> [ ] Leave at test build > [ ] Alpha > [ ] Beta > [X] General Availability (GA)
+1 (non-binding) as passes our jmeter functional integration tests On 9/6/2017 9:58 AM, Lukasz Lenart wrote: > The Apache Struts 2.3.34 test build is now available. This release > also contains backports from Struts 2.5.12 for the following security > vulnerabilities: > > - A regular expression Denial of Service when using URLValidator > (similar to S2-044 & S2-047), > see https://cwiki.apache.org/confluence/display/WW/S2-050 > - A remote attacker may create a DoS attack by sending crafted xml > request when using the Struts REST plugin, > see https://cwiki.apache.org/confluence/display/WW/S2-051 > - Possible Remote Code Execution attack when using the Struts REST > plugin with XStream handler to handle XML payloads, > see https://cwiki.apache.org/confluence/display/WW/S2-048 > > Except that, the following issues were also addressed: > > Bug > [WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON > Action is ignored, Numeric Keys will work and mapped > [WW-4817] - Threads get blocked due to unnecessary synchronization in > OgnlRuntime > > Dependency > [WW-4832] - Upgrade to OGNL 3.0.21 > [WW-4844] - Upgrade to struts-master 11 > > Improvement > [WW-4834] - Improve RegEx used to validate URLs > > Release notes: > * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34 > > Distribution: > * https://dist.apache.org/repos/dist/dev/struts/2.3.34/ > > Maven 2 staging repository: > * https://repository.apache.org/content/repositories/staging/ > > Once you have had a chance to review the test build, please respond > with a vote on its quality: > > [ ] Leave at test build > [ ] Alpha > [ ] Beta > [ ] General Availability (GA) > > Everyone who has tested the build is invited to vote. Votes by PMC > members are considered binding. A vote passes if there are at least > three binding +1s and more +1s than -1s. > > The vote will remain open for at least 24 hours, longer upon request. > A vote can be amended at any time to upgrade or downgrade the quality > of the release based on future experience. If an initial vote > designates the build as "Beta", the release will be submitted for > mirroring and announced to the user list. Once released as a public > beta, subsequent quality votes on a build may be held on the user > list. > > As always, the act of voting carries certain obligations. A binding > vote not only states an opinion, but means that the voter is agreeing > to help do the work. > > > Kind regards >
