blob: edebbaecc40b63cae9a040a2bc8136fc67102f70 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<meta name="Date-Revision-yyyymmdd" content="20140918"/>
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Announcements 2016</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
<link href="/css/custom.css" rel="stylesheet">
<link href="/highlighter/github-theme.css" rel="stylesheet">
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
<script type="text/javascript" src="/js/community.js"></script>
</head>
<body>
<a href="http://github.com/apache/struts" class="github-ribbon">
<img style="position: absolute; right: 0; border: 0;" src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png" alt="Fork me on GitHub">
</a>
<header>
<nav>
<div role="navigation" class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle">
Menu
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a>
</div>
<div id="struts-menu" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Home<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/index.html">Welcome</a></li>
<li><a href="/download.cgi">Download</a></li>
<li><a href="/releases.html">Releases</a></li>
<li><a href="/announce.html">Announcements</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Support<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/mail.html">User Mailing List</a></li>
<li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li>
<li><a href="/security.html">Reporting Security Issues</a></li>
<li class="divider"></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li>
<li class="divider"></li>
<li><a href="/maven/project-info.html">Maven Project Info</a></li>
<li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li>
<li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Documentation<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/birdseye.html">Birds Eye</a></li>
<li><a href="/primer.html">Key Technologies</a></li>
<li><a href="/kickstart.html">Kickstart FAQ</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
<li><a href="/security/">Security Guide</a></li>
<li><a href="/core-developers/">Core Developers Guide</a></li>
<li><a href="/tag-developers/">Tag Developers Guide</a></li>
<li><a href="/maven-archetypes/">Maven Archetypes</a></li>
<li><a href="/plugins/">Plugins</a></li>
<li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li>
<li><a href="/tag-developers/tag-reference.html">Tag reference</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
<li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Contributing<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/youatstruts.html">You at Struts</a></li>
<li><a href="/helping.html">How to Help FAQ</a></li>
<li><a href="/dev-mail.html">Development Lists</a></li>
<li><a href="/contributors/">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/submitting-patches.html">Submitting patches</a></li>
<li><a href="/builds.html">Source Code and Builds</a></li>
<li><a href="/coding-standards.html">Coding standards</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/release-guidelines.html">Release Guidelines</a></li>
<li><a href="/bylaws.html">PMC Charter</a></li>
<li><a href="/volunteers.html">Volunteers</a></li>
<li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li>
<li><a href="/updating-website.html">Updating the website</a></li>
</ul>
</li>
<li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li>
</ul>
</div>
</div>
</div>
</nav>
</header>
<article class="container">
<section class="col-md-12">
<a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2016.md" title="Edit this page on GitHub">Edit on GitHub</a>
<h1 id="announcements-2016">Announcements 2016</h1>
<p class="pull-right">
Skip to: <a href="announce-2015.html">Announcements - 2015</a>
</p>
<h4 id="a20161219">19 December 2016 - Struts 2.5.8 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.8 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release addresses one potential security vulnerability:</p>
<ul>
<li>Possible DoS attack when using URLValidator - <a href="/docs/s2-044.html">S2-044</a></li>
</ul>
<p>Also this release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>Included XSL files’ URI not being resolved for actions with result <code class="highlighter-rouge">type="xslt"</code>, see WW-2561</li>
<li><code class="highlighter-rouge">ConcurrentModificationException</code> using <code class="highlighter-rouge">s:iterator</code> (intermittent), see WW-3019</li>
<li><code class="highlighter-rouge">ObjectFactory</code> reporting ERROR’s when you attempt to set parameters on a Redirect result, see WW-3170</li>
<li>preselect values in <code class="highlighter-rouge">&lt;s:optgroup&gt;</code>, see WW-4367</li>
<li>File upload error message always in default language, see WW-4636</li>
<li>Can no longer clear parameter on a <code class="highlighter-rouge">&lt;s:url&gt;</code> tag, see WW-4701</li>
<li>List based parameters no longer work when there is only one value, see WW-4702</li>
