|
| 1 | +Release notes for ESAPI 2.2.3.1 |
| 2 | + Release date: 2021-05-07 |
| 3 | + Project leaders: |
| 4 | + -Kevin W. Wall < [email protected]> |
| 5 | + |
| 6 | + |
| 7 | +Previous release: ESAPI 2.2.3.0, 2021-03-23 |
| 8 | + |
| 9 | + |
| 10 | +Executive Summary: Important Things to Note for this Release |
| 11 | +------------------------------------------------------------ |
| 12 | +This is a very small patch release with the primary intent of updating some dependencies. |
| 13 | + |
| 14 | +Major changes: |
| 15 | + * Restores Apache Commons IO from 1.3.1 (what it was in 2.2.3.0) to 2.6 (what it was in 2.2.2.0). |
| 16 | + * Updates AntiSamy from 1.6.2 to 1.6.3 |
| 17 | + |
| 18 | +Unless you have already updated to ESAPI 2.2.3.0 and read those release notes, you should read those release notes for additional details. You can find it at: |
| 19 | + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt |
| 20 | + |
| 21 | +That discusses things like security bulletins and other important details that I am not going into for this release. |
| 22 | + |
| 23 | +================================================================================================================= |
| 24 | + |
| 25 | +Basic ESAPI facts |
| 26 | +----------------- |
| 27 | + |
| 28 | +ESAPI 2.2.3.1 release (no change since last release): |
| 29 | + 212 Java source files |
| 30 | + 4316 JUnit tests in 136 Java source files |
| 31 | + |
| 32 | +3 GitHub Issues closed in this release, including those we've decided not to fix (marked '(wontfix)'). |
| 33 | +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2021-03-23) |
| 34 | + |
| 35 | +Issue # GitHub Issue Title |
| 36 | +---------------------------------------------------------------------------------------------- |
| 37 | +614 Potentlial XXE Injection vulnerability in loading XML version of ESAPI properties file |
| 38 | +617 Unresolved Reference for com.ibm.uvm.tools in an OSGI Bundle |
| 39 | +624 Update pom.xml to use AntiSamy 1.6.3 and Apache Commons IO 2.6 |
| 40 | + |
| 41 | +----------------------------------------------------------------------------- |
| 42 | + |
| 43 | + Changes Requiring Special Attention |
| 44 | + |
| 45 | +----------------------------------------------------------------------------- |
| 46 | +See this section from the previous release notes at: |
| 47 | + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt |
| 48 | + |
| 49 | +----------------------------------------------------------------------------- |
| 50 | + |
| 51 | + Remaining Known Issues / Problems |
| 52 | + |
| 53 | +----------------------------------------------------------------------------- |
| 54 | +See this section from the previous release notes at: |
| 55 | + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.0-release-notes.txt |
| 56 | + |
| 57 | +NEW since last release (ESAPI 2.2.3.0) - CVE-2021-29425 |
| 58 | + https://nvd.nist.gov/vuln/detail/CVE-2021-29425 |
| 59 | + |
| 60 | + |
| 61 | +----------------------------------------------------------------------------- |
| 62 | + |
| 63 | + Other changes in this release, some of which not tracked via GitHub issues |
| 64 | + |
| 65 | +None known. |
| 66 | +----------------------------------------------------------------------------- |
| 67 | + |
| 68 | +Developer Activity Report (Changes between release 2.2.3.0 and 2.2.3.1, i.e., between 2021-03-23 and 2021-05-07) |
| 69 | +Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. |
| 70 | + |
| 71 | +Developer Total Total Number # Merged |
| 72 | +(GitHub ID) commits of Files Changed PRs |
| 73 | +======================================================== |
| 74 | +jeremiahjstacey 8 6 1 |
| 75 | +dependabot 1 1 1 |
| 76 | +kwwall 7 8 0 |
| 77 | +======================================================== |
| 78 | + Total PRs: 2 |
| 79 | + |
| 80 | +There were also several snyk-bot PRs that were rejected for various reasons, mostly because 1) I was already making the proposed changes and preferred to do them in single commit or 2) there were other reasons for rejecting them (such as the dependency requiring Java 8). The proposed changes that were not outright rejected were included as part of commit a8a79bc5196653500ce664b7b063284e60bddaa0. |
| 81 | + |
| 82 | +----------------------------------------------------------------------------- |
| 83 | + |
| 84 | +CHANGELOG: Create your own. May I suggest: |
| 85 | + |
| 86 | + git log --stat --since=2021-03-23 --reverse --pretty=medium |
| 87 | + |
| 88 | + which will show all the commits since just after the previous (2.2.3.0) release. |
| 89 | + |
| 90 | +----------------------------------------------------------------------------- |
| 91 | + |
| 92 | +Direct and Transitive Runtime and Test Dependencies: |
