Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
2017-09-05 15:17 GMT+02:00 Lukasz Lenart :
> - S2-052 Possible Remote Code Execution attack when using the Struts REST 
> plugin with XStream handler to handle XML payloads
> http://struts.apache.org/docs/s2-050.html

It's supposed to be http://struts.apache.org/docs/s2-052.html


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.13 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains fixes for the following potential security
vulnerabilities:

- S2-050 A regular expression Denial of Service when using
URLValidator (similar to S2-044 & S2-047)
http://struts.apache.org/docs/s2-050.html
- S2-051 A remote attacker may create a DoS attack by sending crafted
xml request when using the Struts REST plugin
http://struts.apache.org/docs/s2-051.html
- S2-052 Possible Remote Code Execution attack when using the Struts
REST plugin with XStream handler to handle XML payloads
http://struts.apache.org/docs/s2-050.html

Besides the above, this release also contains several improvements, just
to mention a few of them:

- Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is
ignored, Numeric Keys will work and mapped
- NP with TextProvider and wildcardmapping
- Threads get blocked due to unnecessary synchronization in OgnlRuntime
- Default Multipart validation regex is invalid
- Not fully initialized ObjectFactory tries to create beans
- http://struts.apache.org/dtds/struts-2.5.dtd missing
- Set a global resource bundle in class
- Override TextProvider does not work in struts 2.5.12
- Array-of-null parameters are converted to string “null”
- JakartaStreamMultiPartRequest Should Honor “struts.multipart.maxSize”
- Build Fails Due to Unused com.sun Import
- Struts2.5.12 - NPE in DeligatingValidatorContext
- Struts 2 Fails to Initialize with JRebel
- Allow define more than one Action suffix
- Remove jQuery from debugging interceptor views
- update dependencies page on the struts site
- Improve RegEx used to validate URLs
- Make REST ContentHandlers configurable
- expose Freemarker incompatible_improvements into FreemarkerManager
and StrutsBeansWrapper
- Upgrade Commons Collections to 3.2.2
- Upgrade Commons IO to 2.5
- Upgrade to ASM version 5.2
- Upgrade to OGNL 3.1.15
- Upgrade xstream to the latest version
- Upgrade to struts-master 11

Please read the Version Notes to find more details about performed bug
fixes and improvements.
http://struts.apache.org/docs/version-notes-2513.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


[ANNOUNCE] Apache Qpid Proton-J 0.21.0 released

2017-09-05 Thread Robbie Gemmell
The Apache Qpid (http://qpid.apache.org) community is pleased to announce
the immediate availability of Apache Qpid Proton-J 0.21.0.

Apache Qpid Proton-J is a messaging library for the Advanced Message Queuing
Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org). It can be used
in a wide range of messaging applications including brokers, clients,
routers, bridges, proxies, and more.

The release is available now from our website:
http://qpid.apache.org/download.html

Binaries are also available via Maven Central:
http://qpid.apache.org/maven.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-proton-j-0.21.0/release-notes.html

Thanks to all involved,
Robbie


[ANNOUNCE] Apache Olingo 4.4.0 has been released

2017-09-05 Thread Christian Amend
Hello,

We announce that Apache Olingo 4.4.0 has been released.

This is the second stable Olingo release version for OData Version 4
(see specification [1] and new features [2]).

This release is available for download:
http://olingo.apache.org/doc/odata4/download.html
New tutorials and documentation are also available:
http://olingo.apache.org/doc/odata4/index.html
Also available in the central Maven repository:
http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.apache.olingo%22%20AND%20v%3A%224.4.0%22

If you would like to get involved please write to: 
Or subscribe to our mailing list: http://olingo.apache.org/support.html

Apache Olingo is a Java library which enables developers to
implement OData service providers (server) and consumers (clients).

The Open Data Protocol (OData, http://www.odata.org/) is an open protocol
to allow the creation and consumption of queryable and interoperable
RESTful APIs in a simple and standard way.


[1]: http://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html
[2]: http://docs.oasis-open.org/odata/new-in-odata/v4.0/cn01/new-in-odata-v4.0-cn01.html

Release Notes - Olingo - Version 4.4.0
---
Link: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12314520=12338257

