Or even:
* All developers using user-inputted data in <s:a> and <s:url> tags are
strongly advised to upgrade in order to increase protection against cross
site scripting attacks.
That way we don't spook people into thinking there's something fundamentally
wrong with the whole framework (and I prefer "cross site scripting" as
opposed to "XSS" because I just know we're going to start getting posts on
the user list asking what XSS is).
----- Original Message -----
From: "Don Brown" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[email protected]>
Sent: Tuesday, March 04, 2008 8:04 AM
Subject: Re: [VOTE] Struts 2.0.11.1 Quality (fast track) - PROPOSED ANNOUNCEMENT
What about:
* All developers are strongly advised to update Struts 2 applications
to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
In this way, we aren't quite so "in-your-face" and a quick summary of
the issue and what part of Struts 2 is affected is included. The
qualifier is probably important as not all apps use the affected
Struts 2 tags and since the release just includes that one fix, it is
valuable to specify exactly what has been fixed.
Still, these are all minor things - the important thing is that you
got this release out so quickly and for that, we are all very grateful
:)
Don
On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
Agreed. How should we put it better?
Don Brown wrote:
> Good point. This pales in comparison to, say, the OGNL remote code
> exploit. XSS exploits, while important, just aren't anywhere near as
> big of deal.
>
> Don
>
> On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
> <[EMAIL PROTECTED]> wrote:
>> My opinion is that the criticality is overstated.
>> However it is useful to draw attention to the vulnerability.
>>
>> Don Brown wrote:
>> > Looks good. Thanks for creating a security bulletin as well.
>> >
>> > Don
>> >
>> > On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>> >
>> >> The release has been submitted for mirroring. Here's a draft
>> >> announcement that we could post tomorrow morning, including a link to a
>> >> corresponding security bulletin announcement in the wiki. Comments and
>> >> corrections to both texts are highly appreciated.
>> >>
>> >> ----
>> >>
>> >> Apache Struts 2.0.11.1 is now available from
>> >> <http://struts.apache.org/download.cgi#struts20111>.
>> >>
>> >> This release is a fast track security fix release, including important
>> >> security fixes regarding possible cross site scripting exploits. For
>> >> more information about the exploits, visit our security bulletins page at
>> >> <http://cwiki.apache.org/confluence/display/WW/S2-002>.
>> >>
>> >> * ALL DEVELOPERS ARE STRONGLY ADVISED TO UPDATE TO STRUTS 2.0.11.1
>> >> IMMEDIATELY!
>> >>
>> >> For the complete release notes for Struts 2.0.11.1, see
>> >> <http://cwiki.apache.org/confluence/display/WW/Release+Notes+2.0.11.1>.
>> >>
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> For additional commands, e-mail: [EMAIL PROTECTED]
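As an added illustration, not part of the original thread and not the Struts tag implementation: the bug class the announcement and the proposed wording refer to is user-controlled data being written into a generated link (the kind of markup <s:a> and <s:url> produce) without escaping for the context it lands in. The Java below is demo code written for this page; the class and method names are invented, it assumes Java 10 or later for URLEncoder.encode(String, Charset), and the attacker-controlled parameter value is constructed for the demo. It puts the vulnerable link builder beside a hardened one that percent-encodes each parameter for the URL and then HTML-escapes the finished URL before placing it in the href attribute, and includes a small check that tells the two apart.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Demo of user-controlled data in a generated <a href="..."> with and without
 * context-appropriate escaping. Not the Struts tag code; names are invented.
 */
public class LinkEscapingDemo {

    /** Vulnerable: concatenates raw parameter names and values into the href. */
    static String unsafeLink(String action, Map<String, String> params) {
        StringBuilder sb = new StringBuilder("<a href=\"").append(action);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = '&';
        }
        return sb.append("\">link</a>").toString();
    }

    /**
     * Hardened: two encodings for two contexts. Each name and value is
     * percent-encoded for the URL; the finished URL is then HTML-escaped for
     * the attribute, so the '&' between parameters becomes "&amp;".
     * Assumes Java 10+ for the Charset overload of URLEncoder.encode.
     */
    static String safeLink(String action, Map<String, String> params) {
        StringBuilder url = new StringBuilder(action);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep)
               .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return "<a href=\"" + htmlAttributeEscape(url.toString()) + "\">link</a>";
    }

    /** Escapes the characters that can close a quoted attribute or start a tag. */
    static String htmlAttributeEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Constructed check for the demo: if the text between href=" and the
     * closing ">link</a> still contains a raw quote or angle bracket, the
     * parameter value has escaped the attribute and the browser will parse
     * it as markup.
     */
    static boolean breaksOutOfHref(String html) {
        String inner = html.substring("<a href=\"".length(),
                                      html.lastIndexOf("\">link</a>"));
        return inner.indexOf('"') >= 0 || inner.indexOf('<') >= 0 || inner.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value, as it might arrive in a request parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "\"><script>alert(1)</script>");
        params.put("page", "2");

        String vulnerable = unsafeLink("/search.action", params);
        String hardened = safeLink("/search.action", params);

        // In the vulnerable output the value closes the href early and the
        // script element is live; in the hardened output it stays inside the
        // href as percent-encoded text.
        System.out.println("vulnerable: " + vulnerable);
        System.out.println("hardened:   " + hardened);
        System.out.println("breaks out (vulnerable): " + breaksOutOfHref(vulnerable));
        System.out.println("breaks out (hardened):   " + breaksOutOfHref(hardened));
    }
}
```

The point the thread's qualifier makes ("developers using user-inputted data in <s:a> and <s:url> tags") maps onto the demo directly: only the link builder that receives untrusted data is exposed, and the fix is on the rendering side, not in the page author's markup. Note the two separate encodings; percent-encoding alone would leave a bare '&' between parameters in the attribute, and HTML-escaping alone would not stop a value from injecting extra query parameters.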