-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3579
             Apache Struts 2.3.x End-Of-Life (EOL) Announcement
                              16 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Struts
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin:
   https://struts.apache.org/announce#a20181114

- --------------------------BEGIN INCLUDED TEXT--------------------

The Apache Struts Project Team would like to inform you that the Struts 2.3.x
web framework will reach its end of life in 6 months and will no longer be
officially supported.

https://struts.apache.org/announce#a20181114

This announcement takes place on 2018-11-14, and starting from that date we
will only support Apache Struts 2.3.x in case of security vulnerabilities.
Within that 6-month period you can expect that we do our best to keep the
Struts 2.3.x branch secure, but some of the security-related changes cannot
happen without architectural changes that can affect backward compatibility.
This is what happened with Struts 2.5.x: we introduced some internal changes
to improve the overall security of the framework.

Questions and Answers

With the announcement of Struts 2.3.x EOL, what happens to Struts 2.3.x
resources?

All resources will stay where they are. The documentation will still be
accessible from the Apache Struts homepage, as will the downloads for all
released Struts 2.3.x versions. All of the Struts 2.3.x source code can be
found in the Apache Struts Git repository under the branch support-2-3, now
and in the future. All released Maven artifacts will still be accessible in
Maven Central.

If a major security problem or a serious bug is reported for Struts 2.3.x in
the near future, can we expect a new release with fixes?

Yes, we will continue to support Struts 2.3.x in case of security issues for
the next 6 months; after that time we won't support this branch in any case.

Is there an immediate need to eliminate Struts 2.3.x from my projects?

As far as the Struts team is currently aware, there is no urgent issue posing
an immediate need to eliminate Struts 2.3.x usage from your projects. However,
you should consider migrating to the latest available version, as we stop
supporting this version in 6 months.

We plan to start a new project based on Struts 2.3.x. Can we still do so?

Basically yes, but we would not recommend doing so. As long as no line of code
has been written, it is very easy to select the latest version of Struts 2
instead.

My friends / colleagues and I would like to see Struts 2.3.x being maintained
again. What can we do?

You are free to put effort into Struts 2.3.x. There is basically one
possibility: fork the existing source and support it on your own.

On behalf of the Apache Struts Team
Kind regards

- --
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================