| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="UTF-8"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"/> |
| <meta name="Date-Revision-yyyymmdd" content="20140918"/> |
| <meta http-equiv="Content-Language" content="en"/> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| |
| <title>Announcements 2017</title> |
| |
| <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css"> |
| <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"> |
| <link href="/css/main.css" rel="stylesheet"> |
| <link href="/css/custom.css" rel="stylesheet"> |
| <link href="/highlighter/github-theme.css" rel="stylesheet"> |
| |
| <script src="//code.jquery.com/jquery-1.11.0.min.js"></script> |
| <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script> |
| <script type="text/javascript" src="/js/community.js"></script> |
| </head> |
| <body> |
| |
| <a href="http://github.com/apache/struts" class="github-ribbon"> |
| <img style="position: absolute; right: 0; border: 0;" src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png" alt="Fork me on GitHub"> |
| </a> |
| |
| <header> |
| <nav> |
| <div role="navigation" class="navbar navbar-default navbar-fixed-top"> |
| <div class="container"> |
| <div class="navbar-header"> |
| <button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle"> |
| Menu |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a> |
| </div> |
| <div id="struts-menu" class="navbar-collapse collapse"> |
| <ul class="nav navbar-nav"> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Home<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/index.html">Welcome</a></li> |
| <li><a href="/download.cgi">Download</a></li> |
| <li><a href="/releases.html">Releases</a></li> |
| <li><a href="/announce-2021.html">Announcements</a></li> |
| <li><a href="http://www.apache.org/licenses/">License</a></li> |
| <li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li> |
| <li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Support<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/mail.html">User Mailing List</a></li> |
| <li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li> |
| <li><a href="/security.html">Reporting Security Issues</a></li> |
| <li class="divider"></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li> |
| <li class="divider"></li> |
| <li><a href="/maven/project-info.html">Maven Project Info</a></li> |
| <li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li> |
| <li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Documentation<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/birdseye.html">Birds Eye</a></li> |
| <li><a href="/primer.html">Key Technologies</a></li> |
| <li><a href="/kickstart.html">Kickstart FAQ</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li> |
| <li class="divider"></li> |
| <li><a href="/getting-started/">Getting Started</a></li> |
| <li><a href="/security/">Security Guide</a></li> |
| <li><a href="/core-developers/">Core Developers Guide</a></li> |
| <li><a href="/tag-developers/">Tag Developers Guide</a></li> |
| <li><a href="/maven-archetypes/">Maven Archetypes</a></li> |
| <li><a href="/plugins/">Plugins</a></li> |
| <li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li> |
| <li><a href="/tag-developers/tag-reference.html">Tag reference</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li> |
| <li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Contributing<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/youatstruts.html">You at Struts</a></li> |
| <li><a href="/helping.html">How to Help FAQ</a></li> |
| <li><a href="/dev-mail.html">Development Lists</a></li> |
| <li><a href="/contributors/">Contributors Guide</a></li> |
| <li class="divider"></li> |
| <li><a href="/submitting-patches.html">Submitting patches</a></li> |
| <li><a href="/builds.html">Source Code and Builds</a></li> |
| <li><a href="/coding-standards.html">Coding standards</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors Guide</a></li> |
| <li class="divider"></li> |
| <li><a href="/release-guidelines.html">Release Guidelines</a></li> |
| <li><a href="/bylaws.html">PMC Charter</a></li> |
| <li><a href="/volunteers.html">Volunteers</a></li> |
| <li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li> |
| <li><a href="/updating-website.html">Updating the website</a></li> |
| </ul> |
| </li> |
| <li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </nav> |
| </header> |
| |
| |
| <article class="container"> |
| <section class="col-md-12"> |
| <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2017.md" title="Edit this page on GitHub">Edit on GitHub</a> |
