I've been an advocate of not shipping it for some time now. The fact that it's been deprecated and uses such an old version of Dojo should be enough to dissuade usage, IMO, especially now that there's a jQuery-based replacement.
I'd like to see it not ship at all. Dave On Mon, Oct 20, 2014 at 10:49 AM, Markus Fischer <markus.fisc...@knipp.de> wrote: > Hi all. > >>>> According to the Apache Struts 2 Documentation (see >>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two >>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]). > >>> Probably it's a vulnerable version > >> I'd add that since the plugin has been deprecated since S2.1 it's unlikely >> anything was ever done to deal with it. > > Given that the plugin has been deprecated already, does anyone know for > which release the removal is planned? I was not able to find any > documentation regarding a Dojo plugin roadmap. > > Cheers, > Markus > >>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html >>> >>> [2] >>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > -- e: davelnew...@gmail.com m: 908-380-8699 s: davelnewton_skype t: @dave_newton b: Bucky Bits g: davelnewton so: Dave Newton --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
