Google Git
Sign in
apache / struts-site / 3934264825d58c20e3df42bc34fbd081a7c615b5 / . / content / announce-2017.html
blob: f71b74369fbae1555036fdd4d5072a44bf325519 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<meta name="Date-Revision-yyyymmdd" content="20140918"/>
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Announcements 2017</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
<link href="/css/custom.css" rel="stylesheet">
<link href="/highlighter/github-theme.css" rel="stylesheet">
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
<script type="text/javascript" src="/js/community.js"></script>
</head>
<body>
<a href="http://github.com/apache/struts" class="github-ribbon">
<img style="position: absolute; right: 0; border: 0;" src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png" alt="Fork me on GitHub">
</a>
<header>
<nav>
<div role="navigation" class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle">
Menu
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a>
</div>
<div id="struts-menu" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Home<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/index.html">Welcome</a></li>
<li><a href="/download.cgi">Download</a></li>
<li><a href="/releases.html">Releases</a></li>
<li><a href="/announce.html">Announcements</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Support<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/mail.html">User Mailing List</a></li>
<li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li>
<li><a href="/security.html">Reporting Security Issues</a></li>
<li class="divider"></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li>
<li class="divider"></li>
<li><a href="/maven/project-info.html">Maven Project Info</a></li>
<li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li>
<li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Documentation<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/birdseye.html">Birds Eye</a></li>
<li><a href="/primer.html">Key Technologies</a></li>
<li><a href="/kickstart.html">Kickstart FAQ</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
<li><a href="/security/">Security Guide</a></li>
<li><a href="/core-developers/">Core Developers Guide</a></li>
<li><a href="/tag-developers/">Tag Developers Guide</a></li>
<li><a href="/maven-archetypes/">Maven Archetypes</a></li>
<li><a href="/plugins/">Plugins</a></li>
<li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li>
<li><a href="/tag-developers/tag-reference.html">Tag reference</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
<li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Contributing<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/youatstruts.html">You at Struts</a></li>
<li><a href="/helping.html">How to Help FAQ</a></li>
<li><a href="/dev-mail.html">Development Lists</a></li>
<li><a href="/contributors/">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/submitting-patches.html">Submitting patches</a></li>
<li><a href="/builds.html">Source Code and Builds</a></li>
<li><a href="/coding-standards.html">Coding standards</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/release-guidelines.html">Release Guidelines</a></li>
<li><a href="/bylaws.html">PMC Charter</a></li>
<li><a href="/volunteers.html">Volunteers</a></li>
<li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li>
<li><a href="/updating-website.html">Updating the website</a></li>
</ul>
</li>
<li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li>
</ul>
</div>
</div>
</div>
</nav>
</header>
<article class="container">
<section class="col-md-12">
<a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2017.md" title="Edit this page on GitHub">Edit on GitHub</a>
<h1 class="no_toc" id="announcements-2017">Announcements 2017</h1>
<ul id="markdown-toc">
<li><a href="#a20171130" id="markdown-toc-a20171130">30 November 2017 - Struts 2.5.14.1 General Availability</a></li>
<li><a href="#a20171123" id="markdown-toc-a20171123">23 November 2017 - Struts 2.5.14 General Availability</a></li>
<li><a href="#a20170907" id="markdown-toc-a20170907">07 September 2017 - Struts 2.3.34 General Availability</a></li>
<li><a href="#a20170905" id="markdown-toc-a20170905">05 September 2017 - Struts 2.5.13 General Availability</a></li>
<li><a href="#a20170809" id="markdown-toc-a20170809">09 August 2017 - S2-049 Security Bulletin update</a></li>
<li><a href="#a20170707" id="markdown-toc-a20170707">07 July 2017 - Struts 2.3.33 General Availability</a></li>
<li><a href="#a20170706" id="markdown-toc-a20170706">06 July 2017 - Struts 2.5.12 General Availability</a></li>
<li><a href="#a20170707" id="markdown-toc-a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</a></li>
<li><a href="#a20170323" id="markdown-toc-a20170323">23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1</a></li>
<li><a href="#a20170320" id="markdown-toc-a20170320">20 march 2017 - Struts Extras secure Multipart plugins General Availability</a></li>
<li><a href="#a20170307" id="markdown-toc-a20170307">7 march 2017 - Struts 2.5.10.1 General Availability</a></li>
<li><a href="#a20170307-2" id="markdown-toc-a20170307-2">7 march 2017 - Struts 2.3.32 General Availability</a></li>