| |
| <h1 class="no_toc" id="announcements-2017">Announcements 2017</h1> |
| |
| <ul id="markdown-toc"> |
| <li><a href="#a20171130" id="markdown-toc-a20171130">30 November 2017 - Struts 2.5.14.1 General Availability</a></li> |
| <li><a href="#a20171123" id="markdown-toc-a20171123">23 November 2017 - Struts 2.5.14 General Availability</a></li> |
| <li><a href="#a20170907" id="markdown-toc-a20170907">07 September 2017 - Struts 2.3.34 General Availability</a></li> |
| <li><a href="#a20170905" id="markdown-toc-a20170905">05 September 2017 - Struts 2.5.13 General Availability</a></li> |
| <li><a href="#a20170809" id="markdown-toc-a20170809">09 August 2017 - S2-049 Security Bulletin update</a></li> |
| <li><a href="#a20170707" id="markdown-toc-a20170707">07 July 2017 - Struts 2.3.33 General Availability</a></li> |
| <li><a href="#a20170706" id="markdown-toc-a20170706">06 July 2017 - Struts 2.5.12 General Availability</a></li> |
| <li><a href="#a20170707" id="markdown-toc-a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</a></li> |
| <li><a href="#a20170323" id="markdown-toc-a20170323">23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1</a></li> |
| <li><a href="#a20170320" id="markdown-toc-a20170320">20 march 2017 - Struts Extras secure Multipart plugins General Availability</a></li> |
| <li><a href="#a20170307" id="markdown-toc-a20170307">7 march 2017 - Struts 2.5.10.1 General Availability</a></li> |
| <li><a href="#a20170307-2" id="markdown-toc-a20170307-2">7 march 2017 - Struts 2.3.32 General Availability</a></li> |
| <li><a href="#a20170203" id="markdown-toc-a20170203">3 February 2017 - Struts 2.5.10 General Availability</a></li> |
| </ul> |
| |
| <p class="pull-right"> |
| Skip to: <a href="announce-2016.html">Announcements - 2016</a> |
| </p> |
| |
| <h4 id="a20171130">30 November 2017 - Struts 2.5.14.1 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.14.1 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains fixes for the following potential security vulnerabilities:</p> |
| |
| <ul> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-054">S2-054</a> |
| A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin</li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-055">S2-055</a> |
| Vulnerability in the Jackson JSON library</li> |
| </ul> |
| |
| <blockquote> |
| <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14.1">Version Notes</a> to find more details about performed bug fixes and improvements.</p> |
| </blockquote> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20171123">23 November 2017 - Struts 2.5.14 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.14 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>Below is a full list of all changes:</p> |
| |
| <ul> |
| <li>A class JSONWriter was converted into an interface with default implementation in DefaultJSONWriter class. If you were |
| using the class directly, you must update your code in other case it won’t compile when using Struts 2.5.14.</li> |
| <li>DefaultUrlHelper().buildUrl() not outputting port when used as parameter</li> |
| <li>Not able to convert Spring object to the JSON response</li> |
| <li>The if test can accidently incorrectly assign a new value to an object</li> |
| <li>ObjectFactory constructor signature change breaks extensions</li> |
| <li>Snippets in Struts documentation are missing</li> |
| <li>I am migrating my struts 2.2.x to 2.5.13 and where all used struts taglibs and tags UI is breaking where i have not used bootstrap there and all working fine</li> |
| <li>Default Multipart validation regex is invalid due to charset encoding</li> |
| <li>Exception starting filter struts-prepare: Unable to load configuration. - interceptor - vfs</li> |
| <li>createInstance method signature change of TextProviderFactory from merged xwork-core code inside struts2-core-2.5.13.jar which was present with xwork-core jar</li> |
| <li>Struts2.5.13 can’t run in java9 win10</li> |
| <li>StringConverter from OGNL 3.1.15 in Struts 2.5.13</li> |
| <li>Decimal converters should avoid loss of user’s data caused by rounding</li> |
| <li>Struts text tag doesn’t print value from Stack</li> |
| <li>No validations happening after upgrading to Struts 2.5.12</li> |
| <li>Allow to use custom JSONwriter</li> |
| <li>Implement Dependency Check in Maven build</li> |
| <li>Fallback to ActionContext if container is null in ActionSupport</li> |
| <li>Upgrade to the latest Jetty plugin in all examples</li> |
| <li>Add missing header with license to all files reported by the Rat plugin</li> |
| <li>Review available interceptors and document the missing ones</li> |
