struts-user mailing list archives

From Yasser Zamani
Subject RE: Question Regarding Recent Security Announcement
Date Mon, 05 Nov 2018 06:46:39 GMT
Hi David,

That was a typo which has already been fixed and re-announced. We meant 1.3.3. Thanks for your


>-----Original Message-----
>From: David Dillard
>Sent: Sunday, November 4, 2018 9:10 PM
>Subject: Question Regarding Recent Security Announcement
>An email was recently sent to the
>Apache Announcements list suggesting that users update to Apache Struts 2.3.36
>in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS.  I
>have a few questions about this:
>  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
>core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email.  What's
>recommended doesn't seem to accomplish what the email states it will.
>  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven
>repository since Struts 2.3.30, which was released back in July 2016.
>  3.  This makes sense since the last documented DoS vulnerability in Fileupload
>was fixed in 1.3.2.
>So, given all of this, can someone explain why this recommendation was made
>and why now since the noted issues to have been resolved for a couple of years?
