Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release
2017-09-05 15:17 GMT+02:00 Lukasz Lenart:
> - S2-052 Possible Remote Code Execution attack when using the Struts REST
> plugin with XStream handler to handle XML payloads
> http://struts.apache.org/docs/s2-050.html

It's supposed to be http://struts.apache.org/docs/s2-052.html

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.13 GA with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.5.13 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains fixes for the following potential security vulnerabilities:

- S2-050 A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)
  http://struts.apache.org/docs/s2-050.html
- S2-051 A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin
  http://struts.apache.org/docs/s2-051.html
- S2-052 Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
  http://struts.apache.org/docs/s2-050.html

Apart from the above, this release also contains several improvements; to mention a few of them:

- Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped
- NP with TextProvider and wildcardmapping
- Threads get blocked due to unnecessary synchronization in OgnlRuntime
- Default Multipart validation regex is invalid
- Not fully initialized ObjectFactory tries to create beans
- http://struts.apache.org/dtds/struts-2.5.dtd missing
- Set a global resource bundle in class
- Override TextProvider does not work in struts 2.5.12
- Array-of-null parameters are converted to string “null”
- JakartaStreamMultiPartRequest Should Honor “struts.multipart.maxSize”
- Build Fails Due to Unused com.sun Import
- Struts2.5.12 - NPE in DeligatingValidatorContext
- Struts 2 Fails to Initialize with JRebel
- Allow define more than one Action suffix
- Remove jQuery from debugging interceptor views
- Update dependencies page on the struts site
- Improve RegEx used to validate URLs
- Make REST ContentHandlers configurable
- Expose Freemarker incompatible_improvements into FreemarkerManager and StrutsBeansWrapper
- Upgrade Commons Collections to 3.2.2
- Upgrade Commons IO to 2.5
- Upgrade to ASM version 5.2
- Upgrade to OGNL 3.1.15
- Upgrade xstream to the latest version
- Upgrade to struts-master 11

Please read the Version Notes to find more details about performed bug fixes and improvements.
http://struts.apache.org/docs/version-notes-2513.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANNOUNCE] Apache Qpid Proton-J 0.21.0 released
The Apache Qpid (http://qpid.apache.org) community is pleased to announce the immediate availability of Apache Qpid Proton-J 0.21.0.

Apache Qpid Proton-J is a messaging library for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org). It can be used in a wide range of messaging applications including brokers, clients, routers, bridges, proxies, and more.

The release is available now from our website:
http://qpid.apache.org/download.html

Binaries are also available via Maven Central:
http://qpid.apache.org/maven.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-proton-j-0.21.0/release-notes.html

Thanks to all involved,
Robbie
[ANNOUNCE] Apache Olingo 4.4.0 has been released
Hello,

we announce that Apache Olingo 4.4.0 has been released. This is the second stable Olingo release version for OData Version 4 (see specification [1] and new features [2]).

This release is available for download:
http://olingo.apache.org/doc/odata4/download.html

New Tutorials and documentation are also available:
http://olingo.apache.org/doc/odata4/index.html

Available also in central maven repository:
http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.apache.olingo%22%20AND%20v%3A%224.4.0%22

If you would like to get involved please write to:
Or subscribe to our mailing list:
http://olingo.apache.org/support.html

Apache Olingo is a Java library which enables developers to implement OData service providers (server) and consumers (clients). The Open Data Protocol (OData, http://www.odata.org/) is an open protocol to allow the creation and consumption of queryable and interoperable RESTful APIs in a simple and standard way.

[1]: http://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html
[2]: http://docs.oasis-open.org/odata/new-in-odata/v4.0/cn01/new-in-odata-v4.0-cn01.html

Release Notes - Olingo - Version 4.4.0
---
Link: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12314520=12338257

Bug
- [OLINGO-753] - URIUtils.buildFunctionInvokeURI() build a wrong uri when the uri parameter contains /$count
- [OLINGO-917] - $entity request with $select system option always fails to parse
- [OLINGO-975] - Olingo client sends incorrect types for collection members
- [OLINGO-1008] - Metadata Parser is unable to parse external references of Microsoft dynamics CRM Odata metadata
- [OLINGO-1033] - V4: @odata.type annotation incorrect for primitive types
- [OLINGO-1046] - Whitespaces in functions not allowed
- [OLINGO-1058] - OData V4.0: NextLink Support in streaming to enable server side pagination
- [OLINGO-1064] - ComplexType is deserialized as Primitive Type if the value is NULL
- [OLINGO-1073] - Collections with derived complex types - wrong odata.type
- [OLINGO-1076] - Validating Query Options for correct syntax
- [OLINGO-1080] - Support Entity Iterator in batch
- [OLINGO-1083] - OData V4 Singleton has EntityType instead of Type attribute in XML metadata
- [OLINGO-1102] - ODataErrorResponseChecker.checkResponse(...) not return detail error message for ODataServerErrorException
- [OLINGO-1104] - NavigationLink missing from JSON with expand and metadata=full
- [OLINGO-1107] - UriDecoder should use java.net.URLDecoder
- [OLINGO-] - EntityResponse's location building not taking property's facets in to consideration
- [OLINGO-1112] - Compound Key not handled correctly EntityResponse
- [OLINGO-1132] - Type information is lost when primitive properties with null value is updated