| <li>Fetch docs from new locations</li> |
| <li>Allow define only TextProvider instead of providing the whole TextProviderFactory</li> |
| <li>HTML escaping on the text tag</li> |
| <li>Upgrade FreeMarker to version 2.3.26-incubating</li> |
| <li>Upgrade to Log4j2 2.9.1</li> |
| <li>Upgrade com.fasterxml.jackson to version 2.8.2</li> |
| <li>Upgrade net.sf.json-lib to version 2.4</li> |
| <li>Upgrade Spring to version 4.1.9</li> |
| </ul> |
| |
| <blockquote> |
| <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14">Version Notes</a> to find more details about performed bug fixes and improvements.</p> |
| </blockquote> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20170907">07 September 2017 - Struts 2.3.34 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.34 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>This release addresses two potential security vulnerabilities:</p> |
| |
| <ul> |
| <li><a href="/docs/s2-050.html">S2-050</a> |
| A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)</li> |
| <li><a href="/docs/s2-051.html">S2-051</a> |
| A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin</li> |
| <li><a href="/docs/s2-052.html">S2-052</a> |
| Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads</li> |
| <li><a href="/docs/s2-053.html">S2-053</a> |
| A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals</li> |
| </ul> |
| |
| <p>Also this version resolves the following issues:</p> |
| |
| <ul> |
| <li>Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped</li> |
| <li>Threads get blocked due to unnecessary synchronization in OgnlRuntime Dependency</li> |
| <li>Upgrade to OGNL 3.0.21</li> |
| <li>Upgrade to struts-master 11</li> |
| <li>Improve RegEx used to validate URLs</li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> |
| |
| <h4 id="a20170905">05 September 2017 - Struts 2.5.13 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.13 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains fixes for the following potential security vulnerabilities:</p> |
| |
| <ul> |
| <li><a href="/docs/s2-050.html">S2-050</a> |
| A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)</li> |
| <li><a href="/docs/s2-051.html">S2-051</a> |
| A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin</li> |
| <li><a href="/docs/s2-052.html">S2-052</a> |
| Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads</li> |
| </ul> |
| |
| <p>Except the above this release also contains several improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped</li> |
| <li>NP with TextProvider and wildcardmapping</li> |
| <li>Threads get blocked due to unnecessary synchronization in OgnlRuntime</li> |
| <li>Default Multipart validation regex is invalid</li> |
| <li>Not fully initialized ObjectFactory tries to create beans</li> |
| <li>http://struts.apache.org/dtds/struts-2.5.dtd missing</li> |
| <li>Set a global resource bundle in class</li> |
| <li>Override TextProvider doesnot work in struts 2.5.12</li> |
| <li>Array-of-null parameters are converted to string “null”</li> |
| <li>JakartaStreamMultiPartRequest Should Honor “struts.multipart.maxSize”</li> |
| <li>Build Fails Due to Unused com.sun Import</li> |
| <li>Struts2.5.12 - NPE in DeligatingValidatorContext</li> |
| <li>Struts 2 Fails to Initialize with JRebel</li> |
| <li>Allow define more than one Action suffix</li> |
| <li>Remove jQuery from debugging interceptor views</li> |
| <li>update dependencies page on the struts site</li> |
| <li>Improve RegEx used to validate URLs</li> |
| <li>Make REST ContentHandlers configurable</li> |
| <li>expose Freemarker incompatible_improvements into FreemarkerManager and StrutsBeansWrapper</li> |
| <li>Upgrade Commons Collections to 3.2.2</li> |
| <li>Upgrade Commons IO to 2.5</li> |
| <li>Upgrade to ASM version 5.2</li> |
| <li>Upgrade to OGNL 3.1.15</li> |
| <li>Upgrade xstream to the latest version</li> |
| <li>Upgrade to struts-master 11</li> |
| </ul> |
| |
| <blockquote> |
| <p>Please read the <a href="/docs/version-notes-2513.html">Version Notes</a> to find more details about performed bug fixes and improvements.</p> |
| </blockquote> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20170809">09 August 2017 - S2-049 Security Bulletin update</h4> |
| |
| <p>This is an update of the recently announced Security Bulletin - <a href="/docs/s2-049.html">S2-049</a>.</p> |
| |
| <p>The bulletin was extended with an additional information when the potential vulnerability |
| can be present in your application. Please re-read the mentioned bulletin and apply required |
