|
| 1 | +Release notes for ESAPI 2.4.0.0 |
| 2 | + Release date: 2022-04-24 |
| 3 | + Project leaders: |
| 4 | + -Kevin W. Wall < [email protected]> |
| 5 | + |
| 6 | + |
| 7 | +Previous release: ESAPI 2.3.0.0, 2022-04-18 |
| 8 | + |
| 9 | +Important Announcement |
| 10 | +---------------------- |
| 11 | +Do NOT: Do NOT use GitHub Issues to ask questions about this of future releases. That is what the ESAPI Google groups are for. (See our GitHub README.md for further details.) If you can't do the ESAPI Google groups, then drop and email to either one or both of the project leaders (email addresses provided above). We will NOT respond to questions posted in GitHub Issues. |
| 12 | + |
| 13 | + |
| 14 | +Executive Summary: Important Things to Note for this Release |
| 15 | +------------------------------------------------------------ |
| 16 | +This is a very important ESAPI release as it is the first release to be FULLY INCOMPATIBLE WITH JAVA 1.7! This was expedited in response to some dependencies to resolve prior CVEs (see release notes in 2.3.0.0) that could not be updated as those versions required a JDK > 1.7 which we were forced to. The slightly premature update to java 1.8 is done to address CVE-2022-28366 that had to be fixed with a version of the transitive depenedency via AntiSamy of NekoHTML that was java 1.8+ only. (Wrapped into issue #682) It is important to note that the solution to fix CVE-2022-28366 does not exist in ESAPI 2.3.0.0 and there is no intention to fix it for Java 1.7. |
| 17 | + |
| 18 | +================================================================================================================= |
| 19 | + |
| 20 | +Basic ESAPI facts |
| 21 | +----------------- |
| 22 | + |
| 23 | +ESAPI 2.3.0.0 release (previous release): |
| 24 | + 212 Java source files |
| 25 | + 4325 JUnit tests in 136 Java source files (1 test ignored) |
| 26 | + |
| 27 | +ESAPI 2.4.0.0 release (current / new release): |
| 28 | + 212 Java source files |
| 29 | + 4325 JUnit tests in 136 Java source files (1 test ignored) |
| 30 | + |
| 31 | +3 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). |
| 32 | +[Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2021-05-07] |
| 33 | + |
| 34 | +Issue # GitHub Issue Title |
| 35 | +---------------------------------------------------------------------------------------------- |
| 36 | +682 Update baseline to java 1.8 |
| 37 | +679 Completely remove support for fixed IVs and throw a ConfigurationException if encountered. |
| 38 | +672 (wontfix) HTMLEntityCodec Bug Decoding "Left Angular Bracket" Symbol |
| 39 | +644 Do not include a logging implementation as a dependency slf4j-simple |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +----------------------------------------------------------------------------- |
| 44 | + |
| 45 | + Changes Requiring Special Attention |
| 46 | + |
| 47 | +----------------------------------------------------------------------------- |
| 48 | + |
| 49 | +1) This is the first ESAPI release that does not support java 1.7. This library will no longer work if youre application is that old. |
| 50 | + |
| 51 | + !!!!! VULNERABILITY ALERTS !!!!! |
| 52 | + |
| 53 | +2) This release closes our implementation of fixes outlined in CVE-2022-28366 from AntiSamy. This was a DoS vulnerability discovered in HtmlUnit-Neko affecting all versions up to 2.26. Details from MITRE are here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28366 |
| 54 | + |
| 55 | +----------------------------------------------------------------------------- |
| 56 | + |
| 57 | +Developer Activity Report (Changes between release 2.3.0.0 and 2.4.0.0, i.e., between 2022-04-17 and 2022-04-24) |
| 58 | + |
| 59 | +Special thanks to Dave Wichers and Sebastian Pessaro from AntiSamy for their work to close CVE-2022-28366. |
| 60 | +Special thanks to Jeremiah J. Stacey for his work to update and prep the library to support java 1.8. (He literally created the PR the day after 2.3.0.0's release.) |
| 61 | +Special thanks to Kevin Wall for support in pushing out this release. |
| 62 | + |
| 63 | + |
| 64 | +----------------------------------------------------------------------------- |
| 65 | + |
| 66 | +CHANGELOG: Create your own. May we suggest: |
| 67 | + |
| 68 | + git log --stat --since=2021-05-07 --reverse --pretty=medium |
| 69 | + |
| 70 | + or clone the ESAPI/esapi-java-legacy repo and then run |
| 71 | + |
| 72 | + mvn site |
| 73 | + |
| 74 | + and finally, point your browser at |
| 75 | + |
| 76 | + target/site/changelog.html |
| 77 | + |
| 78 | + Both approaches should show all the commits since just after the previous (2.2.3.1) release. [Note that the both approaches may include commits after the 2.3.0.0 release, but the first allows to to easily add an end date via '--until=2022-04-17'.] |
