Quantcast

[ANN] [SECURITY] Struts Extras secure Multipart plugins GA

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[ANN] [SECURITY] Struts Extras secure Multipart plugins GA

Lukasz Lenart
The Apache Struts group is pleased to announce that the Apache Struts
2 Secure Jakarta Multipart parser plugin and Apache Struts 2 Secure
Jakarta Stream Multipart parser plugin are available as a “General
Availability” release. The GA designation is our highest quality
grade.

These releases address one critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on
Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638)

http://struts.apache.org/docs/s2-045.html
http://struts.apache.org/docs/s2-046.html

Those plugins were released to allow users running older versions of
the Apache Struts secure their applications in easy way. You don’t
have to migrate to the latest version (which is still preferable) but
by applying one of those plugins, your application won’t be vulnerable
anymore.

It is a drop-in installation, just select a proper jar file and copy
it to WEB-INF/lib folder. Please read the README
(https://github.com/apache/struts-extras) for more details and
supported Apache Struts versions.

All developers are strongly advised to perform this action.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download those plugins from our download page.
http://struts.apache.org/download.cgi#struts-extras


Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [ANN] [SECURITY] Struts Extras secure Multipart plugins GA

Paweł Wielgus
This is fantastic news!
And also shows how serious and thoughtful your work is.
--
Pozdrawiam,
Paweł Wielgus.
tel: +48 604 603 546


2017-03-20 14:38 GMT+01:00 Lukasz Lenart <[hidden email]>:

> The Apache Struts group is pleased to announce that the Apache Struts
> 2 Secure Jakarta Multipart parser plugin and Apache Struts 2 Secure
> Jakarta Stream Multipart parser plugin are available as a “General
> Availability” release. The GA designation is our highest quality
> grade.
>
> These releases address one critical security vulnerability:
>
> - Possible Remote Code Execution when performing file upload based on
> Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638)
>
> http://struts.apache.org/docs/s2-045.html
> http://struts.apache.org/docs/s2-046.html
>
> Those plugins were released to allow users running older versions of
> the Apache Struts secure their applications in easy way. You don’t
> have to migrate to the latest version (which is still preferable) but
> by applying one of those plugins, your application won’t be vulnerable
> anymore.
>
> It is a drop-in installation, just select a proper jar file and copy
> it to WEB-INF/lib folder. Please read the README
> (https://github.com/apache/struts-extras) for more details and
> supported Apache Struts versions.
>
> All developers are strongly advised to perform this action.
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.
>
> You can download those plugins from our download page.
> http://struts.apache.org/download.cgi#struts-extras
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...