[VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Lukasz Lenart
The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0
and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are
now available. They provide multipart parser implementations to fix
the latest critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on
Jakarta plugin

For details and the rationale behind these changes, please consult the
corresponding security bulletins:
* https://cwiki.apache.org/confluence/display/WW/S2-045
* https://cwiki.apache.org/confluence/display/WW/S2-046

Release notes:
* https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md
* https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/struts-extras/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote within
24 hours (at least three binding +1s and more +1s than -1s), the
release may be submitted for mirroring and announced to the usual
channels.

The website download link will include the mirroring timestamp
parameter [1], which limits the selection of mirrors to those that
have been refreshed since the indicated time and date. (After 24
hours, we *must* remove the timestamp parameter from the website link,
to avoid unnecessary server load.) In the case of a fast-track
release, the email announcement will not link directly to
<download.cgi>, but to <downloads.html>, so that we can control use of
the timestamp parameter.

[1] http://apache.org/dev/mirrors.html#use

- The Apache Struts group.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Lukasz Lenart
2017-03-20 9:25 GMT+01:00 Lukasz Lenart <[hidden email]>:
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 (binding)


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Greg Huber
In reply to this post by Lukasz Lenart
They build OK, although the version is 1.1.  The upload still works after
applying them to a v2.5.10 /lib folder.

struts2-secure-jakarta-multipart-parser-plugin-1.1-SNAPSHOT.jar
struts2-secure-jakarta-stream-multipart-parser-plugin-1.1-SNAPSHOT.jar

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)

On 20 March 2017 at 08:25, Lukasz Lenart <[hidden email]> wrote:

> The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0
> and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are
> now available. They provide multipart parser implementations to fix
> the latest critical security vulnerability:
>
> - Possible Remote Code Execution when performing file upload based on
> Jakarta plugin
>
> For details and the rationale behind these changes, please consult the
> corresponding security bulletins:
> * https://cwiki.apache.org/confluence/display/WW/S2-045
> * https://cwiki.apache.org/confluence/display/WW/S2-046
>
> Release notes:
> * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md
> * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/struts-extras/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> This is a "fast-track" release vote. If we have a positive vote within
> 24 hours (at least three binding +1s and more +1s than -1s), the
> release may be submitted for mirroring and announced to the usual
> channels.
>
> The website download link will include the mirroring timestamp
> parameter [1], which limits the selection of mirrors to those that
> have been refreshed since the indicated time and date. (After 24
> hours, we *must* remove the timestamp parameter from the website link,
> to avoid unnecessary server load.) In the case of a fast-track
> release, the email announcement will not link directly to
> <download.cgi>, but to <downloads.html>, so that we can control use of
> the timestamp parameter.
>
> [1] http://apache.org/dev/mirrors.html#use
>
> - The Apache Struts group.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Lukasz Lenart
2017-03-20 10:17 GMT+01:00 Greg Huber <[hidden email]>:
> They build OK, although the version is 1.1.  The upload still works after
> applying them to a v2.5.10 /lib folder.

Those plugins are only for specific versions, when you are already on
Struts 2.5.10, you must migrate to Struts 2.5.10.1

https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md#supported-versions
https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md#supported-versions

> struts2-secure-jakarta-multipart-parser-plugin-1.1-SNAPSHOT.jar
> struts2-secure-jakarta-stream-multipart-parser-plugin-1.1-SNAPSHOT.jar

Here you can find the JARs under vote
https://dist.apache.org/repos/dist/dev/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/
https://dist.apache.org/repos/dist/dev/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Christoph Nenning
In reply to this post by Lukasz Lenart
[ ] Leave at test build
[ ] Alpha
[ ] Beta
[X] General Availability (GA)


+1, binding

When I pull them in my project they are actually handling uploads.

We should point out on the website that those plugins are available.


Regards,
Christoph


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Lukasz Lenart
2017-03-20 10:40 GMT+01:00 Christoph Nenning <[hidden email]>:
> We should point out on the website that those plugins are available.

Yes, I will update the website when the vote is done.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Lukasz Lenart
In reply to this post by Lukasz Lenart
This vote already got 3x +1 (binding) votes but I'm going to wait a
bit to see if there are no objections to push out the releases.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2017-03-20 9:25 GMT+01:00 Lukasz Lenart <[hidden email]>:

