I will release a patched 1.5.7 today instead of mitigating, it'll be even faster.
The code is already fixed, all we need is a little "mvn deploy" basically.
Then people simply rebuild or wait for the central version.
I'm just waiting for a green light from Ben.
Cheers
Rémi
2014-04-27 22:10 GMT+02:00 Timothy Stone <[email protected]>:
> Remi and Ben,
>
> Additionally, Struts provided a "mitigation" in the interim of a
> general release (http://struts.apache.org/announce.html#a20140424).
>
> Prior to a general release such a mitigation would be advisable if
> available.
>
> I'll be leading an effort to patch or upgrade our installations next week.
>
> Regards,
> Tim
>
> On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:
> > Hi folks,
> >
> > I haven't seen any communication about this fix :
> >
> > https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
> >
> > It seems to be a quite ugly security issue actually, same as :
> > http://struts.apache.org/announce.html ClassLoader manipulation ?
> > Holy sh*t ! Running arbitrary code now ? wtf ?
> >
> > Do we plan to release a hot fix for 1.5.7 ? Or release 1.5.8 ?
> >
> > I guess we might also wanna drop an email on the users list. This
> > is something all stripes should be aware of. Good opportunity to
> > recall about @Validate and @StrictBinding, for those who don't use
> > it...
> >
> > Cheers
> >
> > Rémi
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development