Improvement
- [OLINGO-846] - Flexible URL parsing for System Query Options
- [OLINGO-1028] - V4: $filter statements on navigation properties
- [OLINGO-1099] - Refactor the V4 $levels implementation

New Feature
- [OLINGO-1059] - OData V4.0: Cross Service EDM
- [OLINGO-1077] - OData V4.0: EntityIterator count support

Task
- [OLINGO-1171] - V4: Build 4.4.0 release

Test
- [OLINGO-1106] - Custom Query options in batch request

Best Regards,
Christian
Success at Apache: Lowering Barriers to Open Innovation
[this announcement is available online at https://s.apache.org/dAlg ]

By Luke Han

Over the past decade, I was a Java developer using many Apache projects such as Tomcat, Jakarta, Struts, and Velocity. In 2010 I stepped into the Big Data field and started to actively participate in Apache projects, and became an ASF Member 5 years ago. In addition to being the VP of Apache Kylin, I helped projects such as Apache Eagle and CarbonData move to the ASF, and have been a mentor for Apache Superset, Weex, and RocketMQ. Today, I'm co-founder/CEO of Kyligence (prior to that, I was Big Data Product Lead of eBay, and Chief Consultant of Actuate China).

Apache Kylin, as its name may suggest, originated from China ("Kylin": A powerful yet gentle fire-breathing creature in eastern mythology. Also written as Qilin. "Apache Kylin": OLAP on Hadoop, capable of analyzing petabytes of data within seconds http://kylin.apache.org/ ). I started this project with a few members in early 2015. As a pioneer of the first highly-recognized Apache project from the Eastern world, I was proud to see that, within 2 years, Kylin has helped over 500 organizations across the globe to solve their Big Data challenges.

Before Kylin graduated from the Apache Incubator, the Kylin team faced a lot of cultural challenges. Since a great number of projects from China had failed in the past, we too received many questions and doubts from both eastern and western worlds. As our native language is not English, communication with mentors did become difficult during the coaching process. Fortunately, by fully embracing The Apache Way, Kylin is able to succeed with strong support from the Apache community members. Much more beyond the Kylin software, our team has also worked with those talented people in a way to spread our Chinese voice to the world. While developing high-quality software, we are engaging more Westerners to understand the Eastern culture.

I had many chances to travel and meet people across the globe since I initiated Kylin. Some of them are Apache directors and mentors, some of them are developers and contributors. Some are from the US, Australia, Canada and Chile; some are from Japan and Taiwan. Some are impressed with Kylin, some are curious about Easterners’ attitude toward Open Source software. I asked them a lot of questions about The Apache Way, and they all generously coached me and my team with lovely and detailed answers. We could also reach consensus after intensive and open arguments. Kylin received much more encouragement and recognition than I expected.

As a VP of a Top-Level Project, my responsibility grew after Kylin graduated from the Apache Incubator. Kylin faced more opportunities as it has been bug-fixed quickly and tested frequently, by the nature of Open Source software. In China’s well-known, large market, Apache Kylin has received many users’ feedback and evolved fast. We received many suggestions from both the developers’ perspective and the products’ perspective. Beyond my expectation, many community members are passionately writing tools for Kylin and helping users better understand and use Kylin. Assembling members’ ideas, we are also sharing our knowledge as a way to give back to the community.

Thanks to ASF and everyone involved in the Open Source community, I have the opportunity to work with people that I’ve always admired and make a difference in the world all together. I feel that my team and I are deeply connected with such a warm, global, open community.

= = =

"Success at Apache" is a monthly blog series that focuses on the processes behind why the ASF "just works".
1) Project Independence https://s.apache.org/CE0V
2) All Carrot and No Stick https://s.apache.org/ykoG
3) Asynchronous Decision Making https://s.apache.org/PMvk
4) Rule of the Makers https://s.apache.org/yFgQ
5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM
6) Meritocracy and Me https://s.apache.org/tQQh
7) Learning to Build a Stronger Community https://s.apache.org/x9Be
8) Meritocracy. https://s.apache.org/DiEo

# # #