On 3/20/2012 3:53 PM, Łukasz Lenart wrote:
What do you propose?

There is no perfect solution; as Dave indicated, "beta" may not mean much to managers.

A hard-line approach would be to reclassify all prior releases of Struts 2 as beta or alpha. Does Struts have a "not recommended" classification?
Struts 2.3.1.1, 2.3.1
Struts 2.2.3.1, 2.2.3, 2.2.1.1, 2.2.1
Struts 2.1.8.1, 2.1.8, 2.1.6
Struts 2.0.14, 2.0.12, 2.0.11.2, 2.0.11.1, 2.0.11, 2.0.9, 2.0.8, 2.0.6

Then change the wording for older releases on the download page, http://struts.apache.org/downloads.html,

from:
'As a courtesy, we retain archival copies of the website for each "General Availability" release.'

to:
'As a courtesy, we retain archival copies of the website for releases that were initially considered "General Availability" but which have since been reclassified as "Not recommended" (or beta/alpha) because they contain security issues'


Then, instead of listing just the prior version of the web site, explicitly list the vulnerabilities these releases are known or assumed to contain.

Struts 2.X Releases
   Release, Approx Rel Date, Vulnerability (advisories known to apply; "likely:" marks those assumed to apply)

* Struts 2.3.1.1 <http://struts.apache.org/2.3.1.1/index.html>, 2012/1/23,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.3.1 <http://struts.apache.org/2.3.1/index.html>, 2011/12/14,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>; likely:
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.2.3.1 <http://struts.apache.org/2.2.3.1/index.html>, 2011/9/7, likely:
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.2.3 <http://struts.apache.org/2.2.3/index.html>, 2011/5/7,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>; likely:
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.2.1.1 <http://struts.apache.org/2.2.1.1/index.html>, 2010/12/21,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>; likely:
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.2.1 <http://struts.apache.org/2.2.1/index.html>, 2010/8/16, likely:
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.1.8.1 <http://struts.apache.org/2.1.8.1/index.html>, 2010/8/16,
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>; likely:
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.1.8 <http://struts.apache.org/2.1.8/index.html>, 2009/9/30, likely:
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.1.6 <http://struts.apache.org/2.1.6/index.html>, 2009/1/5, likely:
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.14 <http://struts.apache.org/2.0.14/index.html>, 2008/11/16, likely:
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.12 <http://struts.apache.org/2.0.12/index.html>, 2008/10/16, likely:
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.11.2 <http://struts.apache.org/2.0.11.2/index.html>, 2008/6/22,
   S2-004 <https://cwiki.apache.org/confluence/display/WW/S2-004>,
   S2-003 <https://cwiki.apache.org/confluence/display/WW/S2-003>; likely:
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.11.1 <http://struts.apache.org/2.0.11.1/index.html>, 2008/3/2, likely:
   S2-003 <https://cwiki.apache.org/confluence/display/WW/S2-003>,
   S2-004 <https://cwiki.apache.org/confluence/display/WW/S2-004>,
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.11 <http://struts.apache.org/2.0.11/index.html>, 2007/9/21,
   S2-002 <https://cwiki.apache.org/confluence/display/WW/S2-002>; likely:
   S2-003 <https://cwiki.apache.org/confluence/display/WW/S2-003>,
   S2-004 <https://cwiki.apache.org/confluence/display/WW/S2-004>,
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.9 <http://struts.apache.org/2.0.9/index.html>, 2007/7/23, likely:
   S2-002 <https://cwiki.apache.org/confluence/display/WW/S2-002>,
   S2-003 <https://cwiki.apache.org/confluence/display/WW/S2-003>,
   S2-004 <https://cwiki.apache.org/confluence/display/WW/S2-004>,
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.8 <http://struts.apache.org/2.0.8/index.html>, 2007/6/6,
   S2-001 <https://cwiki.apache.org/confluence/display/WW/S2-001>; likely:
   S2-002 <https://cwiki.apache.org/confluence/display/WW/S2-002>,
   S2-003 <https://cwiki.apache.org/confluence/display/WW/S2-003>,
   S2-004 <https://cwiki.apache.org/confluence/display/WW/S2-004>,
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>
* Struts 2.0.6 <http://struts.apache.org/2.0.6/index.html>, 2007/2/18,
   S2-001 <https://cwiki.apache.org/confluence/display/WW/S2-001>; likely:
   S2-002 <https://cwiki.apache.org/confluence/display/WW/S2-002>,
   S2-003 <https://cwiki.apache.org/confluence/display/WW/S2-003>,
   S2-004 <https://cwiki.apache.org/confluence/display/WW/S2-004>,
   S2-005 <https://cwiki.apache.org/confluence/display/WW/S2-005>,
   S2-006 <https://cwiki.apache.org/confluence/display/WW/S2-006>,
   S2-007 <https://cwiki.apache.org/confluence/display/WW/S2-007>,
   S2-008 <https://cwiki.apache.org/confluence/display/WW/S2-008>,
   S2-009 <https://cwiki.apache.org/confluence/display/WW/S2-009>


Struts 1.X Releases

 * Struts 1.3.8 <http://struts.apache.org/1.3.8/index.html>
 * Struts 1.3.5 <http://struts.apache.org/1.3.5/index.html>
 * Struts 1.2.9 <http://struts.apache.org/1.2.9/index.html>
 * Struts 1.2.8 <http://struts.apache.org/1.2.8/index.htm>
 * Struts 1.2.7 <http://struts.apache.org/1.2.7/index.html>
 * Struts 1.2.4 <http://struts.apache.org/1.2.4/index.html>
 * Struts 1.1 <http://struts.apache.org/1.1/index.html>
 * Struts 1.0.2 <http://struts.apache.org/1.0.2/index.html>


It may seem drastic, but if the list of security issues next to releases doesn't encourage upgrading, I don't know what will.
Now to talk to my manager :)!

-Rob