[Esapi-user] Important Notice: ESAPI code freeze on 2016/01/31 for planned ESAPI release

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 23 00:08:10 UTC 2016

Thanks to the fantastic help the OWASP community has recently been
ESAPI is planning a new point release including 2 dozen+ bug fixes.

For those of you who have been helping or are planning to help with ESAPI
bug fixes, I just wanted to let you know that I would like to have a
code freeze sometime on Sunday, 2016-01-31.  Therefore, if you have are
working on any pull requests that you would like merged, please get them in
before that date, otherwise then will have to wait until the following

Note this release will *NOT* be fixing the CVE-2013-5960, which requires a
design change and is only about 75% or so completed. (Mostly needs
the backward compatibility fixed in a manner to prevent roll-back
attacks and a lot more JUnit tests.) Because of the previously released
ESAPI security bulletin, the fix for CVE-2013-5960 will be put out in
release 2.1.1, and this release will be called (The current
release, which was deployed in Sept 2013, was release 2.1.0.)

Up to this point we have closed 25 issues in GitHub and a few more
are in the works by Matt Seil and Jeremiah Stacey. For a full list
of fixes planned for this release as well as other minor changes,
please see the tentative release notes for ESAPI, described here:

Shortly after this release, the GitHub 'master' branch will be frozen and
always reflect the latest official release (point release, full release, or
whatever) and we will carry on development / bug fixes on a new 'develop'
branch.  The 'develop' branch will become the new default GitHub branch for
https://github.com/ESAPI/esapi-java-legacy. We intend to more or less
follow the git work-flow described in Vincent Driessen's blog post
"A successful Git branching model", found here:

I would like to include a list of those of you who have helped make
this release a reality in the release notes, so if you have contributed
to ESAPI at any time or in any capacity since the previous 2.1.0 release
please email me (directly, NOT to the mailing list!) and how you want
you name to appear and a brief 1 line description of your contribution
and I will make sure your name gets in there. You have until the code
freeze date of Jan-31-2016 to get that information to me. (Note that
I will *NOT* be including email addresses, Twitter handles, GitHub user
names, etc.--only names. Please include at least your first initial
as I will not include just last names.)

If you have questions or comments, please reply to one (or both) of
these ESAPI mailing lists. In case someone forwarded you this email,
you can find information about subscribing to these lists at:


Thanks all for your help,
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20160122/cf55a25e/attachment.html>

More information about the Esapi-user mailing list