Title: Bump org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0 by dependabot[bot] · Pull Request #333 · OWASP-Benchmark/BenchmarkJava · GitHub
Open Graph Title: Bump org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0 by dependabot[bot] · Pull Request #333 · OWASP-Benchmark/BenchmarkJava
X Title: Bump org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0 by dependabot[bot] · Pull Request #333 · OWASP-Benchmark/BenchmarkJava
Description: Bumps org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0.
Release notes
Sourced from org.owasp.esapi:esapi's releases.
esapi-2.7.0.0
Full Release Notes
Release notes for ESAPI release 2.7.00 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.7.0.0-release-notes.txt
What's Changed
This is a major patch release with the primary intent of addressing CVE-2025-5878, the details of which are spelled out in [Security Bulletin #13](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf).
Major Javadoc enhancements, corrections, and clarifications.
Deprecated methods, interfaces, and classes.
The reference implementation for the Encoder.encodeForSQL interface is now disabled by default and must be explicitly enabled if you absolutely much use it. (WARNING: You shouldn't!) Instructions on how to enable it are provided in Appendix B of [Security Bulletin #13](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf). You will find the updated ESAPI.properties file in the configuration jar helpful.
This release also updates Apache Commons FileUploads to 1.6.0 to address CVE-2025-48976. That CVE likely does not affect the HTTP.getFileUloads interfaces (which is the only methods that use that library), but we have not had time to analyze it fully given the CVE cited against ESAPI.
Apache Commons BeanUtils was also updated to 1.11.0 to address CVE-2025-48734 which potentially could anyone using ESAPI's AccessController and has placed their access control policy in a place where an attacker may be overwrite it. That is highly unlikely, but better safe than sorry.
Full Changelog: ESAPI/esapi-java-legacy@esapi-2.6.2.0...esapi-2.7.0.0
Configuration Jar
Note the associated file "esapi-2.7.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.7.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall. If you were using ESAPI's Encoder.encodeForSQL interface, you will want to use its updated ESAPI.properties file.
Commits
0fa4c0f Remove '-SNAPSHOT' from release # to prep official release.
f75ac2c Merging Private Branch contents from Kevin's Repo. (#888)
e232291 Merge pull request #886 from kwwall/develop
23a2b76 Added Javadoc to encodeForSQL method regarding how to enabled it.
0129740 Added 2 new field names whose values are the 2 new property names.
eb425bb New property file for testing DefaultEncoder.encodeForSQL when it's
844eb0c Add missing newline.
a10e323 hanged the tongue-in-cheek property names to the actual ones we are using.
06d0ff2 Changed the tongue-in-cheek property names to the actual ones we are using.
61de71f Changed the tongue-in-cheek propert names to the actual ones we are using.
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show
Open Graph Description: Bumps org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0. Release notes Sourced from org.owasp.esapi:esapi's releases. esapi-2.7.0.0 Full Release Notes Release notes for ESAPI release 2.7.00 are l...
X Description: Bumps org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0. Release notes Sourced from org.owasp.esapi:esapi's releases. esapi-2.7.0.0 Full Release Notes Release notes for ESAPI release 2.7.00 a...
Opengraph URL: https://github.com/OWASP-Benchmark/BenchmarkJava/pull/333
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:54150798-2253-dc6e-69e6-edeaeffe3463 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | E60A:2F6413:32FCEC2:424FABD:6A5CE30D |
| html-safe-nonce | a5a858225c7d99c2ee2fcd5fa9495127961aec20cc352b6b1b7d1f8b0271b567 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFNjBBOjJGNjQxMzozMkZDRUMyOjQyNEZBQkQ6NkE1Q0UzMEQiLCJ2aXNpdG9yX2lkIjoiNTI1MDM2NjY0OTQ3MjQ0MzE0OSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 54eb572fe5f6d4e86d9d35b992e53c3a7d6dad820bf2418bf2a2cdbb1b8e38cf |
| hovercard-subject-tag | pull_request:2629108639 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/OWASP-Benchmark/BenchmarkJava/pull/333/files |
| twitter:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| og:image:alt | Bumps org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0. Release notes Sourced from org.owasp.esapi:esapi's releases. esapi-2.7.0.0 Full Release Notes Release notes for ESAPI release 2.7.00 are l... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5290d7e14309ad1e76106a9c4237bd1041517e83ea182c8ab756752cb0c6940b |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/OWASP-Benchmark/BenchmarkJava git https://github.com/OWASP-Benchmark/BenchmarkJava.git |
| octolytics-dimension-user_id | 80600360 |
| octolytics-dimension-user_login | OWASP-Benchmark |
| octolytics-dimension-repository_id | 33565372 |
| octolytics-dimension-repository_nwo | OWASP-Benchmark/BenchmarkJava |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 33565372 |
| octolytics-dimension-repository_network_root_nwo | OWASP-Benchmark/BenchmarkJava |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 9c975978430e9ad293956f2bbdaf153b1bd84a99 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width