| 79 | + |
| 80 | +----------------------------------------------------------------------------- |
| 81 | + |
| 82 | +Direct and Transitive Runtime and Test Dependencies: |
| 83 | + |
| 84 | + $ mvn -B dependency:tree |
| 85 | + ... |
| 86 | + [INFO] org.owasp.esapi:esapi:jar:2.4.0.0-SNAPSHOT |
| 87 | + [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided |
| 88 | + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided |
| 89 | + [INFO] +- com.io7m.xom:xom:jar:1.2.10:compile |
| 90 | + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile |
| 91 | + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile |
| 92 | + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile |
| 93 | + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile |
| 94 | + [INFO] +- commons-lang:commons-lang:jar:2.6:compile |
| 95 | + [INFO] +- commons-fileupload:commons-fileupload:jar:1.4:compile |
| 96 | + [INFO] +- log4j:log4j:jar:1.2.17:compile |
| 97 | + [INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile |
| 98 | + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile |
| 99 | + [INFO] +- org.owasp.antisamy:antisamy:jar:1.6.8:compile |
| 100 | + [INFO] | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile |
| 101 | + [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile |
| 102 | + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile |
| 103 | + [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.3:compile |
| 104 | + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile |
| 105 | + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile |
| 106 | + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile |
| 107 | + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile |
| 108 | + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile |
| 109 | + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile |
| 110 | + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile |
| 111 | + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile |
| 112 | + [INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile |
| 113 | + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile |
| 114 | + [INFO] +- commons-io:commons-io:jar:2.11.0:compile |
| 115 | + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.6.0:compile |
| 116 | + [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile |
| 117 | + [INFO] +- commons-codec:commons-codec:jar:1.15:test |
| 118 | + [INFO] +- junit:junit:jar:4.13.2:test |
| 119 | + [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test |
| 120 | + [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test |
| 121 | + [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test |
| 122 | + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test |
| 123 | + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test |
| 124 | + [INFO] +- org.mockito:mockito-core:jar:3.12.4:test |
| 125 | + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test |
| 126 | + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test |
| 127 | + [INFO] | \- org.objenesis:objenesis:jar:3.2:test |
| 128 | + [INFO] +- org.powermock:powermock-core:jar:2.0.9:test |
| 129 | + [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test |
| 130 | + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test |
| 131 | + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test |
| 132 | + [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test |
| 133 | + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.35:test |
| 134 | + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test |
| 135 | + [INFO] \- org.apache.commons:commons-math3:jar:3.2:test |
| 136 | + ... |
| 137 | + |
| 138 | +----------------------------------------------------------------------------- |
| 139 | + |
| 140 | +Acknowledgments: |
| 141 | + * A special shout out to Jaroslav Lobačevski, a security researcher at GitHub Security Labs, who notified the ESAPI team via responsible disclosure and allowed us sufficient time to address GHSL-2022-008. |
| 142 | + * A huge hat-tip to Dave Wichers and Sebastian Passaro for promptly addressing vulnerabilities in AntiSamy, many of which were caused by poorly maintained dependencies of AntiSamy. |
| 143 | + * A special thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI contributors whom I've undoubtedly forgotten. |
| 144 | + * Finally, to all the ESAPI users who make our efforts worthwhile. This is for you. |
| 145 | + |
| 146 | +A special thanks to the ESAPI community from the ESAPI project co-leaders: |
| 147 | + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! |
| 148 | + Matt Seil (xeno6696) |
0 commit comments