The Apache Struts 2.3.34 test build is now available. This release also contains backports from Struts 2.5.12 for the following security vulnerabilities:
- A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047), see https://cwiki.apache.org/confluence/display/WW/S2-050
- A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin, see https://cwiki.apache.org/confluence/display/WW/S2-051
- Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see https://cwiki.apache.org/confluence/display/WW/S2-048

Apart from that, the following issues were also addressed:

Bug
- [WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped
- [WW-4817] - Threads get blocked due to unnecessary synchronization in OgnlRuntime

Dependency
- [WW-4832] - Upgrade to OGNL 3.0.21
- [WW-4844] - Upgrade to struts-master 11

Improvement
- [WW-4834] - Improve RegEx used to validate URLs

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s.

The vote will remain open for at least 24 hours, longer upon request. A vote can be amended at any time to upgrade or downgrade the quality of the release based on future experience. If an initial vote designates the build as "Beta", the release will be submitted for mirroring and announced to the user list. Once released as a public beta, subsequent quality votes on a build may be held on the user list.

As always, the act of voting carries certain obligations. A binding vote not only states an opinion, but means that the voter is agreeing to help do the work.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/