Releases: ESAPI/esapi-java-legacy
2.5.0.0
Release notes for ESAPI release 2.5.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt
IMPORTANT:
- This release drops all support for ESAPI Logging using Log4J 1 (except through SLF4J). If your ESAPI.Logger property is set to use Log4J and you do not change it, you will get obscure Exceptions or Errors thrown. (Generally an ExceptionInInitializerError.)
- Because we've upgraded to AntiSamy 1.7.0, there are also some potentially breaking changes in this release if you have customized your antisamy-esapi.xml file.
- As begun in the previous release, this release only supports Java 8 or later.
If you do nothing else, at least read the short "Changes Requiring Special Attention" section of the 2.5.0.0 release notes. You have been warned!
Finally, note that the file "esapi-2.5.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'.
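The first bullet above describes a failure that only shows up at startup, after the upgrade. The script below is an added example (not code from the ESAPI project) that checks an ESAPI.properties file for the removed Log4J 1 logger factory before you move to 2.5.0.0. It assumes the Log4J 1 factory is selected by a class named Log4JLogFactory (ESAPI has shipped it as org.owasp.esapi.logging.log4j.Log4JLogFactory, and older 2.1.x releases as org.owasp.esapi.reference.Log4JLogFactory) and that the replacements it suggests are ESAPI's own JUL and SLF4J factories; confirm both against your file and the 2.5.0.0 release notes.

```shell
#!/bin/sh
# Pre-upgrade check for ESAPI 2.5.0.0: flag an ESAPI.properties that still
# selects the removed Log4J 1 logger before the upgrade turns it into an
# ExceptionInInitializerError at startup.
#
# Added example, not code from the ESAPI project. Assumption: the Log4J 1
# factory is selected by a class named ...Log4JLogFactory (seen as
# org.owasp.esapi.logging.log4j.Log4JLogFactory in 2.2.x+, and as
# org.owasp.esapi.reference.Log4JLogFactory in 2.1.x). The suggested
# replacements are ESAPI's JUL and SLF4J factories.

# esapi_logger_value FILE -> prints the effective ESAPI.Logger value.
# Comment lines are skipped; if the key appears more than once the last one
# wins, matching how java.util.Properties loads duplicate keys.
esapi_logger_value() {
    sed -n 's/^[[:space:]]*ESAPI\.Logger[[:space:]]*[=:][[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# check_esapi_logger FILE
#   0 -> logger setting survives the upgrade
#   1 -> Log4J 1 factory selected: must be changed before moving to 2.5.0.0
#   2 -> no ESAPI.Logger set at all: check which default your version applies
check_esapi_logger() {
    value="$(esapi_logger_value "$1")"
    case "$value" in
        "") return 2 ;;
        *Log4JLogFactory) return 1 ;;
        *) return 0 ;;
    esac
}

# report FILE -> human-readable verdict, with the two supported replacements
report() {
    rc=0
    check_esapi_logger "$1" || rc=$?
    case "$rc" in
        0) echo "OK: $1 uses ESAPI.Logger=$(esapi_logger_value "$1")" ;;
        1) echo "BREAKS ON 2.5.0.0: $1 sets ESAPI.Logger=$(esapi_logger_value "$1")" >&2
           echo "  replace with one of:" >&2
           echo "  ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory   (JUL)" >&2
           echo "  ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory (SLF4J; route to Log4J from there)" >&2 ;;
        2) echo "WARN: $1 does not set ESAPI.Logger" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh check-esapi-logger.sh path/to/ESAPI.properties
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

The exit code makes it usable as a gate in a build: 1 means the upgrade will fail at ESAPI initialization, 2 means the property is absent and you should confirm what default your current version applies before relying on it.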
2.4.0.0
Release notes for ESAPI release 2.4.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt
IMPORTANT:
- This release is NOT compatible with Java 7. Java 8 or later is required to use this version of ESAPI. The ESAPI 2.3.0.0 release was the last release to support Java 7.
- This release of ESAPI fixes an older DoS vulnerability (CVE-2022-28366) that we were unable to patch while supporting Java 7 as the minimal JDK, as well as a newer DoS vulnerability (CVE-2022-29546) that previously did not have a CVE ID during our 2.3.0.0 release. ESAPI users might have seen either of these DoS vulnerabilities manifested via Validator.isValidSafeHTML() and Validator.getValidSafeHTML() in previous releases.
Finally, note that the file "esapi-2.4.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.4.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'.
2.3.0.0
Full release notes for ESAPI release 2.3.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
IMPORTANT Note: Because this release of ESAPI fixes several vulnerabilities, it is extremely important that you actually read the FULL release notes and the referenced GitHub Security Advisories. Failure to do so will likely cause previous ESAPI users to miss some critical remediation steps, as remediation for CVE-2022-24891 involves more than simply upgrading your dependency to ESAPI 2.3.0.0.
Remediates
- CVE-2022-23457 - See details in this GitHub Security Advisory
- CVE-2022-24891 - See details in this GitHub Security Advisory
- Several vulnerabilities via update from AntiSamy 1.6.3 (in ESAPI 2.2.3.1) to AntiSamy 1.6.7 in this release. See the AntiSamy release notes for further details of the CVEs that were addressed. (Note that one CVE from AntiSamy did not affect ESAPI, but that was a moot point because of the CVE-2022-24891 issue in ESAPI's antisamy-esapi.xml file.)
Finally, to fully remediate CVE-2022-24891, note that the file "esapi-2.3.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.3.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'. You NEED this jar (or a manual change) to get the important update to the antisamy-esapi.xml file.
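Every release on this page ships an esapi-<version>-configuration.jar with a detached GPG signature, and for 2.3.0.0 that jar carries the antisamy-esapi.xml update the remediation depends on. The script below is an added example, not code from the ESAPI project, showing how to verify the .asc before trusting the jar's contents and then pull out only the configuration/ entries. It assumes gpg (GnuPG 2.x) and unzip are installed, that the signer's public key is already imported into your keyring, and that the key's full fingerprint is supplied in an environment variable ESAPI_SIGNING_KEY_FPR obtained from a source you trust; the fingerprint is not given on this page, so none is filled in here. It reads gpg's machine-readable status instead of trusting the exit code, because exit 0 from `gpg --verify` only means some key in your keyring made a good signature, and gpg still emits VALIDSIG for expired or revoked keys.

```shell
#!/bin/sh
# Verify an esapi-<version>-configuration.jar against its detached .asc
# signature, then extract the configuration/ files it carries.
#
# Added example, not code from the ESAPI project. Assumptions:
#   - gpg (GnuPG 2.x) and unzip are installed;
#   - the release signer's public key is already in your keyring;
#   - ESAPI_SIGNING_KEY_FPR holds that key's full fingerprint, taken from a
#     source you trust. This page does not give the fingerprint, and fetching
#     it from the same place as the jar defeats the purpose of checking it.

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Parses 'gpg --status-fd' output. Returns 0 only when gpg reported VALIDSIG,
# the signing-key or primary-key fingerprint equals EXPECTED_FPR, and no
# failure, expiry or revocation status line is present.
check_gpg_status() {
    status="$1"
    want="$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')"

    # gpg emits VALIDSIG alongside EXPKEYSIG/REVKEYSIG, so reject those first.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY|ERROR)( |$)'; then
        return 1
    fi

    # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsvd> <pk-algo> <hash> <class> <primary-fpr>
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# verify_config_jar JAR SIGFILE EXPECTED_FPR
verify_config_jar() {
    # --status-fd 1 puts machine-readable status on stdout; human text stays on stderr.
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1")" || true
    check_gpg_status "$status" "$3"
}

# extract_config JAR DESTDIR -- only the configuration/ entries, nothing else in the jar.
extract_config() {
    unzip -o -q "$1" 'configuration/*' -d "$2"
}

main() {
    version="$1"
    fpr="${ESAPI_SIGNING_KEY_FPR:?set ESAPI_SIGNING_KEY_FPR to the trusted signer fingerprint}"
    jar="esapi-${version}-configuration.jar"
    if verify_config_jar "$jar" "$jar.asc" "$fpr"; then
        echo "signature OK for $jar; extracting configuration files"
        extract_config "$jar" "./esapi-config-$version"
        ls "./esapi-config-$version/configuration"
    else
        echo "REFUSING $jar: no valid signature from expected key $fpr" >&2
        return 1
    fi
}

# Usage: ESAPI_SIGNING_KEY_FPR=<fingerprint> sh verify-esapi-config.sh 2.3.0.0
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it in the directory holding the jar and the .asc. For 2.3.0.0 the extracted configuration/antisamy-esapi.xml is then the file to diff against your deployed copy; if you carry local customizations, port them onto the new file rather than keeping the old one.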
2.2.3.1
Release notes for ESAPI release 2.2.3.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.1-release-notes.txt
This was a very minor point release.
Note the file "esapi-2.2.3.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.3.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.
See also Security Bulletin 5 (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin5.pdf) for a description of why CVE-2021-29425 is NOT exploitable via ESAPI.
2.2.3.0
This is a patch release with the primary intent of updating some dependencies, some with known vulnerabilities. Main updates are:
-- AntiSamy, from 1.5.11 to 1.6.2.
-- As a result of the AntiSamy upgrade, the transitive dependency xercesImpl was updated from 2.12.0 to 2.12.1 which should address CVE-2020-14338.
-- Apache batik-css, updated from 1.13 to 1.14.
See the ESAPI 2.2.3.0 release notes for details.
Note the configuration jar and its detached signature are also attached. Also note that the 2 security advisories are (sort of) relevant if you are either using ESAPI's deprecated log4j 1.x logging or are concerned about your SCA tools popping up warnings about ESAPI:
2.2.2.0
Release notes for ESAPI release 2.2.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.2.0-release-notes.txt
If you are updating from ESAPI 2.2.0.0 or earlier, be especially sure to read the release notes section "Changes Requiring Special Attention" as it describes what needs to be done to get ESAPI logging to work.
Lastly, be sure to also read Security Bulletin #3 at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
Note the file "esapi-2.2.2.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.2.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.
2.2.1.1
Release notes for ESAPI release 2.2.1.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt
Be especially sure to read the section "Changes Requiring Special Attention" as it describes what needs to be done to get ESAPI logging to work.
Note the file "esapi-2.2.1.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.1.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.
2.2.1.0
esapi-java-logging.properties.txt -- You need this file for ESAPI logging using JUL (which is the new default).
Release notes for ESAPI release 2.2.1.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.0-release-notes.txt
Be especially sure to search for and read the section "IMPORTANT WORKAROUND for 2.2.1.0 ESAPI Logging".
Note the file "esapi-2.2.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.1.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.
2.2.0.0
Release notes for ESAPI release 2.2.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.2.0.0-release-notes.txt
Note the file "esapi-2.2.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.