<li><a href="#a20170203" id="markdown-toc-a20170203">3 February 2017 - Struts 2.5.10 General Availability</a></li>
</ul>
<p class="pull-right">
Skip to: <a href="announce-2016.html">Announcements - 2016</a>
</p>
<h4 id="a20171130">30 November 2017 - Struts 2.5.14.1 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.14.1 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains fixes for the following potential security vulnerabilities:</p>
<ul>
<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-054">S2-054</a>
A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin</li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-055">S2-055</a>
Vulnerability in the Jackson JSON library</li>
</ul>
<blockquote>
<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14.1">Version Notes</a> to find more details about performed bug fixes and improvements.</p>
</blockquote>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20171123">23 November 2017 - Struts 2.5.14 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.14 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Below is a full list of all changes:</p>
<ul>
<li>A class JSONWriter was converted into an interface with default implementation in DefaultJSONWriter class. If you were
using the class directly, you must update your code in other case it won’t compile when using Struts 2.5.14.</li>
<li>DefaultUrlHelper().buildUrl() not outputting port when used as parameter</li>
<li>Not able to convert Spring object to the JSON response</li>
<li>The if test can accidently incorrectly assign a new value to an object</li>
<li>ObjectFactory constructor signature change breaks extensions</li>
<li>Snippets in Struts documentation are missing</li>
<li>I am migrating my struts 2.2.x to 2.5.13 and where all used struts taglibs and tags UI is breaking where i have not used bootstrap there and all working fine</li>
<li>Default Multipart validation regex is invalid due to charset encoding</li>
<li>Exception starting filter struts-prepare: Unable to load configuration. - interceptor - vfs</li>
<li>createInstance method signature change of TextProviderFactory from merged xwork-core code inside struts2-core-2.5.13.jar which was present with xwork-core jar</li>
<li>Struts2.5.13 can’t run in java9 win10</li>
<li>StringConverter from OGNL 3.1.15 in Struts 2.5.13</li>
<li>Decimal converters should avoid loss of user’s data caused by rounding</li>
<li>Struts text tag doesn’t print value from Stack</li>
<li>No validations happening after upgrading to Struts 2.5.12</li>
<li>Allow to use custom JSONwriter</li>
<li>Implement Dependency Check in Maven build</li>
<li>Fallback to ActionContext if container is null in ActionSupport</li>
<li>Upgrade to the latest Jetty plugin in all examples</li>
<li>Add missing header with license to all files reported by the Rat plugin</li>
<li>Review available interceptors and document the missing ones</li>
<li>Fetch docs from new locations</li>
<li>Allow define only TextProvider instead of providing the whole TextProviderFactory</li>
<li>HTML escaping on the text tag</li>
<li>Upgrade FreeMarker to version 2.3.26-incubating</li>
<li>Upgrade to Log4j2 2.9.1</li>
<li>Upgrade com.fasterxml.jackson to version 2.8.2</li>
<li>Upgrade net.sf.json-lib to version 2.4</li>
<li>Upgrade Spring to version 4.1.9</li>
</ul>
<blockquote>
<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14">Version Notes</a> to find more details about performed bug fixes and improvements.</p>
</blockquote>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20170907">07 September 2017 - Struts 2.3.34 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.34 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>This release addresses two potential security vulnerabilities:</p>
<ul>
<li><a href="/docs/s2-050.html">S2-050</a>
A regular expression Denial of Service when using URLValidator (similar to S2-044 &amp; S2-047)</li>
<li><a href="/docs/s2-051.html">S2-051</a>
A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin</li>
<li><a href="/docs/s2-052.html">S2-052</a>
Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads</li>
<li><a href="/docs/s2-053.html">S2-053</a>
A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals</li>
</ul>
<p>Also this version resolves the following issues:</p>
<ul>
<li>Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped</li>
<li>Threads get blocked due to unnecessary synchronization in OgnlRuntime Dependency</li>
<li>Upgrade to OGNL 3.0.21</li>
<li>Upgrade to struts-master 11</li>
<li>Improve RegEx used to validate URLs</li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<h4 id="a20170905">05 September 2017 - Struts 2.5.13 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.13 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains fixes for the following potential security vulnerabilities:</p>
<ul>
<li><a href="/docs/s2-050.html">S2-050</a>
A regular expression Denial of Service when using URLValidator (similar to S2-044 &amp; S2-047)</li>
<li><a href="/docs/s2-051.html">S2-051</a>
A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin</li>
<li><a href="/docs/s2-052.html">S2-052</a>
Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads</li>
</ul>
<p>Except the above this release also contains several improvements just to mention few of them:</p>
<ul>
<li>Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped</li>
<li>NP with TextProvider and wildcardmapping</li>
<li>Threads get blocked due to unnecessary synchronization in OgnlRuntime</li>
<li>Default Multipart validation regex is invalid</li>
<li>Not fully initialized ObjectFactory tries to create beans</li>
<li>http://struts.apache.org/dtds/struts-2.5.dtd missing</li>
<li>Set a global resource bundle in class</li>
<li>Override TextProvider doesnot work in struts 2.5.12</li>
<li>Array-of-null parameters are converted to string “null”</li>
<li>JakartaStreamMultiPartRequest Should Honor “struts.multipart.maxSize”</li>
<li>Build Fails Due to Unused com.sun Import</li>
<li>Struts2.5.12 - NPE in DeligatingValidatorContext</li>
<li>Struts 2 Fails to Initialize with JRebel</li>
<li>Allow define more than one Action suffix</li>
<li>Remove jQuery from debugging interceptor views</li>
<li>update dependencies page on the struts site</li>
<li>Improve RegEx used to validate URLs</li>
<li>Make REST ContentHandlers configurable</li>
<li>expose Freemarker incompatible_improvements into FreemarkerManager and StrutsBeansWrapper</li>
<li>Upgrade Commons Collections to 3.2.2</li>
<li>Upgrade Commons IO to 2.5</li>
<li>Upgrade to ASM version 5.2</li>
<li>Upgrade to OGNL 3.1.15</li>
<li>Upgrade xstream to the latest version</li>
<li>Upgrade to struts-master 11</li>
</ul>
<blockquote>
<p>Please read the <a href="/docs/version-notes-2513.html">Version Notes</a> to find more details about performed bug fixes and improvements.</p>
</blockquote>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20170809">09 August 2017 - S2-049 Security Bulletin update</h4>
<p>This is an update of the recently announced Security Bulletin - <a href="/docs/s2-049.html">S2-049</a>.</p>
<p>The bulletin was extended with an additional information when the potential vulnerability
can be present in your application. Please re-read the mentioned bulletin and apply required
actions if needed.</p>
<p>Please report any problems back to the <a href="mailto:security@struts.apache.org">Struts Security</a> mailing list.</p>
<h4 id="a20170707">07 July 2017 - Struts 2.3.33 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.33 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>This release addresses two potential security vulnerabilities:</p>
<ul>
<li><a href="/docs/s2-049.html">S2-049</a>
A DoS attack is available for Spring secured actions</li>
<li><a href="/docs/s2-048.html">S2-048</a>
Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series</li>
</ul>
<p>Also this version resolves the following issues:</p>
<ul>
<li><code class="highlighter-rouge">EmailValidator</code> does not accept new domain suffixes</li>
<li>Revision number still missing from <code class="highlighter-rouge">dojo.js</code> and <code class="highlighter-rouge">dojo.js.uncompressed.js</code></li>
<li>Strange Behavior Parsing Action Requests</li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<h4 id="a20170706">06 July 2017 - Struts 2.5.12 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.12 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains fixes for the following potential security vulnerabilities:</p>
<ul>
<li><a href="/docs/s2-047.html">S2-047</a>
Possible DoS attack when using URLValidator</li>
<li><a href="/docs/s2-049.html">S2-049</a>
A DoS attack is available for Spring secured actions</li>
</ul>
<p>Except the above this release also contains several improvements just to mention few of them:</p>
<ul>
<li><code class="highlighter-rouge">double</code> and <code class="highlighter-rouge">Double</code> are not validated with the same decimal separator</li>
<li><code class="highlighter-rouge">ognl.MethodFailedException</code> when you do not enter a value for a field mapped to an int</li>
<li><code class="highlighter-rouge">Double</code> Value Conversion with requestLocale=de</li>
<li>The <code class="highlighter-rouge">TextProvider</code> injection in <code class="highlighter-rouge">ActionSupport</code> isn’t quite integrated into the framework’s core DI</li>
<li>Struts2 raise <code class="highlighter-rouge">java.lang.ClassCastException</code> when Result type is <code class="highlighter-rouge">chain</code></li>
<li><code class="highlighter-rouge">@InputConfig</code> annotation is not working when integrating with spring aop</li>
<li>Validators do not work for multiple values</li>
<li><code class="highlighter-rouge">BigDecimal</code> are not converted according context locale</li>
<li><code class="highlighter-rouge">NullPointerException</code> when displaying a form without action attribute</li>
<li>Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.</li>
<li><code class="highlighter-rouge">cssErrorClass</code> attribute has no effect on <code class="highlighter-rouge">label</code> tag</li>
<li>Why <code class="highlighter-rouge">JSONValidationInterceptor</code> return Status Code <code class="highlighter-rouge">400 BAD_REQUEST</code> instead of <code class="highlighter-rouge">200 SUCCESS</code></li>
