Google Git
Sign in
apache / struts-site / 56f3b08bc7780019c769eed45d9d80050018f567 / . / content / announce-2019.html
blob: caf8383803dd021ad221d6999c771aef2dbafa65 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<meta name="Date-Revision-yyyymmdd" content="20140918"/>
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Announcements 2019</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
<link href="/css/custom.css" rel="stylesheet">
<link href="/highlighter/github-theme.css" rel="stylesheet">
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
<script type="text/javascript" src="/js/community.js"></script>
</head>
<body>
<a href="http://github.com/apache/struts" class="github-ribbon">
<img style="position: absolute; right: 0; border: 0;" src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png" alt="Fork me on GitHub">
</a>
<header>
<nav>
<div role="navigation" class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle">
Menu
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a>
</div>
<div id="struts-menu" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Home<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/index.html">Welcome</a></li>
<li><a href="/download.cgi">Download</a></li>
<li><a href="/releases.html">Releases</a></li>
<li><a href="/announce-2021.html">Announcements</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Support<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/mail.html">User Mailing List</a></li>
<li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li>
<li><a href="/security.html">Reporting Security Issues</a></li>
<li class="divider"></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li>
<li class="divider"></li>
<li><a href="/maven/project-info.html">Maven Project Info</a></li>
<li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li>
<li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Documentation<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/birdseye.html">Birds Eye</a></li>
<li><a href="/primer.html">Key Technologies</a></li>
<li><a href="/kickstart.html">Kickstart FAQ</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
<li><a href="/security/">Security Guide</a></li>
<li><a href="/core-developers/">Core Developers Guide</a></li>
<li><a href="/tag-developers/">Tag Developers Guide</a></li>
<li><a href="/maven-archetypes/">Maven Archetypes</a></li>
<li><a href="/plugins/">Plugins</a></li>
<li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li>
<li><a href="/tag-developers/tag-reference.html">Tag reference</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
<li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Contributing<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/youatstruts.html">You at Struts</a></li>
<li><a href="/helping.html">How to Help FAQ</a></li>
<li><a href="/dev-mail.html">Development Lists</a></li>
<li><a href="/contributors/">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/submitting-patches.html">Submitting patches</a></li>
<li><a href="/builds.html">Source Code and Builds</a></li>
<li><a href="/coding-standards.html">Coding standards</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/release-guidelines.html">Release Guidelines</a></li>
<li><a href="/bylaws.html">PMC Charter</a></li>
<li><a href="/volunteers.html">Volunteers</a></li>
<li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li>
<li><a href="/updating-website.html">Updating the website</a></li>
</ul>
</li>
<li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li>
</ul>
</div>
</div>
</div>
</nav>
</header>
<article class="container">
<section class="col-md-12">
<a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2019.md" title="Edit this page on GitHub">Edit on GitHub</a>
<h1 class="no_toc" id="announcements-2019">Announcements 2019</h1>
<ul id="markdown-toc">
<li><a href="#a20191129" id="markdown-toc-a20191129">29 November 2019 - Struts 2.5.22 General Availability</a></li>
<li><a href="#a20190912" id="markdown-toc-a20190912">12 September 2019 - Struts 2.3.x reached End-Of-Life</a></li>
<li><a href="#a20190815" id="markdown-toc-a20190815">15 August 2019 - Security Advice: Announcing corrected affected version ranges in historic Apache Struts security bulletins and CVE entries</a></li>
<li><a href="#a20190114" id="markdown-toc-a20190114">14 January 2019 - Struts 2.5.20 General Availability</a></li>
<li><a href="#a20181230" id="markdown-toc-a20181230">30 December 2018 - Struts 2.3.37 General Availability</a></li>
</ul>
<p class="pull-right">
Skip to: <a href="announce-2018.html">Announcements - 2018</a>
</p>
<h4 id="a20191129">29 November 2019 - Struts 2.5.22 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.22 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<blockquote>
<p>Please be aware of new security enhancements added to the version of Struts, they are disabled by default
but please consider enabling them to increase safety of you application. You will find more details in our
<a href="security">Security Guide</a>.</p>
</blockquote>
<p>Below is a full list of all changes:</p>
<ul>
<li>File upload fails from certain clients</li>
<li>Not existing property in listValueKey throws exception</li>
<li>Can’t get OgnlValueStack log even if enable logMissingProperties</li>
<li>No more calling of a static variable in Struts 2.8.20 available</li>
<li>NullPointerException in ProxyUtil class when accessing static member</li>
<li>EmptyStackException in JSON plugin due to concurrency</li>
<li>Tiles bug when parsing file:// URLs including # as part of the URL</li>
<li>Accessing static variable via OGNL returns nothing</li>
<li>HttpParameters.Builder can wrap objects in two layers of Parameters</li>
<li>Binding Integer Array upon form submission</li>
<li>Double-submit of TokenSessionStoreInterceptor broken since 2.5.16</li>
<li>xerces tries to load resources from the internet</li>
<li>Dispatcher prints stacktraces directly to the console</li>
