[Stripes-users] Stripes 1.5.8
Hi!

I saw that a few tracked issues have been resolved lately and only a couple remain to be addressed in 1.5.8, so I'm starting to wonder: is there a plan for a release?

Also, I see that a new artifact has been published to Maven Central (1.5.7-classloaderfix); what is that? Should we update our dependencies?

Regards,
Alessio

--
*Alessio Stalla* | Software Architect
M: +39 340 7824743 | T: +39 010 566441 | F: +39 010 8900455
alessio.sta...@manydesigns.com | www.manydesigns.com
MANYDESIGNS s.r.l.
Via G. D'Annunzio, 2/51 | 16121 Genova (GE) | Italy

--
Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free.
http://p.sf.net/sfu/SauceLabs
___
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
Re: [Stripes-users] Stripes 1.5.8
Hi Alessio, Stripers,

Yeah, we've been trying to resolve a few pending issues, and we're close to a 1.5.8. You can already try the 1.5.8-SNAPSHOT version in case you wanna make sure the upgrade doesn't introduce regressions.

There ain't no official release date though: releasing to Maven is easy, but the full monty is another story (publishing to sf.net, regenerating the docs and updating the website, etc.), that's why it may take a little time to prepare all this.

I'll send a separate email about 1.5.7-classloaderfix right now.

Cheers
Rémi

2014-04-29 9:32 GMT+02:00 Alessio Stalla <alessio.sta...@manydesigns.com>:
> [...]
[Stripes-users] Vulnerability in Stripes
Hi all,

Fellow Stripers have recently pointed out a pretty scary security flaw in Stripes. Thanks a lot to them for the reports, we all owe you guys!

In short, it's about using Data Binding to manipulate the application's ClassLoader, and allows an attacker to execute random code on the server, or DoS it. Pretty bad stuff to say the least... It's been discovered first in Struts, and applies to Stripes too. It affects all released versions.

Some info: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094

If you use @StrictBinding+@Validate everywhere (which you should do anyway, classLoader manipulation or not), then you're safe: binding to getClass().getClassLoader() will be denied. If you don't, then you don't expose your data only: you have this classLoader manipulation problem too.

Ben has fixed this bug for 1.5.8-SNAPSHOT and 1.6.0-SNAPSHOT, so future releases will be safe.
https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a

We have released a hotfix over 1.5.7:
http://repo1.maven.org/maven2/net/sourceforge/stripes/stripes/1.5.7-classloaderfix/

    <dependency>
        <groupId>net.sourceforge.stripes</groupId>
        <artifactId>stripes</artifactId>
        <version>1.5.7-classloaderfix</version>
    </dependency>

It's just a 1.5.7 rebuilt with Ben's fix for the classLoader issue. It is a private, implementation fix (no API changed), so there should be no regressions.

We encourage everybody to upgrade ASAP.

Cheers
Rémi - on behalf of the dev. team.
Re: [Stripes-users] [Stripes-dev] Vulnerability in Stripes
I have one thing to add. While it would be best to upgrade to this hotfix release for now, if you can't do that and you're on Stripes 1.5.x and you're not already using @StrictBinding then you can add this annotation to your base ActionBean(s) to mitigate the issue.

    @StrictBinding(defaultPolicy = Policy.ALLOW, deny = { "class.**", "**.class.**" })

This will prevent access to the class loader via the class property. If there are other paths to the class loader, they can be addressed similarly.

-Ben

On Tue, Apr 29, 2014 at 6:51 AM, VANKEISBELCK Remi <r...@rvkb.com> wrote:
> [...]
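As an added illustration (not code from this thread or from the Stripes project), the two mitigations described above placed side by side in one application: a hypothetical BaseActionBean that carries Ben's deny patterns while keeping the permissive default, and a hypothetical ProfileActionBean that takes Rémi's stricter route and relies on @StrictBinding's default DENY policy, under which only properties annotated with @Validate (or @ValidateNestedProperties) are bound at all. The package, class and field names and the JSP path are assumptions; the annotations and their attributes are the real Stripes ones.

```java
package com.example.web; // hypothetical package

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.StrictBinding.Policy;
import net.sourceforge.stripes.validation.Validate;

/**
 * Stop-gap for applications that cannot yet move to 1.5.7-classloaderfix:
 * keep the permissive ALLOW default so existing forms keep working, but
 * refuse any binding expression that reaches a "class" property, either at
 * the root ("class.classLoader...") or nested anywhere ("user.class...").
 * Every ActionBean in the application should extend this hypothetical base.
 */
@StrictBinding(defaultPolicy = Policy.ALLOW, deny = { "class.**", "**.class.**" })
public abstract class BaseActionBean implements ActionBean {
    private ActionBeanContext context;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
}

/**
 * The stronger form recommended in the thread: @StrictBinding with its
 * default policy (DENY) turns binding into an allow-list. Only displayName
 * and nickname are bindable because they carry @Validate; a request parameter
 * such as class.classLoader.anything matches nothing that is allowed and is
 * dropped before it can touch the bean. The class-level annotation here
 * replaces the one inherited from BaseActionBean.
 */
@StrictBinding
class ProfileActionBean extends BaseActionBean {

    @Validate(required = true, maxlength = 64)
    private String displayName;

    // mask is a regular expression the whole value must match
    @Validate(mask = "[a-z0-9_]{3,32}")
    private String nickname;

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }

    public String getNickname() { return nickname; }
    public void setNickname(String nickname) { this.nickname = nickname; }

    @DefaultHandler
    public Resolution view() {
        // hypothetical view path
        return new ForwardResolution("/WEB-INF/jsp/profile.jsp");
    }
}
```

The deny-pattern base class is the quick fix for a large code base that binds many unannotated properties; the allow-list bean is the shape to converge on, because it protects against any future gadget property, not just "class". Neither replaces the dependency upgrade: the commit linked in Rémi's message closes the path inside the framework itself, and the annotations then act as defence in depth.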