New important ESAPI release that addresses several vulnerabilities just released


Kevin W. Wall

Apr 17, 2022, 8:18:36 PM4/17/22
to esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey

A new IMPORTANT release of #ESAPI (2.3.0.0) that patches several vulnerabilities is now available from Maven Central (though it will be a few hours until it is searchable there).


Release notes for ESAPI release 2.3.0.0 are located at:

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt

IMPORTANT: Because this release of ESAPI fixes several vulnerabilities, it is extremely important that you actually read these release notes. Failure to do so likely will cause previous ESAPI users to miss some critical remediation steps!

Please share for reach, especially if you are aware of other projects that have forked ESAPI or are using it in important products. More details on some of the vulnerabilities will be forthcoming as they get issued CVE IDs and referenced in ESAPI and AntiSamy release documentation.


Also, note that this will be the last ESAPI release to support Java 7. Sometime this week we plan to release the first release to require Java 8 as the minimally supported JDK. That release will be called 2.4.0.0.


If you have questions:

  1. Do NOT submit them as GitHub issues. If you do, we will simply mark them as closed and not answer them. (Sorry.)
  2. Do ask in one of these 2 Google mailing lists or by sending myself and/or Matt a private email.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.