
>not 1.3.3, so I'm confused about what's stated in the email. What's recommended
>doesn't seem to accomplish what the email states it will.
>  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven
>repository since Struts 2.3.30, which was released back in July 2016.
>  3.  This makes sense since the last documented DoS vulnerability in Fileupload
>was fixed in 1.3.2.
>
>So, given all of this, can someone explain why this recommendation was made,
>and why now, since the noted issues have been resolved for a couple of years?
>
>Thanks,
>
>David
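The thread turns on which Commons Fileupload version a Struts 2.3.36 build actually resolves: the announcement names 1.3.3, while the struts2-core 2.3.36 POM in the Maven repository declares 1.3.2. Rather than relying on the version struts2-core pulls in transitively, a project can pin the dependency itself. The POM fragment below is an added example, not text from this thread or from the Struts project's own documentation; it assumes a Maven project that depends on struts2-core 2.3.36 and uses the standard `commons-fileupload:commons-fileupload` coordinates.

```xml
<!-- Added example (not from this thread or the Struts project). Assumes a Maven
     project that already depends on org.apache.struts:struts2-core 2.3.36. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement also governs transitive dependencies, so this
           pins commons-fileupload to 1.3.3 even though struts2-core 2.3.36
           declares 1.3.2 in its own POM. -->
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.36</version>
    </dependency>
  </dependencies>
</project>
```

After adding the pin, confirm the effective version with `mvn dependency:tree -Dincludes=commons-fileupload`; the tree should show commons-fileupload 1.3.3 under struts2-core, which is the check that settles the question of what the build actually ships regardless of what the upstream POM recommends.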


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org