2.5.4.0 release

[kwwall]

Full release notes

Full release notes for ESAPI release 2.5.4.0 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.4.0-release-notes.txt

It contains important details, which you need to read as you MUST remove (or rename) 'esapi-java-logging.properties' if you are using ESAPI's default logging, which is JUL. Otherwise ESAPI will throw a ConfigurationException (which may appear as a java.lang.ExceptionInInitializerError or as a java.lang.NoClassDefFoundError, depending on circumstances). Please refer to the "Configuring the JavaLogFactory" wiki page for additional details.

YOU HAVE BEEN WARNED!!!

What's Changed

• Bump org.owasp:dependency-check-maven from 9.0.0 to 9.0.6 by @dependabot in Bump org.owasp:dependency-check-maven from 9.0.0 to 9.0.6 #825
• fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635 by @mpreziuso in fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635 #833
• Issue ConcurrentModificationException #839 JavaLogFactory ConcMod by @jeremiahjstacey in Issue #839 JavaLogFactory ConcMod #840
• PR to fix DefaultEncoder / getCanonicalizedURI returns mix encoding for HTML special characters #824 and reference to DefaultEncoder / getCanonicalizedURI returns mix encoding for HTML special characters #823 by @xeno6696 in PR to fix #824 and reference to #823 #828

New Contributors

• @mpreziuso made their first contribution in fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635 #833

Full Changelog: esapi-2.5.3.1...esapi-2.5.4.0

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.4.0-configuration.jar" contains the default ESAPI configuration files intended for used in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.1-configuration.jar.asc" is a detached GPG signature of that the file "esapi-2.5.4.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

---

This discussion was created from the release 2.5.4.0.

[kwwall]

Note the important note about deleting esapi-java-logging.properties file if you are using ESAPI's default logging that uses JUL.

[kwwall]

FYI: ESAPI 2.5.4.0 is now showing up in https://central.sonatype.com/artifact/org.owasp.esapi/esapi/versions, but not yet in https://mvnrepository.com/artifact/org.owasp.esapi/esapi

[kwwall]

One last thing. I am making this known in order to support complete transparency. I do so because I think that there is little risk to ESAPI clients and I believe that it is better that you know than we attempt to cover it up. Plus we can use your assistance to determin if it is legitimate,

Anyway, just before the final release steps, I ran OWASP Dependency Check, it was flagging relatively new CVEs against Apache Commons Configuration. I believe these are false positives because we are using commons-configuration:commons-configuration:1.10 and the CVE descriptions everywhere that I read said that it affected versions 2.0 up through, but not including 2.10.1. Also, neither Snyk nor GitHub Dependabot, which we also use, are reporting this.

That said, the 2 CVEs that OWASP Dependency Check flagged were:

• CVE-2024-29131
• CVE-2024-29133

If it turns out that it by some chance that either of these CVEs does affect ESAPI (Dependency Check mentioned a CPE that referenced version 1.10), chances are still really high that you, as an ESAPI user, are not impacted, as the only part of ESAPI that uses Apache Commons Configuration is you are using ESAPI's AccessController and in 15 years that I have been working on ESAPI, I have yet to run across one place where that is used. I am attaching the Dependency Check report in case anyone wants to look at it and you don't happen to have an NVD API key to run Dependency Check yourself. (Renamed to .txt so I could upload it.)
dependency-check-report.html.txt

[kwwall]

I looked at this a bit more and ended up reporting it as a False Positive on the OWASP Dependency Check's GitHub Issues. It is reported here: jeremylong/DependencyCheck#6704

[kwwall]

Getting close; I just submitted PR #856, but ideally I would like it reviewed by one of our core team members even though mostly it's just documentation or some pom updates.

[kwwall]

Dang. I'm having a problem with the deployment to Maven Central. Specifically, I'm having the problem described here:

https://community.sonatype.com/t/401-content-access-is-protected-by-token-authentication-failure-while-performing-maven-release/12741

Bottom line it looks like Sonatype made a change and everyone didn't get notified, so it's going to take me a while to resolve this and I'm not sure how much patience I have tonight. Stay tuned.

[kwwall]

Got it to upload, but looks like there are still errors when you try to download it. Will try again tomorrow evening.