| 93 | + |
| 94 | + $ mvn dependency:tree |
| 95 | + [INFO] Scanning for projects... |
| 96 | + [INFO] |
| 97 | + [INFO] -----------------------< org.owasp.esapi:esapi >------------------------ |
| 98 | + [INFO] Building ESAPI 2.2.3.1-SNAPSHOT |
| 99 | + [INFO] --------------------------------[ jar ]--------------------------------- |
| 100 | + [INFO] |
| 101 | + [INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ esapi --- |
| 102 | + [INFO] org.owasp.esapi:esapi:jar:2.2.3.1-SNAPSHOT |
| 103 | + [INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided |
| 104 | + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided |
| 105 | + [INFO] +- com.io7m.xom:xom:jar:1.2.10:compile |
| 106 | + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile |
| 107 | + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile |
| 108 | + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile |
| 109 | + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile |
| 110 | + [INFO] +- commons-lang:commons-lang:jar:2.6:compile |
| 111 | + [INFO] +- commons-fileupload:commons-fileupload:jar:1.3.3:compile |
| 112 | + [INFO] +- log4j:log4j:jar:1.2.17:compile |
| 113 | + [INFO] +- org.apache.commons:commons-collections4:jar:4.2:compile |
| 114 | + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile |
| 115 | + [INFO] +- org.owasp.antisamy:antisamy:jar:1.6.3:compile |
| 116 | + [INFO] | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile |
| 117 | + [INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile |
| 118 | + [INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile |
| 119 | + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile |
| 120 | + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile |
| 121 | + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile |
| 122 | + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile |
| 123 | + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile |
| 124 | + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile |
| 125 | + [INFO] | +- org.slf4j:slf4j-simple:jar:1.7.30:compile |
| 126 | + [INFO] | +- xerces:xercesImpl:jar:2.12.1:compile |
| 127 | + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile |
| 128 | + [INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile |
| 129 | + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile |
| 130 | + [INFO] +- commons-io:commons-io:jar:2.6:compile |
| 131 | + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.2.2:compile (optional) |
| 132 | + [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional) |
| 133 | + [INFO] +- commons-codec:commons-codec:jar:1.15:test |
| 134 | + [INFO] +- junit:junit:jar:4.13.2:test |
| 135 | + [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.68:test |
| 136 | + [INFO] +- org.hamcrest:hamcrest-core:jar:1.3:test |
| 137 | + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.7:test |
| 138 | + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.7:test |
| 139 | + [INFO] +- org.javassist:javassist:jar:3.25.0-GA:test |
| 140 | + [INFO] +- org.mockito:mockito-core:jar:2.28.2:test |
| 141 | + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.9.10:test |
| 142 | + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.9.10:test |
| 143 | + [INFO] | \- org.objenesis:objenesis:jar:2.6:test |
| 144 | + [INFO] +- org.powermock:powermock-core:jar:2.0.7:test |
| 145 | + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.7:test |
| 146 | + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.7:test |
| 147 | + [INFO] +- org.powermock:powermock-reflect:jar:2.0.7:test |
| 148 | + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.28:test |
| 149 | + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:4.6:test |
| 150 | + [INFO] \- org.apache.commons:commons-math3:jar:3.2:test |
| 151 | + [INFO] ------------------------------------------------------------------------ |
| 152 | + [INFO] BUILD SUCCESS |
| 153 | + [INFO] ------------------------------------------------------------------------ |
| 154 | + [INFO] Total time: 0.759 s |
| 155 | + [INFO] Finished at: 2021-05-07T01:13:27-04:00 |
| 156 | + [INFO] ------------------------------------------------------------------------ |
| 157 | + |
| 158 | +----------------------------------------------------------------------------- |
| 159 | + |
| 160 | +Acknowledgments: |
| 161 | + Another hat tip to Dave Wichers for promptly releasing AntiSamy 1.6.2 and for the PR to fix GitHub issue #614. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. |
| 162 | + |
| 163 | +A special thanks to the ESAPI community from the ESAPI project co-leaders: |
| 164 | + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! |
| 165 | + Matt Seil (xeno6696) |
0 commit comments