<li><code class="highlighter-rouge">NullPointerException</code> in <code class="highlighter-rouge">ActionSupport</code> when use <code class="highlighter-rouge">ModelDriven</code>, see WW-4703</li>
<li>Multiselect parameter behavior different between struts 2.5.5 and 2.5.1, see WW-4707</li>
<li>Invalid field value for field “id”, see WW-4709</li>
<li>Scope interceptor always resets because of <code class="highlighter-rouge">org.apache.struts2.dispatcher.HttpParameters</code>, see WW-4715</li>
<li><code class="highlighter-rouge">focusElement</code> form attribute not working, see WW-4718</li>
<li>Portlet Issue with <code class="highlighter-rouge">I18Interceptor</code>, see WW-4722</li>
<li>Allow <code class="highlighter-rouge">&lt;constant/&gt;</code> value substitution in XML configuration, see WW-4698</li>
<li>Upgrade to latest OGNL version, see WW-4704</li>
<li>Add support for long type to <code class="highlighter-rouge">&lt;s:date&gt;</code> tag, see WW-4705</li>
<li>Disallow access to <code class="highlighter-rouge">HttpParameters.toMap</code>, see WW-4710</li>
<li><code class="highlighter-rouge">&lt;s:text/&gt;</code> tag should not evaluate <code class="highlighter-rouge">defaultMessage</code> against a <code class="highlighter-rouge">ValueStack</code> by default, see WW-4711</li>
<li><code class="highlighter-rouge">TextProviderHelper#getText()</code> should perform cleaning of <code class="highlighter-rouge">defaultMessage</code>, see WW-4712</li>
<li>Refactor file upload support to allow create virtual representation of <code class="highlighter-rouge">java.io.File</code>, see WW-4717</li>
<li>Move <code class="highlighter-rouge">DefaultClassFinder</code> into <code class="highlighter-rouge">Convention</code> plugin, see WW-4719</li>
<li><code class="highlighter-rouge">HttpParameters</code> should behave like a <code class="highlighter-rouge">Map</code>, see WW-4720</li>
<li>Add support for <code class="highlighter-rouge">roundingMode</code> in <code class="highlighter-rouge">&lt;s:number/&gt;</code> tag, see WW-4721</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20161021">21 October 2016 - Struts 2.5.5 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.5 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>webconsole can always be accessed, see WW-4601</li>
<li>Space character and includeParams, see WW-4628</li>
<li>Empty <s:param name="p1" value=""></s:param> is being supressed, see WW-4631</li>
<li>remove ASM 3 from struts2, see WW-4646</li>
<li>SMI do not work with JSON plugin, see WW-4649</li>
<li>Concurrency issue in addDefaultResourceBundle, see WW-4652</li>
<li>Action parameters should be included when building the URL to action, see WW-4654</li>
<li>StreamResult closes outputstream early, see WW-4662</li>
<li>NullPointerException when displaying a form without action attribute, see WW-4663</li>
<li>ParametersInterceptor excludeParams only applies to first instance of params interceptor in paramsPrepareParamsStack, see WW-4667</li>
<li>URL validator is case sensitive, see WW-4671</li>
<li>Select box does not pre-select chosen values, see WW-4675</li>
<li>Tiles-Plugin unable to load tiles definition XML, see WW-4679</li>
<li>Missing brackets in checkbox.ftl of css_xhtml template, see WW-4681</li>
<li>Move Struts Archetypes to dedicated project, see WW-4316</li>
<li>Add dedicated class to represent Http Parameters, see WW-4572</li>
<li>ParametersInterceptor should check collection index to against DOS, see WW-4620</li>
<li>Move example portlet-app into struts-examples, see WW-4660</li>
<li>Upgrade JFreeChart plugin to the latest version of JFreeChart, see WW-4670</li>
<li>StrutsPrepareAndExecuteFilter should check for response commited status, see WW-4674</li>
<li>ConversionErrorInterceptor to extend MethodFilterInterceptor, see WW-4676</li>
<li>I18N Interceptor automatically validates Locale, see WW-4677</li>
<li>Upgrade Tiles to 3.0.7 GA version, see WW-4680</li>
<li>Allow directly accessing I18N keys from Tiles defintions, see WW-4685</li>
<li>Merge two existing I18NInterceptors into one, see WW-4686</li>
<li>Exclude “java.ext.dirs” when scanning for actions, see WW-4688</li>
<li>CycleDetector - use enum instead of String constants, see WW-4689</li>
<li>Upgrade Commons Collections to 4.1, see WW-4695</li>
<li>Upgrade to Log4j 2.7, see WW-4696</li>
<li>Warn about excluded action/method only when DMI is disabled, see WW-4697</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20161018">18 October 2016 - Struts 2.3.31 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.31 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release addresses two potential security vulnerabilities:</p>
<ul>
<li>Possible path traversal in the Convention plugin <a href="/docs/s2-042.html">S2-042</a></li>
<li>Using the Config Browser plugin in production <a href="/docs/s2-043.html">S2-043</a></li>
</ul>
<p>Also this release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>webconsole can always be accessed, see WW-4601</li>
<li>Space character and includeParams,see WW-4628</li>
