2018-03-30 12:39 GMT+02:00 song6...@gmail.com <song6...@gmail.com>:
> Hi Lukasz,
> Sorry, I pasted the wrong CVE identifier in the subject; the CVE I want to check is
> CVE-2018-1327 (S2-056, Affected Software, Struts 2.1.1 - Struts 2.5.14.1).
>
> Actually, my application doesn't even have Struts REST plugin jars in its
> package. But it seems one of my big customers has very strict security policies:
> they found there's Struts 2.3.x in my application, and there's a vulnerability
> in the Struts jars, so their security operation team requests to shut down the
> application server before this gets fixed.
>
> So I want to check: is there any plan for 2.3.x releases?

I didn't plan a new version of 2.3.x as this can be easily fixed, and also if you do not use the mentioned plugin it doesn't make sense to upgrade.

The problem is that we are not able to build 2.3.x on Jenkins as Java 1.6 isn't supported, so my idea was to switch to 2.4.x with Java 7 as a requirement.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/