Author: lukaszlenart Date: Fri Jul 14 06:24:31 2017 New Revision: 1015450 Log: Updates production
Modified: websites/production/struts/content/announce.html websites/production/struts/content/docs/s2-049.html websites/production/struts/content/index.html Modified: websites/production/struts/content/announce.html ============================================================================== --- websites/production/struts/content/announce.html (original) +++ websites/production/struts/content/announce.html Fri Jul 14 06:24:31 2017 @@ -127,6 +127,7 @@ <ul id="markdown-toc"> <li><a href="#a20170717" id="markdown-toc-a20170717">17 July 2017 - Struts 2.5.12 General Availability</a></li> + <li><a href="#a20170717-2" id="markdown-toc-a20170717-2">17 July 2017 - Struts 2.3.33 General Availability</a></li> <li><a href="#a20170707" id="markdown-toc-a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</a></li> <li><a href="#a20170323" id="markdown-toc-a20170323">23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1</a></li> <li><a href="#a20170320" id="markdown-toc-a20170320">20 march 2017 - Struts Extras secure Multipart plugins General Availability</a></li> @@ -154,7 +155,7 @@ to maintaining applications over time.</ <li><a href="/docs/s2-047.html">S2-047</a> Possible DoS attack when using URLValidator</li> <li><a href="/docs/s2-049.html">S2-049</a> -A DoS attack is available for Spring secured actions,</li> +A DoS attack is available for Spring secured actions</li> </ul> <p>Except the above this release also contains several improvements just to mention few of them:</p> 
@@ -218,6 +219,42 @@ to the user list, and, if appropriate, f <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> +<h4 id="a20170717-2">17 July 2017 - Struts 2.3.33 General Availability</h4> + +<p>The Apache Struts group is pleased to announce that Struts 2.3.32 is available as a âGeneral Availabilityâ +release. The GA designation is our highest quality grade.</p> + +<p>This release addresses two potential security vulnerabilities:</p> + +<ul> + <li><a href="/docs/s2-049.html">S2-049</a> +A DoS attack is available for Spring secured actions</li> + <li><a href="/docs/s2-048.html">S2-048</a> +Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series</li> +</ul> + +<p>Also this version resolves the following issues:</p> + +<ul> + <li><code class="highlighter-rouge">EmailValidator</code> does not accept new domain suffixes</li> + <li>Revision number still missing from <code class="highlighter-rouge">dojo.js</code> and <code class="highlighter-rouge">dojo.js.uncompressed.js</code></li> + <li>Strange Behavior Parsing Action Requests</li> +</ul> + +<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. 
+The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.</p> + +<p><strong>All developers are strongly advised to perform this action.</strong></p> + +<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6.</p> + +<p>Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.</p> + +<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> + <h4 id="a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</h4> <p>A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series. Modified: websites/production/struts/content/docs/s2-049.html ============================================================================== --- websites/production/struts/content/docs/s2-049.html (original) +++ websites/production/struts/content/docs/s2-049.html Fri Jul 14 06:24:31 2017 
@@ -139,7 +139,7 @@ under the License. <div class="pagecontent"> <div class="wiki-content"> - <div id="ConfluenceContent"><h2 id="S2-049-Summary">Summary</h2>A DoS attack is available for Spring secured actions<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A DoS attack is available for Spring secured actions</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2512.html">Struts 2.5.12</a></p></td></tr><tr><th colspan="1" rowspan="1" class ="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span class="Apple-tab-span"> </span>Yasser Zamani <yasser dot zamani at live dot com></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p> </p></td></tr></tbody></table></div><h2 id="S2-049-Problem">Problem</h2><p>When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack when user was properly authenticated</p><p><span style="font-size: 20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.12.</p><h2 id="S2-049-Backwardcompatibility">Backward 
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-049-Workaround">Workaround</h2><p>Please define the below constant in a <code>struts.xml</code> file:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> + <div id="ConfluenceContent"><h2 id="S2-049-Summary">Summary</h2>A DoS attack is available for Spring secured actions<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A DoS attack is available for Spring secured actions</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2512.html">Struts 2.5.12</a></p></td></tr><tr><th colspan="1" rowspan="1" class ="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.32, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Yasser Zamani <yasser dot zamani at live dot com></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-9787</p></td></tr></tbody></table></div><h2 id="S2-049-Problem">Problem</h2><p>When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack 
when user was properly authenticated</p><p><span style="font-size: 20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.12 or 2.3.33.</p><h2 id="S2-049-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</ p><h2 id="S2-049-Workaround">Workaround</h2><p>Please define the below constant in a <code>struts.xml</code> file:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><constant name="struts.additional.excludedPatterns" value=".\.accessDecisionManager\.." /></pre> </div></div><p> </p><p> </p></div> </div> Modified: websites/production/struts/content/index.html ============================================================================== --- websites/production/struts/content/index.html (original) +++ websites/production/struts/content/index.html Fri Jul 14 06:24:31 2017 @@ -157,11 +157,11 @@ <a href="/docs/version-notes-2512.html">Version notes</a> </div> <div class="column col-md-4"> - <h2>Apache Struts 2.3.32 GA</h2> + <h2>Apache Struts 2.3.33 GA</h2> <p> It's the latest release of Struts 2.3.x which contains the latest security fix, - read more in <a href="announce.html#a20170307-2">Announcement</a> or in - <a href="/docs/version-notes-2332.html">Version notes</a> + read more in <a href="announce.html#a20170717-2">Announcement</a> or in + <a href="/docs/version-notes-2333.html">Version notes</a> </p> </div> </div>
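Review bot: in the added 2.3.33 announcement section the opening paragraph still reads "Struts 2.3.32 is available as a âGeneral Availabilityâ release", contradicting the heading it sits under (`<h4 id="a20170717-2">17 July 2017 - Struts 2.3.33 General Availability</h4>`); change the version to 2.3.33 so readers are not told an already superseded release is the GA one. The quotation marks around General Availability are mis-encoded in the same line, so check the file is saved as UTF-8. Further down, "All developers are strongly advised to perform this action" never names the action; say "upgrade to 2.3.33" explicitly, as the 2.5.12 section above it is the only place a reader could infer it from.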
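Review bot: the rewritten S2-049 table is internally inconsistent after this change: the Affected Software cell now covers "Struts 2.3.7 - Struts 2.3.32" and the Solution paragraph says "Upgrade to Apache Struts version 2.5.12 or 2.3.33", but the Recommendation row still says only "Upgrade to <a ... href="version-notes-2512.html">Struts 2.5.12</a>", which tells 2.3.x users the only remedy is a major-version jump; add 2.3.33 (with its version notes link) to that row. Two smaller things to verify in the same block: the Backward compatibility paragraph in the new version ends with `</ p>` rather than `</p>`, and the workaround constant is shown as `value=".\.accessDecisionManager\.."`, which as printed would only match a single character on either side of `.accessDecisionManager.`; confirm the intended pattern survived the HTML generation, since users will copy it verbatim into struts.xml.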
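Review bot: the updated index box now links to `<a href="/docs/version-notes-2333.html">Version notes</a>`, but docs/version-notes-2333.html is not among the three files this revision modifies (announce.html, docs/s2-049.html, index.html), so the link will 404 on production until that page is published in a separate commit; please confirm it exists before this goes live. The box also keeps "contains the latest security fix" in the singular, while the linked announcement lists two fixes (S2-048 and S2-049); "security fixes" would match.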