<li>ParametersInterceptor excludeParams only applies to first instance of params interceptor in paramsPrepareParamsStack,see WW-4667</li>
<li>Select box does not pre-select chosen values,see WW-4675</li>
<li>StrutsPrepareAndExecuteFilter should check for response committed status,see WW-4674</li>
<li>Allow directly accessing I18N keys from Tiles definitions,see WW-4685</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<h4 id="a20160707">7 July 2016 - Struts 2.5.2 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.2 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Struts 2.5.2 release contains several improvements just to mention few of them:</p>
<ul>
<li>SecurityMemberAccess exclude class design issue, see WW-4645</li>
<li>Json deserialization does not work in 2.5.1, see WW-4650</li>
<li>Negative number is considered an arithmetic expression, see WW-4651</li>
<li>Wildcard redirect and path <code class="highlighter-rouge">/static/</code>, see WW-4656</li>
<li>Upgrade commons-fileupload to the latest version, see WW-4648</li>
<li>Cleans up logic in <code class="highlighter-rouge">StreamResult</code> and update docs, see WW-4655</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20160707-2">7 July 2016 - Struts 2.3.30 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.30 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>Pre-evaluation of “name” attribute stopped working, see WW-4641</li>
<li>Unable to retrieve <code class="highlighter-rouge">s:hidden</code> field values, see WW-4642</li>
<li>SecurityMemberAccess exclude class design issue, see WW-4645</li>
<li>Negative number is considered an arithmetic expression, see WW-4651</li>
<li>Upgrade commons-fileupload to the latest version, see WW-4648</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-2330">download</a> page.</p>
<h4 id="a20160618">18 June 2016 - Struts 2.5.1 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.1 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release addresses one potential security vulnerability:</p>
<ul>
<li><a href="/docs/s2-041.html">S2-041</a>
Possible DoS attack when using URLValidator</li>
</ul>
<p>Also all security patches applied to version Struts 2.3.29 were also applied to this version (just in case).</p>
<p>This release contains several improvements just to mention few of them:</p>
<ul>
<li>contentType override ignored for JSONInterceptor - see WW-4558</li>
<li>MessageStorePreResultListener does not store messages for 3rd-party RedirectResult subclasses - see WW-4618</li>
<li>EmailValidator flags .cat emails as invalid - see WW-4626</li>
<li>SMI cannot be disabled - see WW-4632</li>
<li>Centre alignment does not seem to work in Velocity tags - see WW-4634</li>
<li>Unable to process Jar entry (javassist-3.20.0-GA.jar) - see WW-4637</li>
<li>Strict Method Invocation breaks Action-Less Results - see WW-4643</li>
<li>When method is not allowed throw exception with meaningful message - see WW-4640</li>
<li>update struts2 bom - see WW-4644</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20160617">17 June 2016 - Struts 2.3.29 General Availability with Security Fixes Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.29 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release addresses these potential security vulnerabilities:</p>
<ul>
<li>
<p><a href="/docs/s2-035.html">S2-035</a>
Action name clean up is error prone</p>
</li>
<li>
<p><a href="/docs/s2-036.html">S2-036</a>
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes,
may lead to remote code execution (similar to S2-029)</p>
</li>
<li>
<p><a href="/docs/s2-037.html">S2-037</a>
Remote Code Execution can be performed when using REST Plugin.</p>
</li>
<li>
<p><a href="/docs/s2-038.html">S2-038</a>
It is possible to bypass token validation and perform a CSRF attack</p>
</li>
<li>
<p><a href="/docs/s2-039.html">S2-039</a>
Getter as action method leads to security bypass</p>
</li>
<li>
<p><a href="/docs/s2-040.html">S2-040</a>
Input validation bypass using existing default action method.</p>
</li>
<li>
<p><a href="/docs/s2-041.html">S2-041</a>
Possible DoS attack when using URLValidator</p>
</li>
</ul>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>Json result type breaks</li>
<li>MessageStorePreResultListener doesn’t store messages for 3rd-party RedirectResult subclasses</li>
<li>Multiple tiles.xml in web.xml</li>
<li>New Tiles version can not find tiles*.xml files in sub-directories</li>
<li>EmailValidator flags .cat emails as invalid</li>
<li>Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80</li>
<li>Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+</li>
<li><code class="highlighter-rouge">&lt;s:submit&gt;</code> generates a value attribute for type=image which violates W3C</li>
<li>ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20160601">1 June 2016 - Two security vulnerabilities reported</h4>
<p>Two potential security vulnerabilities were reported which were already addressed in the latest Apache Struts 2 versions.
