| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="UTF-8"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"/> |
| <meta name="Date-Revision-yyyymmdd" content="20140918"/> |
| <meta http-equiv="Content-Language" content="en"/> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| |
| <title>Announcements 2018</title> |
| |
| <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css"> |
| <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"> |
| <link href="/css/main.css" rel="stylesheet"> |
| <link href="/css/custom.css" rel="stylesheet"> |
| <link href="/highlighter/github-theme.css" rel="stylesheet"> |
| |
| <script src="//code.jquery.com/jquery-1.11.0.min.js"></script> |
| <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script> |
| <script type="text/javascript" src="/js/community.js"></script> |
| </head> |
| <body> |
| |
| |
| <article class="container"> |
| <section class="col-md-12"> |
| <h1 class="no_toc" id="announcements-2018">Announcements 2018</h1> |
| |
| <ul id="markdown-toc"> |
| <li><a href="#a20181114" id="markdown-toc-a20181114">14 November 2018 - Apache Struts 2.3.x End-Of-Life (EOL) Announcement</a></li> |
| <li><a href="#a20181015-2" id="markdown-toc-a20181015-2">15 October 2018 - Struts 2.3.36 General Availability</a></li> |
| <li><a href="#a20181015-1" id="markdown-toc-a20181015-1">15 October 2018 - Struts 2.5.18 General Availability</a></li> |
| <li><a href="#a20180822-0" id="markdown-toc-a20180822-0">22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</a></li> |
| <li><a href="#a20180822-1" id="markdown-toc-a20180822-1">22 August 2018 - Struts 2.5.17 General Availability</a></li> |
| <li><a href="#a20180822-2" id="markdown-toc-a20180822-2">22 August 2018 - Struts 2.3.35 General Availability</a></li> |
| <li><a href="#a20180327" id="markdown-toc-a20180327">27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</a></li> |
| <li><a href="#a20180323" id="markdown-toc-a20180323">23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3</a></li> |
| <li><a href="#a20180316" id="markdown-toc-a20180316">16 March 2018 - Struts 2.5.16 General Availability</a></li> |
| </ul> |
| |
| <p class="pull-right"> |
| Skip to: <a href="announce-2017.html">Announcements - 2017</a> |
| </p> |
| |
| <h4 id="a20181114">14 November 2018 - Apache Struts 2.3.x End-Of-Life (EOL) Announcement</h4> |
| |
| <p>The Apache Struts Project Team would like to inform you that the Struts 2.3.x web framework will reach |
| its end of life in 6 months and will no longer be officially supported.</p> |
| |
| <p>Please see the following for more details.</p> |
| |
| <ul> |
| <li><a href="struts23-eol-announcement">Apache Struts 2.3.x EOL Announcement</a>, including a detailed Q/A section</li> |
| </ul> |
| |
| <h4 id="a20181015-2">15 October 2018 - Struts 2.3.36 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.36 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>This release addresses one backward compatibility issue:</p> |
| |
| <ul> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.36">xml-validation fails since struts 2.5.17</a></li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> |
| |
| <h4 id="a20181015-1">15 October 2018 - Struts 2.5.18 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.18 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>Below is a full list of all changes:</p> |
| |
| <ul> |
| <li><code class="highlighter-rouge">jar_cache</code>: some <code class="highlighter-rouge">jar_cache******.tmp</code> files are generated into a temporary directory (/tmp) during web service start</li> |
| <li>Struts 2.5.16 is creating jar_cache files in temp folder</li> |
| <li>MD5 and SHA1 should no longer be provided on download pages</li> |
| <li>xml-validation fails since struts 2.5.17</li> |
| </ul> |
| |
| <p>Internal Changes:</p> |
| |
| <ul> |
| <li>XWorkList was moved into a com.opensymphony.xwork2.conversion.impl package as com.opensymphony.xwork2.util package is excluded |
| by the Internal Security Mechanism.</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20180822-0">22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</h4> |
| |
| <p>CVEID: CVE-2018-11776</p> |
| |
| <p>PRODUCT: Apache Struts</p> |
| |
| <p>VERSION: Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</p> |
| |
| <p>PROBLEMTYPE: Remote Code Execution</p> |
| |
| <p>REFERENCES: <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></p> |
| |
| <p>DESCRIPTION: Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and |
| 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace while, at the same time, their |
| upper action(s) have no or wildcard namespace. The same possibility exists when using a url tag which doesn’t have value and action |
| set while, at the same time, its upper action(s) have no or wildcard namespace.</p> |
| |
| <h4 id="a20180822-1">22 August 2018 - Struts 2.5.17 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:</p> |
| |
| <ul> |
| <li>Possible Remote Code Execution when using results with no namespace while, at the same time, their upper action(s) have no or |
| wildcard namespace. The same possibility exists when using a url tag which doesn’t have value and action set. - <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20180822-2">22 August 2018 - Struts 2.3.35 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:</p> |
| |
| <ul> |
| <li>Possible Remote Code Execution when using results with no namespace while, at the same time, their upper action(s) have no or |
| wildcard namespace. The same possibility exists when using a url tag which doesn’t have value and action set. - <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></li> |
| </ul> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> |
| |
| <h4 id="a20180327">27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</h4> |
| |
| <p>The Apache Security Struts Team recommends that you immediately upgrade your Struts 2 based projects to the latest released |
| version of Apache Struts. This is necessary to prevent your publicly accessible web site, which is using the Struts |
| REST plugin and performing XML serialisation, from being exposed to a possible DoS attack.</p> |
| |
| <p>You can find more details in Security Bulletin <a href="https://cwiki.apache.org/confluence/display/WW/S2-056">S2-056</a>.</p> |
| |
| <p>All developers are strongly advised to perform this action.</p> |
| |
| <h4 id="a20180323">23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3</h4> |
| |
| <p>The Apache Struts Team recommends that you immediately upgrade your Struts 2 |
| based projects to use the latest released version of the Commons |
| FileUpload library, which is currently 1.3.3. This is necessary to |
| prevent your publicly accessible web site from being exposed to |
| possible Remote Code Execution attacks (see [1] [2]).</p> |
| |
| <p>This affects any Struts version prior to <strong>2.5.12</strong> [3].</p> |
| |
| <p>Your project is affected if it uses the built-in file upload mechanism |
| of Struts 2, which defaults to the use of commons-fileupload. The |
| updated commons-fileupload library is a drop-in replacement for the |
| vulnerable version. Deployed applications can be hardened by replacing |
| the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For |
| Maven based Struts 2 projects, the following dependency needs to be |
| added:</p> |
| |
| <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;dependency&gt;</span> |
|   <span class="nt">&lt;groupId&gt;</span>commons-fileupload<span class="nt">&lt;/groupId&gt;</span> |
|   <span class="nt">&lt;artifactId&gt;</span>commons-fileupload<span class="nt">&lt;/artifactId&gt;</span> |
|   <span class="nt">&lt;version&gt;</span>1.3.3<span class="nt">&lt;/version&gt;</span> |
| <span class="nt">&lt;/dependency&gt;</span> |
| </code></pre></div></div> |
| |
| <p>More details can be found here:</p> |
| |
| <ol> |
| <li><a href="https://issues.apache.org/jira/browse/FILEUPLOAD-279">https://issues.apache.org/jira/browse/FILEUPLOAD-279</a></li> |
| <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000031">https://nvd.nist.gov/vuln/detail/CVE-2016-1000031</a></li> |
| <li><a href="https://issues.apache.org/jira/browse/WW-4812">https://issues.apache.org/jira/browse/WW-4812</a></li> |
| </ol> |
| |
| <p>All developers are strongly advised to perform this action.</p> |
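
<p>An added example, not part of the original announcement or of the Struts project's code: a Python inventory check that applies the version ranges stated on this page (CVE-2018-11776 for Struts 2.3 to 2.3.34 and 2.5 to 2.5.16, and commons-fileupload older than 1.3.3) to the jar files in a deployed application's WEB-INF/lib. The function names, the rule table layout and the sample file list are assumptions made for illustration.</p>

```python
"""Flag jars in WEB-INF/lib that fall in the ranges named in the 2018 Struts announcements."""
import re
from pathlib import Path

# artifact -> list of (first affected, first fixed, advisory, fixed-version text).
# Ranges and fixed versions are the ones stated on this page; the table layout
# itself is an assumption of this example.
RULES = {
    "struts2-core": [
        ((2, 3), (2, 3, 35), "CVE-2018-11776 (S2-057)", "2.3.35"),
        ((2, 5), (2, 5, 17), "CVE-2018-11776 (S2-057)", "2.5.17"),
    ],
    "commons-fileupload": [
        ((0,), (1, 3, 3), "CVE-2016-1000031", "1.3.3"),
    ],
}

# artifact-1.2.3.jar, artifact-1.2.3-SNAPSHOT.jar, artifact-1.2.3.RELEASE.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$"
)


def parse_jar(filename):
    """Split a jar file name into (artifact, version tuple); None if it has no version."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m["artifact"], tuple(int(p) for p in m["version"].split("."))


def audit_jars(filenames):
    """Return (jar, advisory, upgrade_to) for every jar inside an affected range."""
    findings = []
    for name in sorted(filenames):
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        for first_affected, first_fixed, advisory, fixed in RULES.get(artifact, []):
            # Tuple comparison: (2, 5, 14, 1) sorts between (2, 5) and (2, 5, 17).
            if first_affected <= version < first_fixed:
                findings.append((name, advisory, fixed))
    return findings


def audit_webapp(webapp_root):
    """Audit the jars of an exploded web application directory."""
    lib = Path(webapp_root) / "WEB-INF" / "lib"
    return audit_jars(p.name for p in lib.glob("*.jar"))


# Constructed sample: the lib directory listing of a hypothetical deployment.
SAMPLE_LIB = [
    "struts2-core-2.3.34.jar",
    "struts2-json-plugin-2.3.34.jar",
    "commons-fileupload-1.3.2.jar",
    "commons-io-2.2.jar",
    "ognl-3.0.21.jar",
]

if __name__ == "__main__":
    for jar, advisory, fixed in audit_jars(SAMPLE_LIB):
        print(f"{jar}: affected by {advisory}, upgrade to {fixed} or later")
```

<p>Only jars whose file name carries a version are checked; a jar that was renamed, or a library shaded into another archive, needs a look at its manifest or Maven metadata instead.</p>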
| |
| <h4 id="a20180316">16 March 2018 - Struts 2.5.16 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>Below is a full list of all changes:</p> |
| |
| <ul> |
| <li>unclosed instantiation of PrintWriter</li> |
| <li>Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.</li> |
| <li>NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper</li> |
| <li>NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait |
| interceptor</li> |
| <li>ClassCastException in JarEntryRevision</li> |
| <li>Dependency Mapping Exception When Using PrefixBasedActionProxyFactory</li> |
| <li>The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this |
| method is removed in a future release, it will no longer be possible to specify a converter by the name (id) of a Spring bean.</li> |
| <li>Conversion by annotation does not work</li> |
| <li>List of Boolean is not populated in Action class</li> |
| <li>JSONResult exception in struts2-json-plugin-2.5.14.1.jar</li> |
| <li>buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml</li> |
| <li>Could not create JarEntryRevision for [zip:C:/…. unknown protocol c</li> |
| <li>NPE in I18nInterceptor$SessionLocaleHandler.read</li> |
| <li>JasperReportResult: NPE When Not Using SQL Connection</li> |
| <li>support JSR 303 Validation Groups in BeanValidation-Plugin</li> |
| <li>Debug tag should not display anything when not in dev mode</li> |
| <li>Allow using of Initializable interface on an implementation level</li> |
| <li>Allowed methods inheritance</li> |
| <li>Allow use Jackson XML bindings to serialise / deserialise XML</li> |
| <li>when using a custom array as a field in a Struts 2 action form, textfield data from the JSP page is not populated into |
| the custom array but is populated into a String array or array list</li> |
| <li>Upgrade Spring to version 4.3.13</li> |
| <li>Update Log4j2 to 2.10.0</li> |
| </ul> |
| |
| <blockquote> |
| <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16">Version Notes</a> to find more details about performed bug fixes and improvements.</p> |
| </blockquote> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| </section> |
| </article> |
| |
| |
| <footer class="container"> |
| <div class="col-md-12"> |
| Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation</a>. |
| All Rights Reserved. |
| </div> |
| <div class="col-md-12"> |
| Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are |
| trademarks of The Apache Software Foundation. |
| </div> |
| <div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div> |
| </footer> |
| |
| </body> |
| </html> |