This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push: new 871b9b4 Updates production by Jenkins 871b9b4 is described below commit 871b9b498d6baefe7f8991bb0c86dd0b8c2ad502 Author: jenkins <bui...@apache.org> AuthorDate: Wed Aug 22 07:30:53 2018 +0000 Updates production by Jenkins --- content/announce.html | 72 +++++++++++++++++++++ content/core-developers/interceptors.html | 2 + content/core-developers/struts-default-xml.html | 2 + content/download.html | 84 ++++++++++++------------- content/index.html | 22 +++---- content/releases.html | 15 ++++- 6 files changed, 143 insertions(+), 54 deletions(-) diff --git a/content/announce.html b/content/announce.html index 32f7605..5faaddd 100644 --- a/content/announce.html +++ b/content/announce.html @@ -130,6 +130,9 @@ <h1 class="no_toc" id="announcements-2018">Announcements 2018</h1> <ul id="markdown-toc"> + <li><a href="#a20180822-0" id="markdown-toc-a20180822-0">22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</a></li> + <li><a href="#a20180822-1" id="markdown-toc-a20180822-1">22 August 2018 - Struts 2.5.17 General Availability</a></li> + <li><a href="#a20180822-2" id="markdown-toc-a20180822-2">22 August 2018 - Struts 2.3.35 General Availability</a></li> <li><a href="#a20180327" id="markdown-toc-a20180327">27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</a></li> <li><a href="#a20180323" id="markdown-toc-a20180323">23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3</a></li> <li><a href="#a20180316" id="markdown-toc-a20180316">16 March 2018 - Struts 2.5.16 General Availability</a></li> 
@@ -139,6 +142,75 @@ Skip to: <a href="announce-2017.html">Announcements - 2017</a> </p> +<h4 id="a20180822-0">22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</h4> + +<p>CVEID:CVE-2018-11776</p> + +<p>PRODUCT:Apache Struts</p> + +<p>VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</p> + +<p>PROBLEMTYPE:Remote Code Execution</p> + +<p>REFERENCES:<a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></p> + +<p>DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and +2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its +upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action +set and in same time, its upper action(s) have no or wildcard namespace.</p> + +<h4 id="a20180822-1">22 August 2018 - Struts 2.5.17 General Availability</h4> + +<p>The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a “General Availability” +release. The GA designation is our highest quality grade.</p> + +<p>In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:</p> + +<ul> + <li>Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></li> +</ul> + +<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. 
+The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.</p> + +<p><strong>All developers are strongly advised to perform this action.</strong></p> + +<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7.</p> + +<p>Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.</p> + +<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> + +<h4 id="a20180822-2">22 August 2018 - Struts 2.3.35 General Availability</h4> + +<p>The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a “General Availability” +release. The GA designation is our highest quality grade.</p> + +<p>In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:</p> + +<ul> + <li>Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></li> +</ul> + +<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. 
+The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.</p> + +<p><strong>All developers are strongly advised to perform this action.</strong></p> + +<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6.</p> + +<p>Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.</p> + +<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> + <h4 id="a20180327">27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</h4> <p>The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released diff --git a/content/core-developers/interceptors.html b/content/core-developers/interceptors.html index 91095e6..5409037 100644 --- a/content/core-developers/interceptors.html +++ b/content/core-developers/interceptors.html @@ -286,6 +286,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <span class="c"><!-- this is simpler version of the above used with string comparison --></span> <span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.excludedPackageNames"</span> <span class="na">value=</span><span class="s">"</span> + <span class="err">com.opensymphony.xwork2.ognl.,</span> <span class="err">java.lang.,</span> <span class="err">ognl.,</span> <span class="err">javax,</span> 
@@ -293,6 +294,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <span class="err">freemarker.template.,</span> <span class="err">freemarker.ext.rhino.,</span> <span class="err">freemarker.ext.beans.,</span> + <span class="err">sun.misc.,</span> <span class="err">sun.reflect.,</span> <span class="err">javassist."</span> <span class="nt">/></span> diff --git a/content/core-developers/struts-default-xml.html b/content/core-developers/struts-default-xml.html index 0c0ab39..fab4f27 100644 --- a/content/core-developers/struts-default-xml.html +++ b/content/core-developers/struts-default-xml.html @@ -201,6 +201,7 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p> <span class="c"><!-- this is simpler version of the above used with string comparison --></span> <span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.excludedPackageNames"</span> <span class="na">value=</span><span class="s">"</span> + <span class="err">com.opensymphony.xwork2.ognl.,</span> <span class="err">java.lang.,</span> <span class="err">ognl.,</span> <span class="err">javax,</span> @@ -208,6 +209,7 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p> <span class="err">freemarker.template.,</span> <span class="err">freemarker.ext.rhino.,</span> <span class="err">freemarker.ext.beans.,</span> + <span class="err">sun.misc.,</span> <span class="err">sun.reflect.,</span> <span class="err">javassist."</span> <span class="nt">/></span> diff --git a/content/download.html b/content/download.html index 73b1735..715ed20 100644 --- a/content/download.html +++ b/content/download.html 
@@ -189,26 +189,26 @@ <h2 id="struts-ga">Full Releases</h2> -<h3 id="struts2516">Struts 2.5.16</h3> +<h3 id="struts2517">Struts 2.5.17</h3> <p> - <a href="https://struts.apache.org/">Apache Struts 2.5.16</a> is an elegant, extensible + <a href="https://struts.apache.org/">Apache Struts 2.5.17</a> is an elegant, extensible framework for creating enterprise-ready Java web applications. It is available in a full distribution, or as separate library, source, example and documentation distributions. - Struts 2.5.16 is the "best available" version of Struts in the 2.5 series. + Struts 2.5.17 is the "best available" version of Struts in the 2.5 series. </p> <ul> <li> - <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16">Version Notes</a> + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17">Version Notes</a> </li> <li>Full Distribution: <ul> <li> - <a href="[preferred]struts/2.5.16/struts-2.5.16-all.zip">struts-2.5.16-all.zip</a> (65MB) - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-all.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-all.zip.md5">MD5</a>] + <a href="[preferred]struts/2.5.17/struts-2.5.17-all.zip">struts-2.5.17-all.zip</a> (65MB) + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-all.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-all.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -216,9 +216,9 @@ <li>Example Applications: <ul> <li> - <a href="[preferred]struts/2.5.16/struts-2.5.16-apps.zip">struts-2.5.16-apps.zip</a> (35MB) - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-apps.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-apps.zip.md5">MD5</a>] + <a href="[preferred]struts/2.5.17/struts-2.5.17-apps.zip">struts-2.5.17-apps.zip</a> (35MB) + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-apps.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-apps.zip.md5">MD5</a>] </li> </ul> </li> @@ -226,9 +226,9 @@ <li>Essential Dependencies Only: <ul> <li> - <a href="[preferred]struts/2.5.16/struts-2.5.16-min-lib.zip">struts-2.5.16-min-lib.zip</a> (4MB) - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-min-lib.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-min-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/2.5.17/struts-2.5.17-min-lib.zip">struts-2.5.17-min-lib.zip</a> (4MB) + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-min-lib.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-min-lib.zip.md5">MD5</a>] </li> </ul> </li> @@ -236,9 +236,9 @@ <li>All Dependencies: <ul> <li> - <a href="[preferred]struts/2.5.16/struts-2.5.16-lib.zip">struts-2.5.16-lib.zip</a> (19MB) - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-lib.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/2.5.17/struts-2.5.17-lib.zip">struts-2.5.17-lib.zip</a> (19MB) + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-lib.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-lib.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -246,9 +246,9 @@ <li>Documentation: <ul> <li> - <a href="[preferred]struts/2.5.16/struts-2.5.16-docs.zip">struts-2.5.16-docs.zip</a> (13MB) - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-docs.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-docs.zip.md5">MD5</a>] + <a href="[preferred]struts/2.5.17/struts-2.5.17-docs.zip">struts-2.5.17-docs.zip</a> (13MB) + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-docs.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-docs.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -256,28 +256,28 @@ <li>Source: <ul> <li> - <a href="[preferred]struts/2.5.16/struts-2.5.16-src.zip">struts-2.5.16-src.zip</a> (7MB) - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-src.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.5.16/struts-2.5.16-src.zip.md5">MD5</a>] + <a href="[preferred]struts/2.5.17/struts-2.5.17-src.zip">struts-2.5.17-src.zip</a> (7MB) + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-src.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.5.17/struts-2.5.17-src.zip.md5">MD5</a>] </li> </ul> </li> </ul> -<h3 id="struts-23x">Struts 2.3.34</h3> +<h3 id="struts-23x">Struts 2.3.35</h3> <ul> <li> - <a href="https://struts.apache.org/docs/version-notes-2334.html">Version Notes</a> + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35">Version Notes</a> </li> <li>Full Distribution: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-all.zip">struts-2.3.34-all.zip</a> (65MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.35/struts-2.3.35-all.zip">struts-2.3.35-all.zip</a> (65MB) + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-all.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-all.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -285,9 +285,9 @@ <li>Example Applications: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-apps.zip">struts-2.3.34-apps.zip</a> (35MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-apps.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-apps.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.35/struts-2.3.35-apps.zip">struts-2.3.35-apps.zip</a> (35MB) + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-apps.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-apps.zip.md5">MD5</a>] </li> </ul> </li> @@ -295,9 +295,9 @@ <li>Essential Dependencies Only: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-min-lib.zip">struts-2.3.34-min-lib.zip</a> (4MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-min-lib.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-min-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.35/struts-2.3.35-min-lib.zip">struts-2.3.35-min-lib.zip</a> (4MB) + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-min-lib.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-min-lib.zip.md5">MD5</a>] </li> </ul> </li> @@ -305,9 +305,9 @@ <li>All Dependencies: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-lib.zip">struts-2.3.34-lib.zip</a> (19MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.35/struts-2.3.35-lib.zip">struts-2.3.35-lib.zip</a> (19MB) + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-lib.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-lib.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -315,9 +315,9 @@ <li>Documentation: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-docs.zip">struts-2.3.34-docs.zip</a> (13MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-docs.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-docs.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.35/struts-2.3.35-docs.zip">struts-2.3.35-docs.zip</a> (13MB) + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-docs.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-docs.zip.md5">MD5</a>] </li> </ul> </li> @@ -325,9 +325,9 @@ <li>Source: <ul> <li> - <a href="[preferred]struts/2.3.34/struts-2.3.34-src.zip">struts-2.3.34-src.zip</a> (7MB) - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-src.zip.asc">PGP</a>] - [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-src.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.35/struts-2.3.35-src.zip">struts-2.3.35-src.zip</a> (7MB) + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-src.zip.asc">PGP</a>] + [<a href="https://www.apache.org/dist/struts/2.3.35/struts-2.3.35-src.zip.md5">MD5</a>] </li> </ul> </li> diff --git a/content/index.html b/content/index.html index ec24232..4479be6 100644 --- a/content/index.html +++ b/content/index.html @@ -131,7 +131,7 @@ extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON. </p> - <a href="download.cgi#struts2516" class="btn btn-primary btn-large"> + <a href="download.cgi#struts2517" class="btn btn-primary btn-large"> <img src="img/download-icon.svg"> Download </a> <a href="primer.html" class="btn btn-info btn-large"> 
@@ -156,19 +156,19 @@ </p> </div> <div class="column col-md-4"> - <h2>Apache Struts 2.5.16 GA</h2> + <h2>Apache Struts 2.5.17 GA</h2> <p> - Apache Struts 2.5.16 GA has been released<br/>on 16 March 2018. + Apache Struts 2.5.17 GA has been released<br/>on 22 August 2018. </p> - Read more in <a href="announce.html#a20180316">Announcement</a> or in - <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16">Version notes</a> + Read more in <a href="announce.html#a20180822-1">Announcement</a> or in + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17">Version notes</a> </div> <div class="column col-md-4"> - <h2>Apache Struts 2.3.34 GA</h2> + <h2>Apache Struts 2.3.35 GA</h2> <p> It's the latest release of Struts 2.3.x which contains the latest security fixes, - read more in <a href="announce-2017.html#a20170907">Announcement</a> or in - <a href="/docs/version-notes-2334.html">Version notes</a> + released on 22 August 2018.<br/> Read more in <a href="announce.html#a20180822-2">Announcement</a> or in + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35">Version notes</a> </p> </div> </div> @@ -192,11 +192,11 @@ </p> </div> <div class="column col-md-4"> - <h2>A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</h2> + <h2>Immediately upgrade to version 2.5.17 or 2.3.35</h2> <p> The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use - the latest released version of the Apache Struts to prevent possible DoS attack when using the REST plugin. - <a href="announce.html#a20180327">Announcement</a> + the latest released version of the Apache Struts to prevent possible RCE attack when using results with no namespace, + reported in <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a>. Read more in <a href="announce.html#a20180822-0">Announcement</a>. </p> </div> </div> 
diff --git a/content/releases.html b/content/releases.html index aec9fb7..f1bd7e4 100644 --- a/content/releases.html +++ b/content/releases.html @@ -147,7 +147,7 @@ <ul> <li> <a href="/download.cgi#struts-ga"> - Struts 2.5.16 + Struts 2.5.17 </a> ("best available") </li> </ul> @@ -231,6 +231,18 @@ <tbody> <tr> <td class="no-wrap"> + Struts 2.5.16 + </td> + <td class="no-wrap">16 March 2018</td> + <td> + <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a> + </td> + <td> + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16">Version notes</a> + </td> + </tr> + <tr> + <td class="no-wrap"> Struts 2.5.14.1 </td> <td class="no-wrap">30 November 2017</td> @@ -260,6 +272,7 @@ </td> <td class="no-wrap">7 September 2017</td> <td> + <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a> </td> <td> <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34">Version notes</a>
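Review bot: the CVE-2018-11776 text in the announce.html hunk at @@ -139 has grammar that should be fixed before it is published as the official advisory: "Man Yue Mo from the Semmle Security Research team was noticed that" should read "reported that" (or "noticed that"), and each "in same time" in this hunk should be "at the same time". The label paragraphs also lack a space after the colon (`<p>CVEID:CVE-2018-11776</p>`, `<p>PRODUCT:Apache Struts</p>`, and so on); `<p>CVEID: CVE-2018-11776</p>` matches how the fields read in the earlier announcements. Separately, "All developers are strongly advised to perform this action" appears in both GA announcements with no referent for "this action"; saying "to upgrade to Struts 2.5.17" (and "2.3.35" in the second) states what is being asked.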
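Review bot: the two hunks in core-developers/interceptors.html and the two in core-developers/struts-default-xml.html make the identical edit (adding `com.opensymphony.xwork2.ognl.,` and `sun.misc.,` to the `struts.excludedPackageNames` example), so the same list is now maintained by hand in two pages and will drift the next time only one of them is updated; consider keeping a single copy of the constant and including it in both pages. Since this commit accompanies the 2.5.17 and 2.3.35 releases, the text around the constant should also say from which release these two entries are part of the shipped default, so a reader on an older build who copies this block knows whether they need to add them to their own configuration.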
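Review bot: in the download.html hunk at @@ -189 the 2.5 heading id is renamed from `struts2516` to `struts2517`, while the 2.3 heading in the @@ -256 hunk keeps the version-independent `struts-23x` and the announce.html text links `download.cgi#struts-ga`. As a result the index.html download button (hunk @@ -131) has to be edited to `download.cgi#struts2517` on every release, and any bookmark or external link to the previous id stops working. Suggest a stable id such as `struts-25x`, or pointing the button at `#struts-ga`, which already exists on the page as `<h2 id="struts-ga">Full Releases</h2>`.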
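Review bot: every artifact entry updated in the download.html hunks still offers only a PGP signature and an `.md5` link (for example `struts-2.5.17-all.zip.md5`). MD5 is not collision resistant and is no longer an appropriate integrity check for release artifacts; the page should link a SHA-256 or SHA-512 checksum alongside the signature, and since a checksum served from the same site proves little on its own, a short sentence telling readers to verify the PGP signature would make the security-fix releases announced in this commit safer to adopt.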
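Review bot: the new 2.3.35 column text in the index.html hunk at @@ -156, "It's the latest release of Struts 2.3.x which contains the latest security fixes, released on 22 August 2018.", attaches the release date to "security fixes" rather than to the release; splitting it as "Apache Struts 2.3.35 GA has been released on 22 August 2018. It is the latest release of Struts 2.3.x and contains the latest security fixes." also makes the column parallel to the 2.5.17 column directly above it.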
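Review bot: the teaser added in the index.html hunk at @@ -192 names only one of the two S2-057 conditions ("when using results with no namespace"), while the announcement in this same commit also lists the `url` tag without value and action set; readers who do not use namespace-less results may conclude they are unaffected. Either list both conditions or drop the condition and write "to prevent possible remote code execution (S2-057)"; "RCE" should also be spelled out at first use, and "upgrade ... to use the latest released version of the Apache Struts" reads better as "of Apache Struts".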
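Review bot: in the releases.html hunks S2-057 is added only to the new 2.5.16 row (@@ -231) and to the 2.3.34 row (@@ -260), while the announcement in this commit states that every version from 2.5 to 2.5.16 and 2.3 to 2.3.34 is affected. If the third column lists the security bulletins affecting a release, the older rows (2.5.14.1 and earlier, visible just below the inserted row) need the same entry; if it is meant to list only the last affected release of each line, a column heading or footnote should say so, otherwise the table under-reports which versions need the upgrade.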