[jira] [Updated] (VELTOOLS-171) Remove Struts dependency

[Sergiu Dumitriu (JIRA)]

     [ 
https://issues.apache.org/jira/browse/VELTOOLS-171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sergiu Dumitriu updated VELTOOLS-171:
-------------------------------------
    Summary: Remove Struts dependency  (was: Upgrade to supported, secure 
version of Struts)

> Remove Struts dependency
> ------------------------
>
>                 Key: VELTOOLS-171
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-171
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityStruts
>    Affects Versions: 2.0, 2.0.x, 2.x
>            Reporter: Aaron Katz
>            Assignee: Claude Brisson
>            Priority: Major
>              Labels: security
>             Fix For: 3.0
>
>
> *Please upgrade struts to a supported, secure version*.  At this time, that 
> means upgrading to 2.3.32 or 2.5.10.1
> h2. vulnerabilities
> There are publicly known high severity vulnerabilities, including remote code 
> execution vulns, affecting all versions of Struts 2 except the versions cited 
> above.
> * 
> https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aapache&cpe_product=cpe%3a%2f%3a%3astruts&cvss_version=3&cve_id=
> * (details not yet in NVD) 
> https://cwiki.apache.org/confluence/display/WW/S2-045
> h2. support
> Apache struts 1 [reached end of life in the year 
> 2000|https://struts.apache.org/struts1eol-announcement.html], but 
> [VelocityTools depends upon Struts 
> 1.3.8|http://velocity.apache.org/tools/2.0/dependencies.html].
> When vulnerabilities are discovered in unsupported software, the industry 
> standard response is "you need to patch to a supported version."  If you get 
> too far behind in patch levels, then it may be very difficult to upgrade due 
> to broken backwards compatibility.  
> Furthermore, when vulnerabilities are discovered in supported software, there 
> is no industry standard for determining if it affects unsupported versions.  
> It's entirely possible that there are known vulnerabilities that affect the 
> unsupported Struts 1.3.8 required by Velocity, and nobody will know until 
> they're breached.  On the other hand, when there's a supported major version, 
> it's a de-facto industry standard to announce all supported versions that are 
> affected.  This means that staying on a supported version increases the 
> chances of seeing vulnerability announcements for vulns that affect Velocity. 
>  It also means that staying on an unsupported version is considered 
> equivalent to staying on a known vulnerable version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org