www-announce mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36
Date Sun, 04 Nov 2018 15:18:31 GMT
I meant commons-fileupload version 1.3.3, sorry for that.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

On Sun, 4 Nov 2018 at 10:30, Lukasz Lenart <lukaszlenart@apache.org> wrote:
>
> The Apache Struts Team recommends that you immediately upgrade your Struts 2.3.36
> based projects to use the latest released version of the Commons
> FileUpload library, which is currently 1.3.1. This is necessary to
> prevent your publicly accessible web site from being exposed to
> possible DoS attacks [1] [2].
>
> Your project is affected if it uses the built-in file upload mechanism
> of Struts 2, which defaults to the use of commons-fileupload. The
> updated commons-fileupload library is a drop-in replacement for the
> vulnerable version. Deployed applications can be hardened by replacing
> the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
> Maven-based Struts 2 projects, the following dependency needs to be
> added:
> <dependency>
>     <groupId>commons-fileupload</groupId>
>     <artifactId>commons-fileupload</artifactId>
>     <version>1.3.1</version>
> </dependency>
>
>
> More details can be found here:
> [1] http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
> [2] http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
>
> on behalf of the Apache Struts Team
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
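
The message above says deployed applications are hardened by replacing the commons-fileupload jar in WEB-INF/lib. The following Python script is an added example, not part of the original message or of any Apache project code: it inventories exploded web applications and packed WAR files under a directory and flags bundled commons-fileupload jars older than 1.3.3, the version given in the correction. It assumes the jar keeps its Maven-style file name `commons-fileupload-<version>.jar`; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (1, 3, 3)  # version named in the correction at the top of this message
# Assumption: the jar keeps its Maven-style name, so the version is in the file name.
JAR_RE = re.compile(r"(?:^|/)WEB-INF/lib/commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text):
    """Turn '1.3.1' into (1, 3, 1), padded to three parts so 1.3 compares as 1.3.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def scan(root):
    """Return sorted (location, version, needs_upgrade) for each bundled commons-fileupload jar."""
    root = Path(root)
    found = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        m = JAR_RE.search(rel)
        if m:  # jar inside an exploded web application
            found.append((rel, m.group(1)))
        elif path.suffix.lower() == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:  # jar inside a packed web application
                for name in war.namelist():
                    m = JAR_RE.search(name)
                    if m:
                        found.append((f"{rel}!/{name}", m.group(1)))
    return sorted((loc, ver, parse_version(ver) < FIXED) for loc, ver in found)


def build_sample(root):
    """Constructed sample tree: one exploded app and one WAR, with empty placeholder jars."""
    lib = Path(root) / "shop" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "commons-fileupload-1.3.1.jar").write_bytes(b"")
    with zipfile.ZipFile(Path(root) / "admin.war", "w") as war:
        war.writestr("WEB-INF/lib/commons-fileupload-1.3.3.jar", b"")
        war.writestr("WEB-INF/lib/struts2-core-2.3.36.jar", b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for loc, ver, stale in scan(tmp):
            print(f"{'UPGRADE' if stale else 'ok':8} {ver:8} {loc}")
```

A renamed jar will not match the file-name pattern, so treat an empty result as "nothing found by name" rather than proof that the library is absent.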