Bug
[OLINGO-753] - URIUtils.buildFunctionInvokeURI() build a wrong uri
when the uri parameter contains /$count
[OLINGO-917] - $entity request with $select system option always fails to parse
[OLINGO-975] - Olingo client sends incorrect types for collection members
[OLINGO-1008] - Metadata Parser is unable to parse external references
of Microsoft dynamics CRM Odata metadata
[OLINGO-1033] - V4: @odata.type annotation incorrect for primitive types
[OLINGO-1046] - Whitespaces in functions not allowed
[OLINGO-1058] - OData V4.0: NextLink Support in streaming to enable
server side pagination
[OLINGO-1064] - ComplexType is deserialized as Primitive Type if the
value is NULL
[OLINGO-1073] - Collections with derived complex types - wrong odata.type
[OLINGO-1076] - Validating Query Options for correct syntax
[OLINGO-1080] - Support Entity Iterator in batch
[OLINGO-1083] - OData V4 Singleton has EntityType instead of Type
attribute in XML metadata
[OLINGO-1102] - ODataErrorResponseChecker.checkResponse(...) not
return detail error message for ODataServerErrorException
[OLINGO-1104] - NavigationLink missing from JSON with expand and metadata=full
[OLINGO-1107] - UriDecoder should use java.net.URLDecoder
[OLINGO-] - EntityResponse's location building not taking
property's facets in to consideration
[OLINGO-1112] - Compound Key not handled correctly EntityResponse
[OLINGO-1132] - Type information is lost when primitive properties
with null value is updated
Improvement
[OLINGO-846] - Flexible URL parsing for System Query Options
[OLINGO-1028] - V4: $filter statements on navigation properties
[OLINGO-1099] - Refactor the V4 $levels implementation
New Feature
[OLINGO-1059] - OData V4.0: Cross Service EDM
[OLINGO-1077] - OData V4.0: EntityIterator count support
Task
[OLINGO-1171] - V4: Build 4.4.0 release
Test
[OLINGO-1106] - Custom Query options in batch request

Best Regards,
Christian


Success at Apache: Lowering Barriers to Open Innovation

2017-09-05 Thread Sally Khudairi
[this announcement is available online at https://s.apache.org/dAlg ]

By Luke Han

Over the past decade, I was a Java developer using many Apache projects
such as Tomcat, Jakarta, Struts, and Velocity. In 2010 I stepped into
the Big Data field and started to actively participate in Apache
projects, and became an ASF Member 5 years ago. In addition to being the
VP of Apache Kylin, I helped projects such as Apache Eagle and
CarbonData move to the ASF, and have been a mentor for Apache Superset,
Weex, and RocketMQ. Today, I'm co-founder/CEO of Kyligence (prior to
that, I was Big Data Product Lead of eBay, and Chief Consultant of
Actuate China).

Apache Kylin, as its name may suggest, originated from China ("Kylin": A
powerful yet gentle fire-breathing creature in eastern mythology. Also
written as Qilin. "Apache Kylin": OLAP on Hadoop, capable of analyzing
petabytes of data within seconds http://kylin.apache.org/ ). I started
this project with a few members in early 2015. 

As a pioneer of the first highly-recognized Apache project from the
Eastern world, I was proud to see that, within 2 years, Kylin has helped
over 500 organizations across the globe to solve their Big Data
challenges. 

Before Kylin graduated from the Apache Incubator, the Kylin team faced a
lot of cultural challenges. Since a great number of projects from China
had failed in the past, we too received many questions and doubts from
both eastern and western worlds. As our native language is not English,
communication with mentors did become difficult during the coaching
process. Fortunately, by fully embracing The Apache Way, Kylin is able
to succeed with strong support from the Apache community members. Much
more beyond the Kylin software, our team has also worked with those
talented people in a way to spread our Chinese voice to the world. 

While developing high-quality software, we are engaging more Westerners
to understand the Eastern culture. I had many chances to travel and meet
people across the globe since I initiated Kylin. Some of them are Apache
directors and mentors, some of them are developers and contributors.
Some are from US, Australia, Canada and Chile; some are from Japan and
Taiwan. Some are impressed with Kylin, some are curious about
Easterners’ attitude toward Open Source software. I asked them a lot of
questions about The Apache Way, and they all generously coached me and
my team with lovely and detailed answers. We too could reach consensuses
after intensive and open arguments. Kylin received much more
encouragement and recognition than I expected.

As a VP of a Top-Level Project, my responsibility grew after Kylin
graduated from the Apache Incubator. Kylin faced more opportunities as
it has been bug-fixed quickly and tested frequently, with the nature of
an Open Source software. In China's well-known big market,
Apache Kylin has received many users’ feedback and evolved fast. We
received many suggestions from both developers’ perspective and
products’ perspective. Beyond my expectation, many community members are
passionately writing tools for Kylin and helping users better understand
and use Kylin. Assembling members’ ideas, we are also sharing our
knowledge as a way to give back to the community. 

Thanks to ASF and everyone involved in the Open Source community, I have
the opportunity to work with people that I’ve always admired and make a
difference in the world all together. I feel I and my team are deeply
connected with such warm, global, open community.

= = =

"Success at Apache" is a monthly blog series that focuses on the
processes behind why the ASF "just works".
1) Project Independence https://s.apache.org/CE0V
2) All Carrot and No Stick https://s.apache.org/ykoG
3) Asynchronous Decision Making https://s.apache.org/PMvk
4) Rule of the Makers https://s.apache.org/yFgQ
5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM
6) Meritocracy and Me https://s.apache.org/tQQh
7) Learning to Build a Stronger Community https://s.apache.org/x9Be
8) Meritocracy. https://s.apache.org/DiEo