<li>The content allowed-methods tag of the XML configuration is sometimes truncated</li>
<li>OGNL: An illegal reflective access operation has occurred</li>
<li>java.lang.reflect.InvocationTargetException - Class: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector</li>
<li>Struts2 convention plugin lacks Java 11 support</li>
<li>Upgrade SLF4J to latest 1.7.x version</li>
<li>Minor enhancement/fix to AbstractLocalizedTextProvider</li>
<li>Provide mechanism to clear OgnlUtil caches</li>
<li>Struts 2 unit testing using StrutTestCase class</li>
<li>Upgrade Jackson library to the latest version</li>
<li>Upgrade to OGNL version 3.1.22</li>
<li>Update a few Struts 2.5.x libraries to more recent versions</li>
<li>Upgrade commons-beanutils to version 1.9.4</li>
<li>Upgrade jackson-databind to version 2.9.9.3</li>
<li>Upgrade to OGNL 3.1.26 and adapt to its new features</li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20190912">12 September 2019 - Struts 2.3.x reached End-Of-Life</h4>
<p>As announced over 6 months ago, Apache Struts 2.3.x web framework series reached its end of life and won’t be longer
officially supported. Please check the following reading to find more details:</p>
<p><a href="struts23-eol-announcement">Apache Struts 2.3.x EOL Announcement</a></p>
<h4 id="a20190815">15 August 2019 - Security Advice: Announcing corrected affected version ranges in historic Apache Struts security bulletins and CVE entries</h4>
<p>The Apache Struts Security team would like to announce that a number of historic <a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin">Struts Security Bulletins</a> and related CVE database entries contained incorrect affected release version ranges.</p>
<p>The issue was reported by Christopher Fearon and the Black Duck Research Team within the Synopsys Cybersecurity Research Center. The reporting entity conducted thorough investigations on this matter, leading to a report to the Apache Struts Security Team. The Apache Struts Security Team worked with the reporters to cross-check said issues and map them to affected Apache Struts General Availability (GA) releases.</p>
<p>This effort led to the issue of Struts Security Bulletin S2-058, referencing 15 historic Struts Security Bulletins and <a href="https://github.com/CVEProject/cvelist/pull/2423/files">respective CVE entries</a> that have been updated to reflect corrections in affected GA version ranges as well as minimum GA versions to contain appropriate fixes for the issues at hand.</p>
<p>The full Security Bulletin can be found here:</p>
<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-058">Apache Struts Security Buletin S2-058</a></p>
<p>The Struts Security Team stresses that while the reporters reference more affected issues and resulting affected version ranges, the Struts Security Bulletins only cover GA versions designated for production use. This led to less corrected Security Bulletins and CVE entries compared to the number of covered issues in the original report.</p>
<p>It is very important to understand that while the individual listed bulletins contain updated minimum fix versions, it is strongly recommended to update to the version recommended by the latest Security Bulletin, which is <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a> by the time of this announcement. Following this advice, the recommended minimum Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.</p>
<p>The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure.</p>
<h4 id="a20190114">14 January 2019 - Struts 2.5.20 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Below is a full list of all changes:</p>
<ul>
<li>s:include tag fails with truncated content in certain circumstances</li>
<li>NullPointerException in DefaultStaticContentLoader#findStaticResource</li>
<li>Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest</li>
<li>Static files like css and js files in struts-core not properly served</li>
<li>Race condition reloading config results in actions not found</li>
<li>Setting Struts2 <s:select> options Css Class</s:select></li>
<li>Enhancement for s:set tag to improve tag body whitespace control.</li>
<li>Add support for Java 11</li>
<li>Upgraded commons-fileupload to version 1.4</li>
<li>Update multiple Struts 2.5.x libraries to more recent versions</li>
<li>Update OGNL versions for 2.6 and 2.5.x builds</li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20181230">30 December 2018 - Struts 2.3.37 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.37 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>This release addresses one backward compatibility issue:</p>
<ul>
<li>Struts 2.3.36 - InvalidPathException: Illegal char <:> on JDK 9,10,11 on windows</:></li>
<li>Error when upgrading to struts2.3.35</li>
<li>Upgraded commons-fileupload to version 1.4</li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<p class="pull-right">
Skip to: <a href="announce-2018.html">Announcements - 2018</a>
</p>
<p class="pull-left">
<strong>Next:</strong>
<a href="kickstart.html">Kickstart FAQ</a>
</p>
</section>
</article>
<footer class="container">
<div class="col-md-12">
Copyright &copy; 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation </a>.
All Rights Reserved.
</div>
<div class="col-md-12">
Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
trademarks of The Apache Software Foundation.
</div>
<div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
</footer>
<script>!function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (!d.getElementById(id)) {
js = d.createElement(s);
js.id = id;
js.src = "//platform.twitter.com/widgets.js";
fjs.parentNode.insertBefore(js, fjs);
}
}(document, "script", "twitter-wjs");</script>
<script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script>
<div id="fb-root"></div>
<script>(function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);
js.id = id;
js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
</body>
</html>