[Esapi-user] [Esapi-dev] Important Notice: ESAPI code freeze on 2016/01/31 for planned ESAPI release

Jim Manico jim.manico at owasp.org
Sat Jan 23 00:36:30 UTC 2016

You folks should be very proud of this work. I'm thrilled to see these 
updates get pushed live.

It definitely changes my thoughts about recommending ESAPI for Java.


On 1/22/16 7:08 PM, Kevin W. Wall wrote:
> Thanks to the fantastic help the OWASP community has recently been providing,
> ESAPI is planning a new point release including 2 dozen+ bug fixes.
> For those of you who have been helping or are planning to help with ESAPI
> bug fixes, I just wanted to let you know that I would like to have a tentative
> code freeze sometime on Sunday, 2016-01-31. Therefore, if you are
> working on any pull requests that you would like merged, please get them in
> before that date, otherwise they will have to wait until the following
> release.
>
> Note this release will *NOT* be fixing the CVE-2013-5960, which requires a
> design change and is only about 75% or so completed. (Mostly needs
> the backward compatibility fixed in a manner to prevent roll-back
> attacks and a lot more JUnit tests.) Because of the previously released
> ESAPI security bulletin, the fix for CVE-2013-5960 will be put out in
> release 2.1.1, and this release will be called (The current
> release, which was deployed in Sept 2013, was release 2.1.0.)
>
> Up to this point we have closed 25 issues in GitHub and a few more
> are in the works by Matt Seil and Jeremiah Stacey. For a full list
> of fixes planned for this release as well as other minor changes,
> please see the tentative release notes for ESAPI, described here:
> https://drive.google.com/file/d/0B3Yc2oc1Z9n5OVhiNWJJbDltSlk/view?usp=sharing
>
> Shortly after this release, the GitHub 'master' branch will be frozen and will
> always reflect the latest official release (point release, full release, or
> whatever) and we will carry on development / bug fixes on a new 'develop'
> branch. The 'develop' branch will become the new default GitHub branch for
> https://github.com/ESAPI/esapi-java-legacy. We intend to more or less
> follow the git work-flow described in Vincent Driessen's blog post
> "A successful Git branching model", found here:
> http://nvie.com/posts/a-successful-git-branching-model/
>
> I would like to include a list of those of you who have helped make
> this release a reality in the release notes, so if you have contributed
> to ESAPI at any time or in any capacity since the previous 2.1.0 release
> please email me (directly, NOT to the mailing list!) with how you want
> your name to appear and a brief 1 line description of your contribution
> and I will make sure your name gets in there. You have until the code
> freeze date of Jan-31-2016 to get that information to me. (Note that
> I will *NOT* be including email addresses, Twitter handles, GitHub user
> names, etc.--only names. Please include at least your first initial
> as I will not include just last names.)
>
> If you have questions or comments, please reply to one (or both) of
> these ESAPI mailing lists. In case someone forwarded you this email,
> you can find information about subscribing to these lists at:
> https://lists.owasp.org/listinfo/esapi-dev
> https://lists.owasp.org/listinfo/esapi-user
>
> Thanks all for your help,
> -kevin
> -- 
> Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
> NSA: All your crypto bit are belong to us.