<li>@autowired does not work since Struts 2.3.28.1</li>
<li>Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1</li>
<li>Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a NoSuchDefinitionException</li>
<li>Aspects are not executed when chaining AOPed actions</li>
<li>Duplicate hidden input field checkboxListHandler</li>
<li>The value of checkbox getted in server-side is “false” when no any checkbox been selected.</li>
<li>refactor file upload framework</li>
<li><code class="highlighter-rouge">creditCard</code> validator available in Struts 1 missing in Struts 2</li>
<li>No easy way to have an empty interceptor stack if have default stack</li>
<li><code class="highlighter-rouge">@TypeConversion</code> converter attribute to class</li>
<li>Convert <code class="highlighter-rouge">LocalizedTextUtil</code> into a bean with default implementation</li>
<li>NPE in <code class="highlighter-rouge">StrutsTilesContainerFactory</code> when resource isn’t found</li>
<li>Buffer/Flush behaviour in <code class="highlighter-rouge">FreemarkerResult</code></li>
<li>Struts2 should know and consider config time class of user’s Actions</li>
<li>getters of exclude-sets in OgnlUtil should return immutable collections</li>
<li>Mark <code class="highlighter-rouge">site-graph</code> plugin as deprecated</li>
<li>Use <code class="highlighter-rouge">TextProviderFactory</code> instead of <code class="highlighter-rouge">TextProvider</code> as bean’s dependency</li>
<li>Create <code class="highlighter-rouge">LocaleProviderFactory</code> and uses instead of <code class="highlighter-rouge">LocaleProvider</code></li>
<li>Improve error logging in <code class="highlighter-rouge">DefaultDispatcherErrorHandler</code></li>
<li>Make <code class="highlighter-rouge">jakarta-stream</code> multipart parser more extensible</li>
<li>Make Multipart parsers more extensible</li>
<li>Add proper validation if request is a multipart request</li>
<li>Make <code class="highlighter-rouge">SecurityMethodAccess</code> excluded classes &amp; packages definitions immutable</li>
<li>Upgrade to Log4j2 2.8.2</li>
<li>Allow disable file upload support via an configurable option</li>
<li>Stop using <code class="highlighter-rouge">DefaultLocalizedTextProvider#localeFromString</code> static util method</li>
<li>Don’t add <code class="highlighter-rouge">JBossFileManager</code> as a possible FileManager when not on JBoss</li>
<li>There is no <code class="highlighter-rouge">@LongRangeFieldValidator</code> annotation to support <code class="highlighter-rouge">LongRangeFieldValidator</code></li>
<li>Upgrade to commons-lang 3.6</li>
<li>Update commons-fileupload</li>
</ul>
<blockquote>
<p>Please read the <a href="/docs/version-notes-2512.html">Version Notes</a> to find more details about performed bug fixes and improvements.</p>
</blockquote>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</h4>
<p>A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series.
It is possible to perform a Remote Code Execution attack if given construction exists in the vulnerable
application. Please read the security bulletin for more details and inspect your application.</p>
<ul>
<li><a href="/docs/s2-048.html">S2-048</a>
Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series</li>
</ul>
<p>NOTE: Please notice that this vulnerability does not affect applications using Struts 2.5.x series
or applications that do not use the Struts 1 plugin. Even if the plugin is available but certain code
construction is not present, your application is safe.</p>
<h4 id="a20170323">23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1</h4>
<p>The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin 1.1
and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin 1.1 are available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>These releases address one critical security vulnerability:</p>
<ul>
<li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser
<a href="/docs/s2-045.html">S2-045</a>, <a href="/docs/s2-046.html">S2-046</a></li>
</ul>
<p>Those plugins were released to allow users running older versions of the Apache Struts secure their applications
in an easy way. You don’t have to migrate to the latest version (which is still preferable) but by applying one of those
plugins, your application won’t be vulnerable anymore.</p>
<p>Please read the <a href="https://github.com/apache/struts-extras">README</a> for more details and supported Apache Struts versions.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download those plugins from our <a href="download.cgi#struts-extras">download</a> page.</p>
<h4 id="a20170320">20 march 2017 - Struts Extras secure Multipart plugins General Availability</h4>
<p>The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin
and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>These releases address one critical security vulnerability:</p>
<ul>
<li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser
<a href="/docs/s2-045.html">S2-045</a>, <a href="/docs/s2-046.html">S2-046</a></li>
</ul>
<p>Those plugins were released to allow users running older versions of the Apache Struts secure their applications in easy way.
