Releases: ESAPI/esapi-java-legacy
esapi-2.5.5.0
Full Release Notes
Release notes for ESAPI release 2.5.5.0 are located at:
What's Changed
- Pom updates to address issue #847 by @kwwall in #848
- Update the logging properties to opt-out of the prefix events #844 by @mickeyz07 in #845
- Fix Typos by @DarioViva42 in #852
- Improved documentation by @DebajitKumarPhukan in #853
- Release prep 2.5.5.0 by @kwwall in #856
New Contributors
- @mickeyz07 made their first contribution in #845
- @DarioViva42 made their first contribution in #852
- @DebajitKumarPhukan made their first contribution in #853
Full Changelog: esapi-2.5.4.0...esapi-2.5.5.0
Configuration Jar
Note the associated file "esapi-2.5.5.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.5.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.
2.5.4.0
Full release notes
Full release notes for ESAPI release 2.5.4.0 are located at:
It contains important details which you need to read: you MUST remove (or rename) 'esapi-java-logging.properties' if you are using ESAPI's default logging, which is JUL. Otherwise ESAPI will throw a ConfigurationException (which may appear as a java.lang.ExceptionInInitializerError or as a java.lang.NoClassDefFoundError, depending on circumstances). Please refer to the "Configuring the JavaLogFactory" wiki page for additional details.
YOU HAVE BEEN WARNED!!!
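A fail-fast pre-flight check for the situation described above, added here as an illustration; it is not ESAPI project code. It assumes ESAPI.properties is on the classpath either at the root or under esapi/, that the JUL factory's class name is org.owasp.esapi.logging.java.JavaLogFactory (treated here as the default ESAPI.Logger value), and that the offending file is named exactly esapi-java-logging.properties as the note states. Run it before the first call into ESAPI so the misconfiguration surfaces as a readable message instead of an ExceptionInInitializerError deep in class initialisation.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

/**
 * Hypothetical startup check (not part of ESAPI): refuse to start when the
 * default JUL logging is in effect but a stray esapi-java-logging.properties
 * is still on the classpath, which ESAPI 2.5.4.0 rejects with a ConfigurationException.
 */
public final class EsapiLoggingPreflight {

    // File that must be removed or renamed when using the default JUL logging.
    static final String LEGACY_LOGGING_FILE = "esapi-java-logging.properties";

    // Assumed class name of ESAPI's JUL log factory (the default ESAPI.Logger value).
    static final String JUL_FACTORY = "org.owasp.esapi.logging.java.JavaLogFactory";

    // Classpath locations searched for ESAPI.properties (assumption; ESAPI itself also
    // honours the org.owasp.esapi.resources system property and further locations).
    private static final String[] CANDIDATES = {"ESAPI.properties", "esapi/ESAPI.properties"};

    /** Returns the configured ESAPI.Logger factory, or null if no ESAPI.properties was found. */
    static String configuredLogFactory(ClassLoader cl) throws IOException {
        for (String path : CANDIDATES) {
            try (InputStream in = cl.getResourceAsStream(path)) {
                if (in == null) {
                    continue;
                }
                Properties props = new Properties();
                props.load(in);
                // A missing ESAPI.Logger key means the JUL default applies.
                return props.getProperty("ESAPI.Logger", JUL_FACTORY).trim();
            }
        }
        return null;
    }

    /** Every copy of esapi-java-logging.properties visible to the class loader. */
    static List<URL> legacyLoggingFiles(ClassLoader cl) throws IOException {
        return Collections.list(cl.getResources(LEGACY_LOGGING_FILE));
    }

    /**
     * Throws IllegalStateException with an actionable message if JUL logging is
     * in effect and the legacy file is present; returns quietly otherwise.
     */
    static void check(ClassLoader cl) throws IOException {
        String factory = configuredLogFactory(cl);
        boolean usingJul = factory == null || JUL_FACTORY.equals(factory);
        List<URL> found = legacyLoggingFiles(cl);
        if (usingJul && !found.isEmpty()) {
            throw new IllegalStateException(
                "ESAPI.Logger is " + (factory == null ? "unset (defaults to JUL)" : factory)
                + " but " + LEGACY_LOGGING_FILE + " is on the classpath at " + found
                + "; remove or rename it, otherwise ESAPI 2.5.4.0 and later throw a"
                + " ConfigurationException (often surfacing as ExceptionInInitializerError"
                + " or NoClassDefFoundError).");
        }
    }

    public static void main(String[] args) throws IOException {
        check(Thread.currentThread().getContextClassLoader());
        System.out.println("ESAPI logging pre-flight passed");
    }
}
```

Calling check() from a servlet context listener or the application's main method, before any ESAPI.encoder() or ESAPI.validator() call, gives operations staff the file's actual location on the classpath (a packaged jar, an exploded WAR directory) rather than a bare NoClassDefFoundError.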
What's Changed
- Bump org.owasp:dependency-check-maven from 9.0.0 to 9.0.6 by @dependabot in #825
- fix: upgrade Antisamy to 1.7.5 to resolve CVE-2024-23635 by @mpreziuso in #833
- Issue #839 JavaLogFactory ConcMod by @jeremiahjstacey in #840
- PR to fix #824 and reference to #823 by @xeno6696 in #828
New Contributors
- @mpreziuso made their first contribution in #833
Full Changelog: esapi-2.5.3.1...esapi-2.5.4.0
Configuration files located in configuration jar
Note that the attached file "esapi-2.5.4.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.1-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.4.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.
2.5.3.1
Major changes
ESAPI 2.5.3.1 is a minor point release that adds:
- Updated Javadoc for the Validator.isValidSafeHTML and ValidationRule.getValid methods.
- An always-on log message (emitted a single time only) if either of the isValidSafeHTML methods is invoked. The warning notes that the method is deprecated and provides a link to the GitHub Security Advisory.
Release Notes
The release notes for ESAPI release 2.5.3.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.3.1-release-notes.txt
Configuration files located in configuration jar
Note that the attached file "esapi-2.5.3.1-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.1-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.1-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.
References
- GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.
2.5.3.0
Major changes
- The two Validator.isValidSafeHTML methods were deprecated. More details on this in GitHub Security Advisory GHSA-r68h-jhhj-9jvm.
- There is now a version of the ESAPI jar that should support the Jakarta Servlet API. See the release notes and the ESAPI GitHub wiki page Using ESAPI with Jakarta EE Servlet API Specification 5.0 and later for details.
- Updated to AntiSamy 1.7.4, which addresses CVE-2023-43643, which really was not exploitable via ESAPI anyway. More details are in the release notes.
Release Notes
The release notes for ESAPI release 2.5.3.0 are located at:
Configuration files located in configuration jar
Note that the attached file "esapi-2.5.3.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.
References
- GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.
- CVE-2023-43643 was addressed by the AntiSamy 1.7.4 upgrade. Even without this AntiSamy patch, ESAPI was not impacted.
The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.3.0.
2.5.2.0
Release Notes
The release notes for ESAPI release 2.5.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.2.0-release-notes.txt
Configuration files located in configuration jar
Note that the attached file "esapi-2.5.2.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.2.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.2.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.
CVEs addressed
- CVE-2023-24998 was remediated. See Security Bulletin 11 for details.
- CVE-2023-26119 was remediated. It is not yet known if it impacted ESAPI.
The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.2.0.
2.5.1.0
Update summary
- Updates to latest versions of direct dependencies, including:
  - An update to AntiSamy: 1.7.0 --> 1.7.2
  - An update to SLF4J API: 1.7.36 --> 2.0.4 (Note: 2.0.5 is available and likely would result in "convergence" issues with the version AntiSamy 1.7.2 pulls in)
- A new codec (org.owasp.esapi.codecs.JSONCodec) is provided that provides JSON output encoding as per section 7 of RFC 8259. It is made available via Encoder.encodeForJSON(). (Note that, unlike other encoders, there is no corresponding decoder (i.e., decodeForJSON()) made available. Since that would normally be done by your JavaScript code, it wasn't deemed essential.)
- Executing 'mvn site' now creates Javadoc for the ESAPI tag library (GitHub issue #733).
Details
For full details, please see the release notes for ESAPI release 2.5.1.0 located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.1.0-release-notes.txt
Note the file "esapi-2.5.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.1.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'.
2.5.0.0
Release notes for ESAPI release 2.5.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt
IMPORTANT:
- This release drops all support for ESAPI Logging using Log4J 1 (except through SLF4J). If your ESAPI.Logger property is set to use Log4J and you do not change it, you will get obscure Exceptions or Errors thrown. (Generally an ExceptionInInitializerError.)
- Because we've upgraded to AntiSamy 1.7.0, there are also some potentially breaking changes in this release if you have customized your antisamy-esapi.xml file.
- As begun in the previous release, this release only supports Java 8 or later.
If you do nothing else, at least read the short "Changes Requiring Special Attention" section of the 2.5.0.0 release notes. You have been warned!
Finally, note that the file "esapi-2.5.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'.
2.4.0.0
Release notes for ESAPI release 2.4.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt
IMPORTANT:
- This release is NOT compatible with Java 7. Java 8 or later is required to use this version of ESAPI. The ESAPI 2.3.0.0 release was the last release to support Java 7.
- This release of ESAPI fixes an older DoS vulnerability (CVE-2022-28366) that we were unable to patch while supporting Java 7 as the minimal JDK, as well as a newer DoS vulnerability (CVE-2022-29546) that previously did not have a CVE ID during our 2.3.0.0 release. ESAPI users might have seen either of these DoS vulnerabilities manifested via Validator.isValidSafeHTML() and Validator.getValidSafeHTML() in previous releases.
Finally, note that the file "esapi-2.4.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.4.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'.
2.3.0.0
Full release notes for ESAPI release 2.3.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
IMPORTANT Note: Because this release of ESAPI fixes several vulnerabilities, it is extremely important that you actually read the FULL release notes and the referenced GitHub Security Advisories. Failure to do so likely will cause previous ESAPI users to miss some critical remediation steps as remediation for CVE-2022-24891 involves more than simply upgrading your dependency to ESAPI 2.3.0.0.
Remediates
- CVE-2022-23457 - See details in this GitHub Security Advisory
- CVE-2022-24891 - See details in this GitHub Security Advisory
- Several vulnerabilities via update from AntiSamy 1.6.3 (in ESAPI 2.2.3.1) to AntiSamy 1.6.7 in this release. See the AntiSamy release notes for further details of the CVEs that were addressed. (Note that there was one CVE from AntiSamy that didn't affect ESAPI, but it was a moot point because of the CVE-2022-23891 issue in ESAPI's antisamy-esapi.xml file.)
Finally, to fully remediate CVE-2022-23891, note that the file "esapi-2.3.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.3.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'. You NEED this jar (or a manual change) to get the important update to the antisamy-esapi.xml file.
2.2.3.1
Release notes for ESAPI release 2.2.3.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.1-release-notes.txt
This was a very minor point release.
Note the file "esapi-2.2.3.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.3.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.
See also Security Bulletin 5 (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin5.pdf) for a description of why CVE-2021-29425 is NOT exploitable via ESAPI.