List: struts-dev
Subject: [struts-site] branch master updated: Update site for S2-058
From: rgielen () apache ! org
Date: 2019-08-15 7:52:05
Message-ID: 156585552501.12476.5756102053244202890 () gitbox ! apache ! org
This is an automated email from the ASF dual-hosted git repository.
rgielen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/master by this push:
new 7f8994e Update site for S2-058
7f8994e is described below
commit 7f8994e6f1f4993bbe63bc32a055cac91342ece0
Author: Rene Gielen <rene.gielen@gmail.com>
AuthorDate: Thu Aug 15 09:51:43 2019 +0200
Update site for S2-058
---
source/announce.md | 19 +++++++++++++++++++
source/index.html | 8 ++++++++
2 files changed, 27 insertions(+)
diff --git a/source/announce.md b/source/announce.md
index 66f8957..c23fa36 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -13,6 +13,25 @@ title: Announcements 2019
Skip to: <a href="announce-2018.html">Announcements - 2018</a>
</p>
+#### 15 August 2019 - Security Advice: Announcing corrected affected version ranges \
in historic Apache Struts security bulletins and CVE entries {#a20190815} +
+The Apache Struts Security team would like to announce that a number of historic \
[Struts Security Bulletins](https://cwiki.apache.org/confluence/display/WW/Security+Bulletin) \
and related CVE database entries contained incorrect affected release version ranges. \
+ +The issue was reported by Christopher Fearon and the Black Duck Research Team \
within the Synopsys Cybersecurity Research Center. The reporting entity conducted \
thorough investigations on this matter, leading to a report to the Apache Struts \
Security Team. The Apache Struts Security Team worked with the reporters to \
cross-check said issues and map them to affected Apache Struts General Availability \
(GA) releases. +
+This effort led to the issue of Struts Security Bulletin S2-058, referencing 15 \
historic Struts Security Bulletins and [respective CVE \
entries](https://github.com/CVEProject/cvelist/pull/2423/files) that have been \
updated to reflect corrections in affected GA version ranges as well as minimum GA \
versions to contain appropriate fixes for the issues at hand. +
+The full Security Bulletin can be found here:
+
+[Apache Struts Security Buletin \
S2-058](https://cwiki.apache.org/confluence/display/WW/S2-058) +
+The Struts Security Team stresses that while the reporters reference more affected \
issues and resulting affected version ranges, the Struts Security Bulletins only \
cover GA versions designated for production use. This led to less corrected Security \
Bulletins and CVE entries compared to the number of covered issues in the original \
report. +
+It is very important to understand that while the individual listed bulletins \
contain updated minimum fix versions, it is strongly recommended to update to the \
version recommended by the latest Security Bulletin, which is \
[S2-057](https://cwiki.apache.org/confluence/display/WW/S2-057) by the time of this \
announcement. Following this advice, the recommended minimum Struts versions to \
operate in production are Struts 2.3.35 or Struts 2.5.17. +
+The Apache Struts Security Team would like to thank the reporters for their efforts \
and their practice of responsible disclosure, as well as their help while \
investigating the report and coordinating public disclosure. +
+
#### 14 January 2019 - Struts 2.5.20 General Availability {#a20190114}
The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a \
"General Availability"
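Review bot: The bulletin link text in this hunk misspells "Bulletin" as "Buletin" ("[Apache Struts Security Buletin S2-058](...)"); fix the typo before publishing, since that anchor text is what readers will search for. Two smaller wording points in the same hunk: "This led to less corrected Security Bulletins and CVE entries" should read "fewer corrected Security Bulletins and CVE entries", and "led to the issue of Struts Security Bulletin S2-058" reads more naturally as "led to the issuance of". Finally, the closing advice names "Struts 2.3.35 or Struts 2.5.17" as the recommended minimum production versions, while the very next entry on this page announces Struts 2.5.20 as GA; consider phrasing it as "at least 2.3.35 or 2.5.17" or pointing to the current GA so a reader does not take 2.5.17 as the target to install.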
diff --git a/source/index.html b/source/index.html
index 6084881..46636c3 100644
--- a/source/index.html
+++ b/source/index.html
@@ -66,6 +66,14 @@ title: Welcome to the Apache Struts project
</p>
</div>
<div class="column col-md-4">
+ <h2>Security Advice S2-058 released</h2>
+ <p>
+ A number of historic Struts Security Bulletins and related CVE database \
entries contained incorrect affected release version ranges. + Read more \
in + <a href="announce#a20190815">Announcement</a>
+ </p>
+ </div>
+ <div class="column col-md-4">
</div>
</div>
</div>
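Review bot: The new front-page link uses `href="announce#a20190815"` with no `.html` suffix, whereas the announcement page in the other hunk links with an explicit extension (`<a href="announce-2018.html">`); unless the site relies on extension-less URL resolution, this should be `href="announce.html#a20190815"` to match existing links and avoid a broken anchor. Also note that the hunk inserts a fresh `<div class="column col-md-4">` immediately before the pre-existing column's `</div>`, leaving an empty column div behind the new one; if that empty placeholder is not needed for the grid layout, it would be cleaner to replace the original empty column rather than add a new one in front of it.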