> The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0
> and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are
> now available. They provide multipart parser implementations to fix
> the latest critical security vulnerability:
>
> - Possible Remote Code Execution when performing file upload based on
> Jakarta plugin
>
> For details and the rationale behind these changes, please consult the
> corresponding security bulletins:
> * https://cwiki.apache.org/confluence/display/WW/S2-045
> * https://cwiki.apache.org/confluence/display/WW/S2-046
>
> Release notes:
> * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md
> * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/struts-extras/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> This is a "fast-track" release vote. If we have a positive vote within
> 24 hours (at least three binding +1s and more +1s than -1s), the
> release may be submitted for mirroring and announced to the usual
> channels.
>
> The website download link will include the mirroring timestamp
> parameter [1], which limits the selection of mirrors to those that
> have been refreshed since the indicated time and date. (After 24
> hours, we *must* remove the timestamp parameter from the website link,
> to avoid unnecessary server load.) In the case of a fast-track
> release, the email announcement will not link directly to
> <download.cgi>, but to <downloads.html>, so that we can control use of
> the timestamp parameter.
>
> [1] http://apache.org/dev/mirrors.html#use
>
> - The Apache Struts group.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Stefaan Dutry-2
[ ] Leave at test build
[ ] Alpha
[ ] Beta
[X] General Availability (GA)

Could it be that there's 2 typos in the README.md of
struts2-secure-jakarta-stream-multipart-parser-plugin:
  * supported verions: versions 2.5.20 till 2.5.5
  * double '-' in artifactid inside POM snippet

https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md

Regards,

Stefaan Dutry (sdutry)


2017-03-20 11:02 GMT+01:00 Lukasz Lenart <[hidden email]>:

> This vote already got 3x +1 (binding) votes but I'm going to wait a
> bit to see if there are no objections to push out the releases.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2017-03-20 9:25 GMT+01:00 Lukasz Lenart <[hidden email]>:
>> The Apache Struts Extras Secure Jakarta Multipart parser plugin 1.0
>> and Secure Jakarta Stream Multipart parser plugin 1.0 test builds are
>> now available. They provide multipart parser implementations to fix
>> the latest critical security vulnerability:
>>
>> - Possible Remote Code Execution when performing file upload based on
>> Jakarta plugin
>>
>> For details and the rationale behind these changes, please consult the
>> corresponding security bulletins:
>> * https://cwiki.apache.org/confluence/display/WW/S2-045
>> * https://cwiki.apache.org/confluence/display/WW/S2-046
>>
>> Release notes:
>> * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-multipart-parser-plugin/README.md
>> * https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
>>
>> Distribution:
>> * https://dist.apache.org/repos/dist/dev/struts/struts-extras/
>>
>> Maven 2 staging repository:
>> * https://repository.apache.org/content/repositories/staging/
>>
>> Once you have had a chance to review the test build, please respond
>> with a vote on its quality:
>>
>> [ ] Leave at test build
>> [ ] Alpha
>> [ ] Beta
>> [ ] General Availability (GA)
>>
>> Everyone who has tested the build is invited to vote. Votes by PMC
>> members are considered binding. A vote passes if there are at least
>> three binding +1s and more +1s than -1s.
>>
>> This is a "fast-track" release vote. If we have a positive vote within
>> 24 hours (at least three binding +1s and more +1s than -1s), the
>> release may be submitted for mirroring and announced to the usual
>> channels.
>>
>> The website download link will include the mirroring timestamp
>> parameter [1], which limits the selection of mirrors to those that
>> have been refreshed since the indicated time and date. (After 24
>> hours, we *must* remove the timestamp parameter from the website link,
>> to avoid unnecessary server load.) In the case of a fast-track
>> release, the email announcement will not link directly to
>> <download.cgi>, but to <downloads.html>, so that we can control use of
>> the timestamp parameter.
>>
>> [1] http://apache.org/dev/mirrors.html#use
>>
>> - The Apache Struts group.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Lukasz Lenart
2017-03-20 11:36 GMT+01:00 Stefaan Dutry <[hidden email]>:
> Could it be that there's 2 typos in the README.md of
> struts2-secure-jakarta-stream-multipart-parser-plugin:
>   * supported verions: versions 2.5.20 till 2.5.5
>   * double '-' in artifactid inside POM snippet
>
> https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md

Thanks, fixed!


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: [VOTE][FASTTRACK] Apache Struts Extras - Multipart parser plugins 1.0

Johannes Geppert-3
[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)

+1 (binding)

Best Regards

Johannes

#################################################
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep

2017-03-20 11:40 GMT+01:00 Lukasz Lenart <[hidden email]>:

> 2017-03-20 11:36 GMT+01:00 Stefaan Dutry <[hidden email]>:
> > Could it be that there's 2 typos in the README.md of
> > struts2-secure-jakarta-stream-multipart-parser-plugin:
> >   * supported verions: versions 2.5.20 till 2.5.5
> >   * double '-' in artifactid inside POM snippet
> >
> > https://github.com/apache/struts-extras/blob/master/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
>
> Thanks, fixed!
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>