Yes, sounds good to me. How about the criticality rating in the bulletin? "Critical" was - I have to admit :) - just copied from 001, what would be a fitting rating here?
Don Brown schrieb:
> What about:
>
> * All developers are strongly advised to update Struts 2 applications
> to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
>
> In this way, we aren't quite so "in-your-face" and a quick summary of
> the issue and what part of Struts 2 is affected is included. The
> qualifier is probably important as not all apps use the affected
> Struts 2 tags and since the release just includes that one fix, it is
> valuable to specify exactly what has been fixed.
>
> Still, these are all minor things - the important thing is that you
> got this release out so quickly and for that, we are all very grateful
> :)
>
> Don
>
> On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>> Agreed. How should we put it better?
>>
>> Don Brown schrieb:
>>
>> > Good point. This pales in comparison to, say, the OGNL remote code
>> > exploit. XSS exploits, while important, just aren't anywhere near as
>> > big of a deal.
>> >
>> > Don
>> >
>> > On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
>> > <[EMAIL PROTECTED]> wrote:
>> >> My opinion is that the criticality is overstated.
>> >> However it is useful to draw attention to the vulnerability.
>> >>
>> >> Don Brown wrote:
>> >> > Looks good. Thanks for creating a security bulletin as well.
>> >> >
>> >> > Don
>> >> >
>> >> > On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>> >> >
>> >> >> The release has been submitted for mirroring. Here's a draft
>> >> >> announcement that we could post tomorrow morning, including a link to a
>> >> >> corresponding security bulletin announcement in the wiki. Comments and
>> >> >> corrections to both texts are highly appreciated.
>> >> >>
>> >> >> ----
>> >> >>
>> >> >> Apache Struts 2.0.11.1 is now available from
>> >> >> <http://struts.apache.org/download.cgi#struts20111>.
>> >> >>
>> >> >> This release is a fast track security fix release, including important
>> >> >> security fixes regarding possible cross site scripting exploits. For
>> >> >> more information about the exploits, visit our security bulletins page at
>> >> >> <http://cwiki.apache.org/confluence/display/WW/S2-002>.
>> >> >>
>> >> >> * ALL DEVELOPERS ARE STRONGLY ADVISED TO UPDATE TO STRUTS 2.0.11.1
>> >> >> IMMEDIATELY!
>> >> >>
>> >> >> For the complete release notes for Struts 2.0.11.1, see
>> >> >> <http://cwiki.apache.org/confluence/display/WW/Release+Notes+2.0.11.1>.
>> >> >>
>> >> >> ---------------------------------------------------------------------
>> >> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> >> For additional commands, e-mail: [EMAIL PROTECTED]