Those reports just added other vectors of attack.</p>
<ul>
<li>
<p><a href="/docs/s2-033.html">S2-033</a>
Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled</p>
</li>
<li>
<p><a href="/docs/s2-034.html">S2-034</a>
OGNL cache poisoning can lead to DoS vulnerability</p>
</li>
</ul>
<p>Please read carefully the Security Bulletins and take suggested actions. The simplest way to avoid those vulnerabilities
in your application is to upgrade the Apache Struts to latest available version in 2.3.x series or to the Apache Struts 2.5.</p>
<p>You can download those versions from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20160509">9 May 2016 - Struts 2.5 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>XWork source was merged into Struts Core source, it means that there be no more xwork artifact nor dedicated jar</li>
<li>Spring dependency for tests and spring plugin was upgraded to version 4.1.6, see WW-4510.</li>
<li>Struts2 internal logging api was marked as deprecated and was replaced with new Log4j2 api as logging layer, see WW-4504.</li>
<li>Struts2 is now build with JDK7, see WW-4503.</li>
<li>New plugin to support bean validation is now part of the distribution, see WW-4505.</li>
<li>Deprecated plugins are now removed from the distribution and are not longer supported anymore.
<ul>
<li>Dojo Plugin</li>
<li>Codebehind Plugin</li>
<li>JSF Plugin</li>
<li>Struts1 Plugin</li>
</ul>
</li>
<li>New security option was added - Strict Method Invocation (also known as Strict DMI), see WW-4540</li>
<li>Added support for latest stable AngularJS in Maven archetype, see WW-4522</li>
<li>Dropped support for id and name - replaced with var, see WW-2069</li>
<li>Dedicated archive with a minimal set of dependencies was introduced, see WW-4570</li>
<li>It is possible to use multiple names when defining a result, see WW-4590</li>
<li>Rest plugin honors Accept header, see WW-4588</li>
<li>New result ‘JSONActionRedirectResult’ in json-plugin was defined, see WW-4591</li>
<li>Tiles plugin was upgrade to the latest Tiles 3 and tiles3-plugin was dropped, see WW-4584</li>
<li>JasperReports plugins was upgraded to JasperReport 6.0, see WW-4381</li>
<li>OGNL was upgraded to version 3.1.4 and it breaks access to properties as it follows Java Bean Specification, see WW-4207 and WW-3909</li>
<li>Annotations to configure Tiles, see WW-4594 and Tiles Plugin</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20160419">19 April 2016 - Struts 2.3.28.1 General Availability with Security Fixes Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.28.1 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release addresses two potential security vulnerabilities:</p>
<ul>
<li>
<p><a href="/docs/s2-031.html">S2-031</a>
Possible RCE vulnerability in <code class="highlighter-rouge">XSLTResult</code> was fixed.</p>
</li>
<li>
<p><a href="/docs/s2-032.html">S2-032</a>
Prevents execution of chained expressions based on new <code class="highlighter-rouge">isSequence</code> flag introduce in appropriated OGNL versions.</p>
</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20160419-1">19 April 2016 - Struts 2.3.20.3 &amp; 2.3.24.3 General Availability with Security Fixes Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.20.3 &amp; Struts 2.3.24.3 are available as a “General Availability”
releases. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>These releases address three potential security vulnerabilities:</p>
<ul>
<li>
<p><a href="/docs/s2-029.html">S2-029</a>
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</p>
</li>
<li>
<p><a href="/docs/s2-031.html">S2-031</a>
Possible RCE vulnerability in <code class="highlighter-rouge">XSLTResult</code> was fixed.</p>
</li>
<li>
<p><a href="/docs/s2-032.html">S2-032</a>
Prevents execution of chained expressions based on new <code class="highlighter-rouge">isSequence</code> flag introduce in appropriated OGNL versions.</p>
