[ https://issues.apache.org/jira/browse/WW-4849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154843#comment-16154843 ]

Lukasz Lenart commented on WW-4849:
-----------------------------------

You can always just drop in the plugin itself, you do not need to upgrade the 
whole framework (we must release the whole framework just because there is no 
way to release a plugin itself). Also the plugin breaks backward compatibility 
anyway as there was no other way to fix the vulnerability.

> ObjectFactory constructor signature change breaks extensions
> ------------------------------------------------------------
>
>                 Key: WW-4849
>                 URL: https://issues.apache.org/jira/browse/WW-4849
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.13
>            Reporter: Mitth'raw'nuruodo
>
> Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}} changed the signature of 
> the {{ObjectFactory}} constructor, breaking all classes that extend 
> {{ObjectFactory}} (as per https://struts.apache.org/docs/objectfactory.html). 
> This affects e.g. the [{{guice-servlet}} Struts plugin|https://github.com/google/guice/blob/master/extensions/struts2/src/com/google/inject/struts2/Struts2Factory.java].
> This was not listed on the [2.5.13 version 
> notes|https://struts.apache.org/docs/version-notes-2513.html] as a breaking 
> change, and breaking changes should preferably be avoided in critical 
> security updates.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)