The Apache Struts 2.5.17 test build is now available. In addition to critical overall proactive security improvements, it includes the latest security patch which fixes one possible vulnerability: - Possible Remote Code Execution when using results with no namespace.
For details and the rationale behind these changes, please consult the corresponding security bulletins: * https://cwiki.apache.org/confluence/display/WW/S2-057 Release notes: * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17 Distribution: * https://dist.apache.org/repos/dist/dev/struts/2.5.17/ Maven 2 staging repository: * https://repository.apache.org/content/repositories/staging/ Once you have had a chance to review the test build, please respond with a vote on its quality: [ ] Leave at test build [ ] Alpha [ ] Beta [ ] General Availability (GA) Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s. This is a "fast-track" release vote. If we have a positive vote after 24 hours (at least three binding +1s and more +1s than -1s), the release may be submitted for mirroring and announced to the usual channels. The website download link will include the mirroring timestamp parameter [1], which limits the selection of mirrors to those that have been refreshed since the indicated time and date. (After 24 hours, we *must* remove the timestamp parameter from the website link, to avoid unnecessary server load.) In the case of a fast-track release, the email announcement will not link directly to <download.cgi>, but to <downloads.html>, so that we can control use of the timestamp parameter. [1] http://apache.org/dev/mirrors.html#use - The Apache Struts group. Regards. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
