No worries, we'll get everything patched within six months.
The Apache Foundation is urging developers to update their Struts 2 installations and projects using the code – after a critical security flaw was found in a key component of the framework. A warning this week from Apache reveals that devs should make sure their websites and other applications are running Struts versions 2.5. …
The Apache Foundation needs to kick this project to the curb or at least remove the "Apache" part of the name. It just hurts their reputation.
Re: Bad reputation?
Easier said than done: projects within Apache have a high degree of autonomy. The only place a project gets booted is into the attic, and that's when the world (more specifically, the development community) has lost interest.
The point in the article that calls for clarification and tough questions is why and to what extent there is no easy drop-in patch path for sysops using Struts. I think we should ask the team to review how that can be addressed to ensure easy fixes for future issues.
My interpretation of the notice was that the problem is in the Apache Commons FileUpload library. The Struts update is to bundle the latest version of FileUpload.
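Since the fix arrives as a re-bundled library rather than a drop-in patch, the practical check for an operator is which Commons FileUpload jars actually sit in the deployed application after the update. The script below is an added example, not code from the article, the commenters or the Apache Struts project. It walks an exploded WAR's WEB-INF/lib, reads each jar's MANIFEST.MF for an Implementation-Version (falling back to the version in the filename), and flags any commons-fileupload artifact below a threshold. The threshold, the sample jar names and the sample manifests are all constructed for illustration; the real minimum version must come from the Apache advisory for your release line.

```python
"""Inventory the Commons FileUpload jars bundled in a deployed web application.

Added example (not from the article, the thread or Apache Struts). It reports
which commons-fileupload jars a deployed app carries and whether each meets a
caller-supplied minimum version. The minimum version is a hypothetical
parameter; take the real threshold from the Apache advisory.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches e.g. "commons-fileupload-1.3.3.jar" -> artifact "commons-fileupload", version "1.3.3".
JAR_NAME_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9.-]*?)-(?P<version>\d[\w.-]*)\.jar$", re.I)


def parse_version(version):
    """Turn '1.4' or '2.0.0-M1' into a tuple of ints for comparison; a non-numeric tail is dropped."""
    parts = []
    for piece in re.split(r"[.-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def manifest_version(jar_path):
    """Return Implementation-Version or Bundle-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
        except KeyError:
            return None
    for line in raw.splitlines():
        for key in ("Implementation-Version:", "Bundle-Version:"):
            if line.startswith(key):
                return line[len(key):].strip()
    return None


def audit_webapp(webapp_dir, min_fileupload_version):
    """Return [(jar name, version, ok)] for every commons-fileupload jar under WEB-INF/lib.

    Every matching jar is listed, so a stale copy left beside the updated one
    (the classic half-done drop-in upgrade) shows up as a separate failing row.
    """
    lib = Path(webapp_dir) / "WEB-INF" / "lib"
    minimum = parse_version(min_fileupload_version)
    findings = []
    for jar in sorted(lib.glob("*.jar")):
        m = JAR_NAME_RE.match(jar.name)
        if not m or not m.group("artifact").lower().startswith("commons-fileupload"):
            continue
        version = manifest_version(jar) or m.group("version")
        findings.append((jar.name, version, parse_version(version) >= minimum))
    return findings


def build_sample_webapp(root):
    """Construct a fake exploded WAR (constructed sample data, not a real deployment).

    One old FileUpload jar with a manifest version, one newer jar whose manifest
    lacks a version (exercising the filename fallback), and an unrelated jar.
    """
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    samples = {
        "commons-fileupload-1.3.3.jar": "Manifest-Version: 1.0\nImplementation-Version: 1.3.3\n",
        "commons-fileupload-1.5.jar": "Manifest-Version: 1.0\n",
        "struts2-core-2.5.30.jar": "Manifest-Version: 1.0\nImplementation-Version: 2.5.30\n",
    }
    for name, manifest in samples.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return lib


def demo(min_fileupload_version="1.5"):
    """Build the constructed sample and audit it; "1.5" is a hypothetical threshold for illustration."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webapp(tmp)
        return audit_webapp(tmp, min_fileupload_version)


if __name__ == "__main__":
    for name, version, ok in demo():
        print(f"{'OK  ' if ok else 'FAIL'} {name} (version {version})")
```

Point `audit_webapp()` at the exploded application directory on the server rather than at the build output: the question the thread raises is what the running deployment carries, and a leftover older jar next to the updated one is exactly the state a filename-only glance misses.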
The second I saw the word "struts" the Equifax breach came immediately to mind!