| actions if needed.</p> |
| |
| <p>Please report any problems back to the <a href="mailto:security@struts.apache.org">Struts Security</a> mailing list.</p> |
| |
| <h4 id="a20170707">07 July 2017 - Struts 2.3.33 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.33 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>This release addresses two potential security vulnerabilities:</p> |
| |
| <ul> |
| <li><a href="/docs/s2-049.html">S2-049</a> |
| A DoS attack is available for Spring secured actions</li> |
| <li><a href="/docs/s2-048.html">S2-048</a> |
| Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series</li> |
| </ul> |
| |
| <p>Also this version resolves the following issues:</p> |
| |
| <ul> |
| <li><code class="highlighter-rouge">EmailValidator</code> does not accept new domain suffixes</li> |
| <li>Revision number still missing from <code class="highlighter-rouge">dojo.js</code> and <code class="highlighter-rouge">dojo.js.uncompressed.js</code></li> |
| <li>Strange Behavior Parsing Action Requests</li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> |
| |
| <h4 id="a20170706">06 July 2017 - Struts 2.5.12 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.12 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains fixes for the following potential security vulnerabilities:</p> |
| |
| <ul> |
| <li><a href="/docs/s2-047.html">S2-047</a> |
| Possible DoS attack when using URLValidator</li> |
| <li><a href="/docs/s2-049.html">S2-049</a> |
| A DoS attack is available for Spring secured actions</li> |
| </ul> |
| |
| <p>Except the above this release also contains several improvements just to mention few of them:</p> |
| |
| <ul> |
| <li><code class="highlighter-rouge">double</code> and <code class="highlighter-rouge">Double</code> are not validated with the same decimal separator</li> |
| <li><code class="highlighter-rouge">ognl.MethodFailedException</code> when you do not enter a value for a field mapped to an int</li> |
| <li><code class="highlighter-rouge">Double</code> Value Conversion with requestLocale=de</li> |
| <li>The <code class="highlighter-rouge">TextProvider</code> injection in <code class="highlighter-rouge">ActionSupport</code> isn’t quite integrated into the framework’s core DI</li> |
| <li>Struts2 raise <code class="highlighter-rouge">java.lang.ClassCastException</code> when Result type is <code class="highlighter-rouge">chain</code></li> |
| <li><code class="highlighter-rouge">@InputConfig</code> annotation is not working when integrating with spring aop</li> |
| <li>Validators do not work for multiple values</li> |
| <li><code class="highlighter-rouge">BigDecimal</code> are not converted according context locale</li> |
| <li><code class="highlighter-rouge">NullPointerException</code> when displaying a form without action attribute</li> |
| <li>Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.</li> |
| <li><code class="highlighter-rouge">cssErrorClass</code> attribute has no effect on <code class="highlighter-rouge">label</code> tag</li> |
| <li>Why <code class="highlighter-rouge">JSONValidationInterceptor</code> return Status Code <code class="highlighter-rouge">400 BAD_REQUEST</code> instead of <code class="highlighter-rouge">200 SUCCESS</code></li> |
| <li>@autowired does not work since Struts 2.3.28.1</li> |
| <li>Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1</li> |
| <li>Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a NoSuchDefinitionException</li> |
| <li>Aspects are not executed when chaining AOPed actions</li> |
| <li>Duplicate hidden input field checkboxListHandler</li> |
| <li>The value of checkbox getted in server-side is “false” when no any checkbox been selected.</li> |
| <li>refactor file upload framework</li> |
| <li><code class="highlighter-rouge">creditCard</code> validator available in Struts 1 missing in Struts 2</li> |
| <li>No easy way to have an empty interceptor stack if have default stack</li> |
| <li><code class="highlighter-rouge">@TypeConversion</code> converter attribute to class</li> |
| <li>Convert <code class="highlighter-rouge">LocalizedTextUtil</code> into a bean with default implementation</li> |
| <li>NPE in <code class="highlighter-rouge">StrutsTilesContainerFactory</code> when resource isn’t found</li> |
| <li>Buffer/Flush behaviour in <code class="highlighter-rouge">FreemarkerResult</code></li> |
| <li>Struts2 should know and consider config time class of user’s Actions</li> |
| <li>getters of exclude-sets in OgnlUtil should return immutable collections</li> |
| <li>Mark <code class="highlighter-rouge">site-graph</code> plugin as deprecated</li> |
