[ https://issues.apache.org/jira/browse/EMPIREDB-375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494612#comment-17494612 ]

Rainer Döbele commented on EMPIREDB-375:
----------------------------------------

Hello PJ,

We are currently working on a new major version 3.x for which we so far have no 
plans to further include our struts2 extensions. Version 2.x is being 
discontinued. 

Actually I have asked our community if anyone wants to upgrade the struts 
extensions for version 3.x but had no response.

Unfortunately the code in the struts extensions is so old that it is not 
possible to upgrade it to the latest struts version with reasonable effort.

 

> upgrade struts version
> ----------------------
>
>                 Key: EMPIREDB-375
>                 URL: https://issues.apache.org/jira/browse/EMPIREDB-375
>             Project: Empire-DB
>          Issue Type: Improvement
>    Affects Versions: empire-db-2.5.2
>            Reporter: PJ Fanning
>            Priority: Major
>
> [https://github.com/apache/empire-db/pull/8]
> also v2.2.1 in 
> [https://github.com/apache/empire-db/blob/version2-legacy/pom.xml]
> master branch no longer seems to have struts at all but version 2 is still 
> being released - see 
> [https://lists.apache.org/thread/3fh7djnh62o24xzvbhcqwbnsc5nd8mkx]
> struts v2.2.1 is from 2010 and has 4 CVEs open against it - 
> [https://mvnrepository.com/artifact/org.apache.struts/struts2-core]
> One of the struts CVEs is the one that led to the Equifax hack - 
> [https://www.synopsys.com/blogs/software-security/apache-struts-remote-code-execution-vulnerabilities/#:~:text=Apache%20published%20details%20of%20CVE,day%20Equifax%20announced%20the%20breach.&text=According%20to%20an%20Equifax%20statement,the%20attacker%20from%20mid%2DMay].
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