You don’t have to migrate to the latest version (which is still preferable) but by applying one of those plugins,
your application won’t be vulnerable anymore.</p>
<p>It is a drop-in installation, just select a proper jar file and copy it to <code class="highlighter-rouge">WEB-INF/lib</code> folder.
Please read the <a href="https://github.com/apache/struts-extras">README</a> for more details and supported Apache Struts versions.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download those plugins from our <a href="download.cgi#struts-extras">download</a> page.</p>
<h4 id="a20170307">7 march 2017 - Struts 2.5.10.1 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.10.1 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>This release addresses one potential security vulnerability:</p>
<ul>
<li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - <a href="/docs/s2-045.html">S2-045</a></li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20170307-2">7 march 2017 - Struts 2.3.32 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.32 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>This release addresses one potential security vulnerability:</p>
<ul>
<li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - <a href="/docs/s2-045.html">S2-045</a></li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<h4 id="a20170203">3 February 2017 - Struts 2.5.10 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.10 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>This release contains several breaking changes and improvements just to mention few of them:</p>
<ul>
<li>How to handle 404 when using wildcard instead of error 500 when the wildcard method doesn’t exist</li>
<li>MessageStoreInterceptor must handle all redirects</li>
<li><code class="highlighter-rouge">MaxMultiPartUpload</code> limited to 2GB (Long –&gt; Integer)</li>
<li><code class="highlighter-rouge">JSONValidationInterceptor</code> change static parameters names</li>
<li><code class="highlighter-rouge">ServletDispatcherResult</code> can’t handle parameters anymore</li>
<li><code class="highlighter-rouge">TokenInterceptor</code> synchronized on <code class="highlighter-rouge">session.getId().intern()</code></li>
<li>XSLT error during transformation</li>
<li>No default parameter defined for result <code class="highlighter-rouge">json</code> of type <code class="highlighter-rouge">org.apache.struts2.json.JSONResult</code></li>
<li><code class="highlighter-rouge">I18Interceptor</code> ignores session or cookie Locale after first lookup failure</li>
<li><code class="highlighter-rouge">EmailValidator</code> does not accept new domain suffixes</li>
<li><code class="highlighter-rouge">AnnotationValidationInterceptor</code> : <code class="highlighter-rouge">NullPointerException</code> when method is null</li>
<li><code class="highlighter-rouge">struts.xml</code> include not loading in dependant jar files</li>
<li><code class="highlighter-rouge">AnnotationValidationInterceptor</code> should consult <code class="highlighter-rouge">UnknownHandler</code> before throwing <code class="highlighter-rouge">NoSuchMethodException</code></li>
<li><code class="highlighter-rouge">ActionSupport.LOG</code> should be private</li>
<li>Remove <code class="highlighter-rouge">StrutsObjectFactory</code> and define <code class="highlighter-rouge">StrutsInterceptorFactory</code> instead</li>
<li>Make <code class="highlighter-rouge">OgnlValueStack</code> and <code class="highlighter-rouge">OgnlValueStackFactory</code> More Extensible</li>
<li>Make interceptor parameters dynamic</li>
<li>allow include other config files from classpath</li>
</ul>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<p class="pull-right">
Skip to: <a href="announce-2016.html">Announcements - 2016</a>
</p>
<p class="pull-left">
<strong>Next:</strong>
<a href="kickstart.html">Kickstart FAQ</a>
</p>
</section>
</article>
<footer class="container">
<div class="col-md-12">
Copyright &copy; 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation </a>.
All Rights Reserved.
</div>
<div class="col-md-12">
Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
trademarks of The Apache Software Foundation.
</div>
<div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
</footer>
<script>!function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (!d.getElementById(id)) {
js = d.createElement(s);
js.id = id;
js.src = "//platform.twitter.com/widgets.js";
fjs.parentNode.insertBefore(js, fjs);
}
}(document, "script", "twitter-wjs");</script>
<script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script>
<div id="fb-root"></div>
<script>(function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);
js.id = id;
js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
</body>
</html>