| <li>Use <code class="highlighter-rouge">TextProviderFactory</code> instead of <code class="highlighter-rouge">TextProvider</code> as bean’s dependency</li> |
| <li>Create <code class="highlighter-rouge">LocaleProviderFactory</code> and uses instead of <code class="highlighter-rouge">LocaleProvider</code></li> |
| <li>Improve error logging in <code class="highlighter-rouge">DefaultDispatcherErrorHandler</code></li> |
| <li>Make <code class="highlighter-rouge">jakarta-stream</code> multipart parser more extensible</li> |
| <li>Make Multipart parsers more extensible</li> |
| <li>Add proper validation if request is a multipart request</li> |
| <li>Make <code class="highlighter-rouge">SecurityMethodAccess</code> excluded classes & packages definitions immutable</li> |
| <li>Upgrade to Log4j2 2.8.2</li> |
| <li>Allow disable file upload support via an configurable option</li> |
| <li>Stop using <code class="highlighter-rouge">DefaultLocalizedTextProvider#localeFromString</code> static util method</li> |
| <li>Don’t add <code class="highlighter-rouge">JBossFileManager</code> as a possible FileManager when not on JBoss</li> |
| <li>There is no <code class="highlighter-rouge">@LongRangeFieldValidator</code> annotation to support <code class="highlighter-rouge">LongRangeFieldValidator</code></li> |
| <li>Upgrade to commons-lang 3.6</li> |
| <li>Update commons-fileupload</li> |
| </ul> |
| |
| <blockquote> |
| <p>Please read the <a href="/docs/version-notes-2512.html">Version Notes</a> to find more details about performed bug fixes and improvements.</p> |
| </blockquote> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</h4> |
| |
| <p>A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series. |
| It is possible to perform a Remote Code Execution attack if given construction exists in the vulnerable |
| application. Please read the security bulletin for more details and inspect your application.</p> |
| |
| <ul> |
| <li><a href="/docs/s2-048.html">S2-048</a> |
| Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series</li> |
| </ul> |
| |
| <p>NOTE: Please notice that this vulnerability does not affect applications using Struts 2.5.x series |
| or applications that do not use the Struts 1 plugin. Even if the plugin is available but certain code |
| construction is not present, your application is safe.</p> |
| |
| <h4 id="a20170323">23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1</h4> |
| |
| <p>The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin 1.1 |
| and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin 1.1 are available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>These releases address one critical security vulnerability:</p> |
| |
| <ul> |
| <li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser |
| <a href="/docs/s2-045.html">S2-045</a>, <a href="/docs/s2-046.html">S2-046</a></li> |
| </ul> |
| |
| <p>Those plugins were released to allow users running older versions of the Apache Struts secure their applications |
| in an easy way. You don’t have to migrate to the latest version (which is still preferable) but by applying one of those |
| plugins, your application won’t be vulnerable anymore.</p> |
| |
| <p>Please read the <a href="https://github.com/apache/struts-extras">README</a> for more details and supported Apache Struts versions.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download those plugins from our <a href="download.cgi#struts-extras">download</a> page.</p> |
| |
| <h4 id="a20170320">20 march 2017 - Struts Extras secure Multipart plugins General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin |
| and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>These releases address one critical security vulnerability:</p> |
| |
| <ul> |
| <li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser |
| <a href="/docs/s2-045.html">S2-045</a>, <a href="/docs/s2-046.html">S2-046</a></li> |
| </ul> |
| |
| <p>Those plugins were released to allow users running older versions of the Apache Struts secure their applications in easy way. |
| You don’t have to migrate to the latest version (which is still preferable) but by applying one of those plugins, |
| your application won’t be vulnerable anymore.</p> |
| |
| <p>It is a drop-in installation, just select a proper jar file and copy it to <code class="highlighter-rouge">WEB-INF/lib</code> folder. |
| Please read the <a href="https://github.com/apache/struts-extras">README</a> for more details and supported Apache Struts versions.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download those plugins from our <a href="download.cgi#struts-extras">download</a> page.</p> |
