-
Notifications
You must be signed in to change notification settings - Fork 365
/
Copy pathesapi4java-core-2.2.3.1-release-notes.txt
165 lines (130 loc) · 8.84 KB
/
esapi4java-core-2.2.3.1-release-notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
Release notes for ESAPI 2.2.3.1
Release date: 2021-05-07
Project leaders:
-Kevin W. Wall <kevin.w.wall@gmail.com>
-Matt Seil <matt.seil@owasp.org>
Previous release: ESAPI 2.2.3.0, 2021-03-23
Executive Summary: Important Things to Note for this Release
------------------------------------------------------------
This is a very small patch release with the primary intent of updating some dependencies.
Major changes:
* Restores Apache Commons IO from 1.3.1 (what it was in 2.2.3.0) to 2.6 (what it was in 2.2.2.0).
* Updates AntiSamy from 1.6.2 to 1.6.3
Unless you have already updated to ESAPI 2.2.3.0 and read those release notes, you should read those release notes for additional details. You can find it at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt
That discusses things like security bulletins and other important details that I am not going into for this release.
=================================================================================================================
Basic ESAPI facts
-----------------
ESAPI 2.2.3.1 release (no change since last release):
212 Java source files
4316 JUnit tests in 136 Java source files
3 GitHub Issues closed in this release, including those we've decided not to fix (marked '(wontfix)').
(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2021-03-23)
Issue # GitHub Issue Title
----------------------------------------------------------------------------------------------
614 Potentlial XXE Injection vulnerability in loading XML version of ESAPI properties file
617 Unresolved Reference for com.ibm.uvm.tools in an OSGI Bundle
624 Update pom.xml to use AntiSamy 1.6.3 and Apache Commons IO 2.6
-----------------------------------------------------------------------------
Changes Requiring Special Attention
-----------------------------------------------------------------------------
See this section from the previous release notes at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt
-----------------------------------------------------------------------------
Remaining Known Issues / Problems
-----------------------------------------------------------------------------
See this section from the previous release notes at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt
NEW since last release (ESAPI 2.2.3.0) - CVE-2021-29425
https://nvd.nist.gov/vuln/detail/CVE-2021-29425
-----------------------------------------------------------------------------
Other changes in this release, some of which not tracked via GitHub issues
None known.
-----------------------------------------------------------------------------
Developer Activity Report (Changes between release 2.2.3.0 and 2.2.3.1, i.e., between 2021-03-23 and 2021-05-07)
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
Developer Total Total Number # Merged
(GitHub ID) commits of Files Changed PRs
========================================================
jeremiahjstacey 8 6 1
dependabot 1 1 1
kwwall 7 8 0
========================================================
Total PRs: 2
There were also several snyk-bot PRs that were rejected for various reasons, mostly because 1) I was already making the proposed changes and preferred to do them in single commit or 2) there were other reasons for rejecting them (such as the dependency requiring Java 8). The proposed changes that were not outright rejected were included as part of commit a8a79bc5196653500ce664b7b063284e60bddaa0.
-----------------------------------------------------------------------------
CHANGELOG: Create your own. May I suggest:
git log --stat --since=2021-03-23 --reverse --pretty=medium
which will show all the commits since just after the previous (2.2.3.0) release.
-----------------------------------------------------------------------------
Direct and Transitive Runtime and Test Dependencies:
$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.2.3.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.2.3.1-SNAPSHOT
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
[INFO] +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.2:compile
[INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
[INFO] +- org.owasp.antisamy:antisamy:jar:1.6.3:compile
[INFO] | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | +- org.slf4j:slf4j-simple:jar:1.7.30:compile
[INFO] | +- xerces:xercesImpl:jar:2.12.1:compile
[INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- commons-io:commons-io:jar:2.6:compile
[INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.2.2:compile (optional)
[INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
[INFO] +- commons-codec:commons-codec:jar:1.15:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.68:test
[INFO] +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.7:test
[INFO] | \- org.powermock:powermock-api-support:jar:2.0.7:test
[INFO] +- org.javassist:javassist:jar:3.25.0-GA:test
[INFO] +- org.mockito:mockito-core:jar:2.28.2:test
[INFO] | +- net.bytebuddy:byte-buddy:jar:1.9.10:test
[INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.9.10:test
[INFO] | \- org.objenesis:objenesis:jar:2.6:test
[INFO] +- org.powermock:powermock-core:jar:2.0.7:test
[INFO] +- org.powermock:powermock-module-junit4:jar:2.0.7:test
[INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.7:test
[INFO] +- org.powermock:powermock-reflect:jar:2.0.7:test
[INFO] \- org.openjdk.jmh:jmh-core:jar:1.28:test
[INFO] +- net.sf.jopt-simple:jopt-simple:jar:4.6:test
[INFO] \- org.apache.commons:commons-math3:jar:3.2:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.759 s
[INFO] Finished at: 2021-05-07T01:13:27-04:00
[INFO] ------------------------------------------------------------------------
-----------------------------------------------------------------------------
Acknowledgments:
Another hat tip to Dave Wichers for promptly releasing AntiSamy 1.6.2 and for the PR to fix GitHub issue #614. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
A special thanks to the ESAPI community from the ESAPI project co-leaders:
Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
Matt Seil (xeno6696)