Saturday, August 28, 2010

ESAPI 2.0 rc7 (for Java 1.5+) is now live!

ESAPI 2.0 rc7 for Java 1.5 and above is now live!

You can download the complete zip file here:

You can browse the ESAPI 2.0 rc7 Javadocs here:

Additional online project documentation can be found here:

Major enhancements include:
  1. Several fixes to SecurityWrapperRequest.
  2. Overhauled Singleton implementations so that the ObjFactory creates instances or singletons, rather than having ESAPI manage them unreliably.
  3. Changes to get rid of deprecated Encryptor encrypt() / decrypt() methods and replace them with the new, stronger encrypt() / decrypt() methods.
  4. Several Validation fixes around returning consistent error states.
  5. Made changes to the Encryptor so that it is no longer vulnerable to "padding oracle attacks" (issue #120).
  6. Fixes to seal() so that it now properly works if the message being sealed contains a ":" (issue #28).
  7. Examples should now work (if you follow directions in README.txt)
    whether ESAPI has been pulled from the SVN repository or downloaded
    from the zip file. (Issue #114.)
Please see changelog.txt at the root of the zip file for more information.

Thanks to Kevin Wall, Chris “Beef” Schmidt, Jonathon Ruckwood and Ed Schaller for their contributions in this release.

Malama Pono Aloha,

Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
