Releases: ESAPI/esapi-java-legacy
2.2.3.1
Release notes for ESAPI release 2.2.3.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.1-release-notes.txt
This was a very minor point release.
Note the file "esapi-2.2.3.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.3.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.
See also Security Bulletin 5 (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin5.pdf) for a description of why CVE-2021-29425 is NOT exploitable via ESAPI.
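Each release on this page ships its default configuration as a jar plus a detached GPG signature (.asc) made by the maintainer. The files should be verified before they are unpacked into a classpath, and a "good signature" from gpg is not enough on its own: gpg exits 0 for a good signature from any key in the keyring, so the signing key also has to be pinned to the fingerprint you expect. The POSIX shell script below is an added example and is not code from the ESAPI project or from these release notes. It assumes the signer's public key has already been imported and its fingerprint obtained from a source you trust (this page gives neither a key id nor a fingerprint, so none is hard-coded), that gpg and unzip are on PATH, and it treats the jar and signature paths as parameters.

```shell
#!/bin/sh
# Added example, not code from the ESAPI project or from this release page.
# Verifies the detached GPG signature (esapi-<ver>-configuration.jar.asc) on an
# ESAPI configuration jar, pins it to an expected signing-key fingerprint, and
# then lists the configuration/ files the jar carries.
#
# Assumptions (not stated on the page): the signer's public key has already
# been imported into the local keyring and its fingerprint obtained out of
# band (the page gives neither a key id nor a fingerprint, so none is
# hard-coded here); gpg and unzip are on PATH; file names are parameters.

# verify_esapi_config_jar JAR EXPECTED_FINGERPRINT [SIG]
#   0: good signature from the expected key
#   1: gpg rejected the signature (bad signature, or key not in keyring)
#   2: jar or signature file missing, or no fingerprint given
#   3: gpg not installed
#   4: signature is good but was made by a different key than expected
verify_esapi_config_jar() {
    jar=$1
    # normalise the fingerprint: drop spaces, upper-case the hex digits
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    sig=${3:-$1.asc}                  # detached signature sits beside the jar by default
    [ -n "$fpr" ] || { echo "expected fingerprint is required" >&2; return 2; }
    [ -f "$jar" ] || { echo "missing jar: $jar" >&2; return 2; }
    [ -f "$sig" ] || { echo "missing signature: $sig" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; return 3; }

    # --status-fd 1 makes gpg print machine-readable status lines on stdout.
    # A detached signature is verified by passing the .asc first, the data second.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$jar" 2>/dev/null) || return 1

    # gpg exits 0 for a good signature from ANY key in the keyring, so the exit
    # status alone says nothing about who signed. The VALIDSIG status line carries
    # the signing-key fingerprint (and the primary-key fingerprint as its last
    # field); accept only if the expected fingerprint appears there.
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"; then
        return 0
    fi
    echo "good signature, but not from expected key $fpr" >&2
    return 4
}

# list_esapi_config JAR -- print the entries under configuration/
# (ESAPI.properties, validation.properties, ...). Returns 2 if the jar is
# missing and 3 if unzip is absent; grep returns 1 if no such entries exist.
list_esapi_config() {
    jar=$1
    [ -f "$jar" ] || { echo "missing jar: $jar" >&2; return 2; }
    command -v unzip >/dev/null 2>&1 || { echo "unzip not found on PATH" >&2; return 3; }
    unzip -Z1 "$jar" | grep '^configuration/'
}

# Usage: sh verify-esapi-config.sh esapi-2.2.3.1-configuration.jar <FINGERPRINT>
# Verify first; only list (or unpack) the jar once the signature checks out.
if [ $# -ge 2 ]; then
    verify_esapi_config_jar "$1" "$2" && list_esapi_config "$1"
fi
```

Run it with the jar path and the fingerprint you obtained out of band; the jar is only listed (and should only be unpacked onto the classpath) after the signature has been accepted. The same script applies unchanged to the 2.2.2.0, 2.2.1.1, 2.2.1.0 and 2.2.0.0 configuration jars further down this page.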
2.2.3.0
This is a patch release whose primary intent is to update some dependencies, several of which have known vulnerabilities. The main updates are:
-- AntiSamy, from 1.5.11 to 1.6.2.
-- As a result of the AntiSamy upgrade, the transitive dependency xercesImpl was updated from 2.12.0 to 2.12.1 which should address CVE-2020-14338.
-- Apache batik-css, updated from 1.13 to 1.14.
See the ESAPI 2.2.3.0 release notes for details.
Note the configuration jar and its detached signature are also attached. Also note that the two security advisories are (sort of) relevant if you are either using ESAPI's deprecated log4j 1.x logging or are concerned about your SCA tools popping up warnings about ESAPI:
2.2.2.0
Release notes for ESAPI release 2.2.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.2.0-release-notes.txt
If you are updating from ESAPI 2.2.0.0 or earlier, be especially sure to read the release notes section "Changes Requiring Special Attention", as it describes what needs to be done to get ESAPI logging to work.
Lastly, be sure to also read Security Bulletin #3 at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin3.pdf
Note the file "esapi-2.2.2.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.2.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.
2.2.1.1
Release notes for ESAPI release 2.2.1.1 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt
Be especially sure to read the section "Changes Requiring Special Attention" as it describes what needs to be done to get ESAPI logging to work.
Note the file "esapi-2.2.1.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.1.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.
2.2.1.0
esapi-java-logging.properties.txt -- You need this file for ESAPI logging using JUL (java.util.logging), which is the new default.
Release notes for ESAPI release 2.2.1.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.0-release-notes.txt
Be especially sure to search for and read the section "IMPORTANT WORKAROUND for 2.2.1.0 ESAPI Logging".
Note the file "esapi-2.2.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.1.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.
2.2.0.0
Release notes for ESAPI release 2.2.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.2.0.0-release-notes.txt
Note the file "esapi-2.2.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin Wall.