Release 2.5.2.0 now available

[kwwall]

New ESAPI release available in GitHub under Releases. Also, confirmed it is now available from Maven Central, but as of Thu Apr 13 04:30:49 UTC 2023, it yet does not show up in any of the searches I've tried (e.g, from https://mvnrepository.com/artifact/org.owasp.esapi/esapi or via https://search.maven.org/search?q=ESAPI), but sometimes that takes several hours and one time it took 3 days!

Release Notes

The release notes for ESAPI release 2.5.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.2.0-release-notes.txt

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.2.0-configuration.jar" contains the default ESAPI configuration files intended for used in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.2.0-configuration.jar.asc" is a detached GPG signature of that the file "esapi-2.5.2.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

CVEs addressed

• CVE-2023-24998 was remediated. See Security Bulletin 11 for details.
• CVE-2023-26119 was remediated. It is not yet know if it impacted ESAPI.

The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.2.0.

---

This discussion was created from the release 2.5.2.0.