
Releases: ESAPI/esapi-java-legacy

esapi-2.6.2.0

03 Jun 02:57
esapi-2.6.2.0
ba358e4

Full Release Notes

Release notes for ESAPI release 2.6.2.0 are located at:

What's Changed

  • This is a minor patch release with the intent of updating the Apache Commons BeanUtils dependency from v1.9.4 to v1.11.0 to address CVE-2025-48734.

Full Changelog: esapi-2.6.1.0...esapi-2.6.2.0

Other Notes

You may see GHAS Dependabot references to https://github.com/ESAPI/esapi-java-legacy/security/dependabot/17 for this (and previous releases). For a more thorough discussion of this, please see Discussion #877.

Configuration Jar

Note the associated file "esapi-2.6.2.0-configuration.jar" contains the default ESAPI configuration
files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file
"esapi-2.6.2.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

2.6.1.0

19 May 02:38
esapi-2.6.1.0
e0ef295

Full Release Notes

Release notes for ESAPI release 2.6.1.0 are located at:

What's Changed

  • Updated AntiSamy from release 1.7.7 to 1.7.8, which addresses the potentially exploitable vulnerability GHSA-73m2-qfq3-56cx. There is a slim possibility that this could affect ESAPI users who have added certain CSS mark-up constructs to the AntiSamy policy file that they are using. However, the default ESAPI AntiSamy policy file (antisamy-esapi.xml) does not permit CSS mark-up of any sort unless it has been modified by the ESAPI client.
  • Other minor updates to pom.xml

Full Changelog: esapi-2.6.0.0...esapi-2.6.1.0

Other Notes

You may see GHAS Dependabot references to https://github.com/ESAPI/esapi-java-legacy/security/dependabot/17 for this (and previous releases). For a more thorough discussion of this, please see Discussion #877.

Configuration Jar

Note the associated file "esapi-2.6.1.0-configuration.jar" contains the default ESAPI configuration
files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file
"esapi-2.6.1.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

2.6.0.0

26 Nov 01:40
esapi-2.6.0.0
dcde6c2

Full Release Notes

Release notes for ESAPI release 2.6.0.0 are located at:

What's Changed

  • Preparation for ESAPI release 2.6.0.0 by @kwwall in #860

Full Changelog: esapi-2.5.5.0...esapi-2.6.0.0

Configuration Jar

Note the associated file "esapi-2.6.0.0-configuration.jar" contains the default ESAPI configuration
files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file
"esapi-2.6.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

2.5.5.0

08 Oct 23:47
esapi-2.5.5.0
3f2ff05

Full Release Notes

Release notes for ESAPI release 2.5.5.0 are located at:

What's Changed

New Contributors

Full Changelog: esapi-2.5.4.0...esapi-2.5.5.0

Configuration Jar

Note the associated file "esapi-2.5.5.0-configuration.jar" contains the default ESAPI configuration
files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file
"esapi-2.5.5.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

2.5.4.0

30 May 02:15
esapi-2.5.4.0
8c0e5e0

Full release notes

Full release notes for ESAPI release 2.5.4.0 are located at:

It contains important details that you need to read: you MUST remove (or rename) 'esapi-java-logging.properties' if you are using ESAPI's default logging, which is JUL. Otherwise ESAPI will throw a ConfigurationException (which may surface as a java.lang.ExceptionInInitializerError or as a java.lang.NoClassDefFoundError, depending on circumstances). Please refer to the "Configuring the JavaLogFactory" wiki page for additional details.

YOU HAVE BEEN WARNED!!!

What's Changed

New Contributors

Full Changelog: esapi-2.5.3.1...esapi-2.5.4.0

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.4.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.4.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.4.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.
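The procedure the notes above describe (check the detached GPG signature, unjar with 'jar xf', look under 'configuration/esapi'), combined with the 2.5.4.0 warning about a leftover 'esapi-java-logging.properties', as an added shell example that is not part of the ESAPI project. It assumes gpg and jar are on PATH, that the signer's public key has already been imported into the local keyring, that the jar uses the 'configuration/esapi' layout stated for the 2.5.x releases, and that the operator supplies the signing key's fingerprint (the ESAPI_SIGNER_FPR placeholder); the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not ESAPI project code: verify a release's configuration jar
# against its detached signature, unjar it, and make sure no stale
# 'esapi-java-logging.properties' sits beside ESAPI.properties when JUL is the
# logger. Assumes gpg and jar are on PATH and the signer's public key has
# already been imported; ESAPI_SIGNER_FPR is an operator-supplied placeholder
# (40 hex digits, no spaces, as gpg prints it in its VALIDSIG status line).
set -eu

# verify_config_jar JAR [FINGERPRINT]
# Succeeds only if gpg reports GOODSIG for JAR.asc over JAR; when a
# fingerprint is given, the VALIDSIG line must also name that key, so a
# "good" signature from some other key in the keyring is still rejected.
verify_config_jar() {
    jar_file="$1"
    expected_fpr="${2:-}"
    sig_file="$jar_file.asc"
    [ -f "$jar_file" ] || { echo "missing $jar_file" >&2; return 1; }
    [ -f "$sig_file" ] || { echo "missing $sig_file" >&2; return 1; }
    # --status-fd 1 puts machine-readable [GNUPG:] lines on stdout; gpg
    # exits non-zero on a bad or unverifiable signature, hence the || true.
    status=$(gpg --status-fd 1 --verify "$sig_file" "$jar_file" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] GOODSIG "*) ;;
        *) echo "no good signature on $jar_file" >&2; return 1 ;;
    esac
    if [ -n "$expected_fpr" ]; then
        case "$status" in
            *"[GNUPG:] VALIDSIG $expected_fpr "*) ;;
            *) echo "signature on $jar_file is not from key $expected_fpr" >&2; return 1 ;;
        esac
    fi
    return 0
}

# extract_config_jar JAR DEST
# Unjars JAR into DEST (the 'jar xf' step from the release notes) and
# prints the directory that holds ESAPI.properties and friends.
extract_config_jar() {
    jar_file="$1"
    dest="$2"
    abs_jar=$(cd "$(dirname "$jar_file")" && pwd)/$(basename "$jar_file")
    mkdir -p "$dest"
    (cd "$dest" && jar xf "$abs_jar")
    # 2.5.x jars keep the properties under configuration/esapi (assumed layout).
    echo "$dest/configuration/esapi"
}

# check_stale_jul_config DIR
# Fails if DIR still contains esapi-java-logging.properties, which the
# 2.5.4.0 notes say must be removed or renamed when JUL is the logger;
# leaving it in place makes ESAPI throw a ConfigurationException at startup.
check_stale_jul_config() {
    stale="$1/esapi-java-logging.properties"
    if [ -e "$stale" ]; then
        echo "remove or rename $stale before starting with JUL logging" >&2
        return 1
    fi
    return 0
}

# Usage (only runs when the operator points ESAPI_CONFIG_JAR at a download;
# the script name below is hypothetical):
#   ESAPI_CONFIG_JAR=esapi-2.5.4.0-configuration.jar \
#   ESAPI_SIGNER_FPR=<fingerprint of the ESAPI signing key> sh verify-esapi-config.sh
if [ -n "${ESAPI_CONFIG_JAR:-}" ]; then
    verify_config_jar "$ESAPI_CONFIG_JAR" "${ESAPI_SIGNER_FPR:-}"
    config_dir=$(extract_config_jar "$ESAPI_CONFIG_JAR" ./esapi-config)
    check_stale_jul_config "$config_dir"
    echo "verified and extracted to $config_dir"
fi
```

Checking GOODSIG alone is not enough once more than one key is in the keyring, which is why the fingerprint check on VALIDSIG is there; obtain that fingerprint out of band rather than from the same download location as the jar.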

2.5.3.1

01 Dec 05:08
esapi-2.5.3.1
7823a87

Major changes

ESAPI 2.5.3.1 is a minor point release that adds:

  • Updated Javadoc for the Validator.isValidSafeHTML and ValidationRule.getValid methods.
  • Adds an always-on log message (a single time only) if either of the isValidSafeHTML methods is invoked. The warning notes that the method is deprecated and provides a link to the GitHub Security Advisory.

Release Notes

The release notes for ESAPI release 2.5.3.1 are located at:

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.3.1-release-notes.txt

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.3.1-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.1-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.1-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

References

  • GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.

2.5.3.0

24 Nov 21:18
esapi-2.5.3.0
ce7a725

Major changes

Release Notes

The release notes for ESAPI release 2.5.3.0 are located at:

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.3.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

References

  • GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.
  • CVE-2023-43643 was addressed by the AntiSamy 1.7.4 upgrade. Even without this AntiSamy patch, ESAPI was not impacted.

The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.3.0.

2.5.2.0

13 Apr 03:42
esapi-2.5.2.0
15737a2

Release Notes

The release notes for ESAPI release 2.5.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.2.0-release-notes.txt

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.2.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.2.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.2.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

CVEs addressed

  • CVE-2023-24998 was remediated. See Security Bulletin 11 for details.
  • CVE-2023-26119 was remediated. It is not yet known if it impacted ESAPI.

The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.2.0.

2.5.1.0

27 Nov 22:24
esapi-2.5.1.0
958892f

Update summary

  1. Updates to latest versions of direct dependencies, including:
     • An update to AntiSamy: 1.7.0 --> 1.7.2
     • An update to SLF4J API: 1.7.36 --> 2.0.4 (Note: 2.0.5 is available and likely would result in "convergence" issues with the version AntiSamy 1.7.2 pulls in)
  2. A new codec (org.owasp.esapi.codecs.JSONCodec) is provided that implements JSON output encoding as per section 7 of RFC 8259. It is made available via Encoder.encodeForJSON(). (Note: unlike other encoders, there is no corresponding decoder (i.e., decodeForJSON()) made available. Since that would normally be done by your JavaScript code, it wasn't deemed essential.)
  3. Executing 'mvn site' now creates Javadoc for the ESAPI tag library (GitHub issue #733).

Details

For full details, please see the release notes for ESAPI release 2.5.1.0 located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.1.0-release-notes.txt

Note the file "esapi-2.5.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.1.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.wall@gmail.com'.

2.5.0.0

21 Jul 00:30
esapi-2.5.0.0
8993a1a

Release notes for ESAPI release 2.5.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt

IMPORTANT:

  • This release drops all support for ESAPI Logging using Log4J 1 (except through SLF4J). If your ESAPI.Logger property is set to use Log4J and you do not change it, you will get obscure Exceptions or Errors thrown. (Generally an ExceptionInInitializerError.)
  • Because we've upgraded to AntiSamy 1.7.0, there are also some potentially breaking changes in this release if you have customized your antisamy-esapi.xml file.
  • As begun in the previous release, this release only supports Java 8 or later.

If you do nothing else at least read this short "Changes Requiring Special Attention" section of the 2.5.0.0 release notes. You have been warned!

Finally, note that the file "esapi-2.5.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.wall@gmail.com'.