| |
| <h4 id="a20170307">7 march 2017 - Struts 2.5.10.1 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.10.1 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>This release addresses one potential security vulnerability:</p> |
| |
| <ul> |
| <li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - <a href="/docs/s2-045.html">S2-045</a></li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20170307-2">7 march 2017 - Struts 2.3.32 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.32 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>This release addresses one potential security vulnerability:</p> |
| |
| <ul> |
| <li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - <a href="/docs/s2-045.html">S2-045</a></li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> |
| |
| <h4 id="a20170203">3 February 2017 - Struts 2.5.10 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.10 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>How to handle 404 when using wildcard instead of error 500 when the wildcard method doesn’t exist</li> |
| <li>MessageStoreInterceptor must handle all redirects</li> |
| <li><code class="highlighter-rouge">MaxMultiPartUpload</code> limited to 2GB (Long –> Integer)</li> |
| <li><code class="highlighter-rouge">JSONValidationInterceptor</code> change static parameters names</li> |
| <li><code class="highlighter-rouge">ServletDispatcherResult</code> can’t handle parameters anymore</li> |
| <li><code class="highlighter-rouge">TokenInterceptor</code> synchronized on <code class="highlighter-rouge">session.getId().intern()</code></li> |
| <li>XSLT error during transformation</li> |
| <li>No default parameter defined for result <code class="highlighter-rouge">json</code> of type <code class="highlighter-rouge">org.apache.struts2.json.JSONResult</code></li> |
| <li><code class="highlighter-rouge">I18Interceptor</code> ignores session or cookie Locale after first lookup failure</li> |
| <li><code class="highlighter-rouge">EmailValidator</code> does not accept new domain suffixes</li> |
| <li><code class="highlighter-rouge">AnnotationValidationInterceptor</code> : <code class="highlighter-rouge">NullPointerException</code> when method is null</li> |
| <li><code class="highlighter-rouge">struts.xml</code> include not loading in dependant jar files</li> |
| <li><code class="highlighter-rouge">AnnotationValidationInterceptor</code> should consult <code class="highlighter-rouge">UnknownHandler</code> before throwing <code class="highlighter-rouge">NoSuchMethodException</code></li> |
| <li><code class="highlighter-rouge">ActionSupport.LOG</code> should be private</li> |
| <li>Remove <code class="highlighter-rouge">StrutsObjectFactory</code> and define <code class="highlighter-rouge">StrutsInterceptorFactory</code> instead</li> |
| <li>Make <code class="highlighter-rouge">OgnlValueStack</code> and <code class="highlighter-rouge">OgnlValueStackFactory</code> More Extensible</li> |
| <li>Make interceptor parameters dynamic</li> |
| <li>allow include other config files from classpath</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <p class="pull-right"> |
| Skip to: <a href="announce-2016.html">Announcements - 2016</a> |
| </p> |
| |
| <p class="pull-left"> |
| <strong>Next:</strong> |
| <a href="kickstart.html">Kickstart FAQ</a> |
| </p> |
| |
| </section> |
| </article> |
| |
| |
| <footer class="container"> |
| <div class="col-md-12"> |
| Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation </a>. |
| All Rights Reserved. |
| </div> |
| <div class="col-md-12"> |
| Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are |
| trademarks of The Apache Software Foundation. |
| </div> |
| <div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div> |
| </footer> |
| |
| <script>!function (d, s, id) { |
| var js, fjs = d.getElementsByTagName(s)[0]; |
| if (!d.getElementById(id)) { |
| js = d.createElement(s); |
| js.id = id; |
| js.src = "//platform.twitter.com/widgets.js"; |
| fjs.parentNode.insertBefore(js, fjs); |
| } |
| }(document, "script", "twitter-wjs");</script> |
| <script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script> |
| |
| <div id="fb-root"></div> |
| |
| <script>(function (d, s, id) { |
| var js, fjs = d.getElementsByTagName(s)[0]; |
| if (d.getElementById(id)) return; |
| js = d.createElement(s); |
| js.id = id; |
| js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1"; |
| fjs.parentNode.insertBefore(js, fjs); |
| }(document, 'script', 'facebook-jssdk'));</script> |
| |
| |
| </body> |
| </html> |