</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download these versions from our <a href="download.cgi#prior-releases">download</a> page.</p>
<h4 id="a20160318">18 March 2016 - Struts 2.3.28 General Availability with Security Fix Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.28 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release addresses three potential security vulnerabilities:</p>
<ul>
<li>
<p><a href="/docs/s2-028.html">S2-028</a>
Possible XSS vulnerability in pages not using UTF-8 was fixed.</p>
</li>
<li>
<p><a href="/docs/s2-029.html">S2-029</a>
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</p>
</li>
<li>
<p><a href="/docs/s2-030.html">S2-030</a>
I18NInterceptor narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability.</p>
</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>New Configurationprovider type was introduced - ServletContextAwareConfigurationProvider, see WW-4410</li>
<li>Setting status code in HttpHeaders isn’t ignored anymore, see WW-4545</li>
<li>Spring BeanPostProcessor(s) are called only once to constructed objects., see WW-4554</li>
<li>OGNL was upgraded to version 3.0.13, see WW-4562</li>
<li>Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568</li>
<li>A dedicated assembly with minimal set of jars was defined, see WW-4570</li>
<li>Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585</li>
<li>Improved the Struts2 Rest plugin to honor Accept header, see WW-4588</li>
<li>MessageStoreInterceptor was refactored to use PreResultListener to store messages, see WW-4605</li>
<li>A new annotation was added to support configuring Tiles - @TilesDefinition, see WW-4606</li>
</ul>
<p>and many other improvements, please check the version notes</p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<h4 id="a20160126">26 January 2016 - Struts 2.5-BETA3 (BETA)</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5-BETA3 is available as a “BETA” release.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>Dropped support for id and name - replaced with var, see WW-2069</li>
<li>Dedicated archive with a minimal set of dependencies was introduced, see WW-4570</li>
<li>It is possible to use multiple names when defining a result, see WW-4590</li>
<li>Rest plugin honors Accept header, see WW-4588</li>
<li>New result ‘JSONActionRedirectResult’ in json-plugin was defined, see WW-4591</li>
<li>Tiles plugin was upgrade to the latest Tiles 3 and tiles3-plugin was dropped, see WW-4584</li>
<li>JasperReports plugins was upgraded to JasperReport 6.0, see WW-4381</li>
<li>OGNL was upgraded to version 3.0.11 and it breaks access to properties as it follows Java Bean Specification,
see WW-4207 and WW-3909
<ul>
<li>and then OGNL was upgraded to version 3.1.1, see WW-4561</li>
<li>and then OGNL was upgraded to version 3.2.1, see WW-4577</li>
</ul>
</li>
</ul>
<p>and many other improvements, please check the version notes</p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p class="pull-right">
Skip to: <a href="announce-2015.html">Announcements - 2015</a>
</p>
<p class="pull-left">
<strong>Next:</strong>
<a href="kickstart.html">Kickstart FAQ</a>
</p>
</section>
</article>
<footer class="container">
<div class="col-md-12">
Copyright &copy; 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation </a>.
All Rights Reserved.
</div>
<div class="col-md-12">
Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
trademarks of The Apache Software Foundation.
</div>
<div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
</footer>
<script>!function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (!d.getElementById(id)) {
js = d.createElement(s);
js.id = id;
js.src = "//platform.twitter.com/widgets.js";
fjs.parentNode.insertBefore(js, fjs);
}
}(document, "script", "twitter-wjs");</script>
<script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script>
<div id="fb-root"></div>
<script>(function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);
js.id = id;
js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
</body>
</html>