+1 GA (binding)
Am 6. September 2017 07:28:10 MESZ schrieb Lukasz Lenart <lukaszlen...@apache.org>: >The Apache Struts 2.3.34 test build is now available. This release >also contains backports from Struts 2.5.12 for the following security >vulnerabilities: > >- A regular expression Denial of Service when using URLValidator >(similar to S2-044 & S2-047), > see https://cwiki.apache.org/confluence/display/WW/S2-050 >- A remote attacker may create a DoS attack by sending crafted xml >request when using the Struts REST plugin, > see https://cwiki.apache.org/confluence/display/WW/S2-051 >- Possible Remote Code Execution attack when using the Struts REST >plugin with XStream handler to handle XML payloads, > see https://cwiki.apache.org/confluence/display/WW/S2-048 > >Except that, the following issues were also addressed: > >Bug >[WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON >Action is ignored, Numeric Keys will work and mapped >[WW-4817] - Threads get blocked due to unnecessary synchronization in >OgnlRuntime > >Dependency >[WW-4832] - Upgrade to OGNL 3.0.21 >[WW-4844] - Upgrade to struts-master 11 > >Improvement >[WW-4834] - Improve RegEx used to validate URLs > >Release notes: >* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34 > >Distribution: >* https://dist.apache.org/repos/dist/dev/struts/2.3.34/ > >Maven 2 staging repository: >* https://repository.apache.org/content/repositories/staging/ > >Once you have had a chance to review the test build, please respond >with a vote on its quality: > >[ ] Leave at test build >[ ] Alpha >[ ] Beta >[ ] General Availability (GA) > >Everyone who has tested the build is invited to vote. Votes by PMC >members are considered binding. A vote passes if there are at least >three binding +1s and more +1s than -1s. > >The vote will remain open for at least 24 hours, longer upon request. >A vote can be amended at any time to upgrade or downgrade the quality >of the release based on future experience. If an initial vote >designates the build as "Beta", the release will be submitted for >mirroring and announced to the user list. Once released as a public >beta, subsequent quality votes on a build may be held on the user >list. > >As always, the act of voting carries certain obligations. A binding >vote not only states an opinion, but means that the voter is agreeing >to help do the work. > > >Kind regards >-- >Łukasz >+ 48 606 323 122 http://www.lenart.org.pl/ > >--------------------------------------------------------------------- >To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org >For additional commands, e-mail: dev-h...@struts.apache.org
