
List:       struts-dev
Subject:    [struts-site] branch master updated: Update site for S2-058
From:       rgielen@apache.org
Date:       2019-08-15 7:52:05
Message-ID: 156585552501.12476.5756102053244202890@gitbox.apache.org

This is an automated email from the ASF dual-hosted git repository.

rgielen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 7f8994e  Update site for S2-058
7f8994e is described below

commit 7f8994e6f1f4993bbe63bc32a055cac91342ece0
Author: Rene Gielen <rene.gielen@gmail.com>
AuthorDate: Thu Aug 15 09:51:43 2019 +0200

    Update site for S2-058
---
 source/announce.md | 19 +++++++++++++++++++
 source/index.html  |  8 ++++++++
 2 files changed, 27 insertions(+)

diff --git a/source/announce.md b/source/announce.md
index 66f8957..c23fa36 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -13,6 +13,25 @@ title: Announcements 2019
   Skip to: <a href="announce-2018.html">Announcements - 2018</a>
 </p>
 
+#### 15 August 2019 - Security Advice: Announcing corrected affected version ranges \
in historic Apache Struts security bulletins and CVE entries {#a20190815} +
+The Apache Struts Security team would like to announce that a number of historic \
[Struts Security Bulletins](https://cwiki.apache.org/confluence/display/WW/Security+Bulletin) \
and related CVE database entries contained incorrect affected release version ranges. \
+ +The issue was reported by Christopher Fearon and the Black Duck Research Team \
within the Synopsys Cybersecurity Research Center. The reporting entity conducted \
thorough investigations on this matter, leading to a report to the Apache Struts \
Security Team. The Apache Struts Security Team worked with the reporters to \
cross-check said issues and map them to affected Apache Struts General Availability \
(GA) releases. +
+This effort led to the issue of Struts Security Bulletin S2-058, referencing 15 \
historic Struts Security Bulletins and [respective CVE \
entries](https://github.com/CVEProject/cvelist/pull/2423/files) that have been \
updated to reflect corrections in affected GA version ranges as well as minimum GA \
versions to contain appropriate fixes for the issues at hand. +
+The full Security Bulletin can be found here:
+
+[Apache Struts Security Buletin \
S2-058](https://cwiki.apache.org/confluence/display/WW/S2-058) +
+The Struts Security Team stresses that while the reporters reference more affected \
issues and resulting affected version ranges, the Struts Security Bulletins only \
cover GA versions designated for production use. This led to less corrected Security \
Bulletins and CVE entries compared to the number of covered issues in the original \
report. + 
+It is very important to understand that while the individual listed bulletins \
contain updated minimum fix versions, it is strongly recommended to update to the \
version recommended by the latest Security Bulletin, which is \
[S2-057](https://cwiki.apache.org/confluence/display/WW/S2-057) by the time of this \
announcement. Following this advice, the recommended minimum Struts versions to \
operate in production are Struts 2.3.35 or Struts 2.5.17. +
+The Apache Struts Security Team would like to thank the reporters for their efforts \
and their practice of responsible disclosure, as well as their help while \
investigating the report and coordinating public disclosure. +
+
 #### 14 January 2019 - Struts 2.5.20 General Availability {#a20190114}
 
 The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a \
                "General Availability"
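Review bot: the link text in the added bulletin reference reads "Apache Struts Security Buletin S2-058"; "Buletin" should be "Bulletin", matching the heading and the rest of the announcement. Also, "This led to less corrected Security Bulletins and CVE entries" should read "fewer corrected Security Bulletins and CVE entries", since bulletins are countable. The heading id {#a20190815} matches the 15 August 2019 date in the heading, so the anchor is consistent with the rest of the page.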
diff --git a/source/index.html b/source/index.html
index 6084881..46636c3 100644
--- a/source/index.html
+++ b/source/index.html
@@ -66,6 +66,14 @@ title: Welcome to the Apache Struts project
         </p>
       </div>
       <div class="column col-md-4">
+        <h2>Security Advice S2-058 released</h2>
+        <p>
+            A number of historic Struts Security Bulletins and related CVE database \
entries contained incorrect affected release version ranges. +            Read more \
in +          <a href="announce#a20190815">Announcement</a>
+        </p>
+      </div>
+      <div class="column col-md-4">
       </div>
     </div>
   </div>
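Review bot: the added teaser ends with "Read more in <a href="announce#a20190815">Announcement</a>" with no closing punctuation, and the bare link text "Announcement" is less descriptive than it could be; consider "Read more in the <a href="announce#a20190815">announcement</a>." The href fragment #a20190815 matches the heading id added in source/announce.md in this same commit, so the link resolves. The new empty <div class="column col-md-4"> opened at the end of the hunk is closed by the existing </div> context line, leaving an empty placeholder column; confirm that is the intended layout rather than a leftover.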

