[ https://issues.apache.org/jira/browse/WW-4849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154882#comment-16154882 ]

Lukasz Lenart commented on WW-4849:
-----------------------------------

Sorry, I meant: to fix the vulnerability reported in S2-052, you do not have to upgrade the whole framework, just replace the plugin. As far as I understand, the changes in {{ObjectFactory}} prevent you from doing the upgrade of the whole framework.

The changes in {{ObjectFactory}} are related to this https://github.com/apache/struts/pull/153 and I would like to have a better fix than changing the constructor ...

> ObjectFactory constructor signature change breaks extensions
> ------------------------------------------------------------
>
>                 Key: WW-4849
>                 URL: https://issues.apache.org/jira/browse/WW-4849
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.13
>            Reporter: Mitth'raw'nuruodo
>             Fix For: 2.5.14
>
>
> Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}} changed the signature of
> the {{ObjectFactory}} constructor, breaking all classes that extend
> {{ObjectFactory}} (as per https://struts.apache.org/docs/objectfactory.html).
> This affects e.g. the [{{guice-servlet}} Struts plugin|https://github.com/google/guice/blob/master/extensions/struts2/src/com/google/inject/struts2/Struts2Factory.java].
> This was not listed on the [2.5.13 version
> notes|https://struts.apache.org/docs/version-notes-2513.html] as a breaking
> change, and breaking changes should preferably be avoided in critical
> security updates.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)