| --- |
| layout: default |
| title: Announcements 2013 |
| --- |
| |
| <h1>Announcements - 2013</h1> |
| <p class="pull-right"> |
| Skip to: <a href="announce-2012.html">Announcements - 2012</a> |
| </p> |
| |
| <h4 id="a20131208">8 December 2013 - Struts 2.3.16 General Availability Release - Maintenance Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.16 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| This release contains many important improvements and doze of other small fixes, to light just few: |
| <ul> |
| <li>Merged security fix from version 2.3.15.1, 2.3.15.2 and 2.3.15.3</li> |
| <li>Solved problem with global "error" result in the Convention Plugin</li> |
| <li>The action: and method: prefixes are be by default excluded and changed order to first check |
| excludeParams and then acceptedParams in ParametersInterceptor |
| </li> |
| <li>Restored previous behaviour where both ParametersInterceptor AND ParameterNameAware must accept |
| parameter - there is no more precedence |
| </li> |
| <li>Added proper support for multiple ActionMapper's used with PrefixBasedActionMapper</li> |
| <li>Solved problem with creating empty map entries via Ognl</li> |
| <li>... and many more, please check the Version Notes</li> |
| </ul> |
| </p> |
| <p> |
| All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.16. |
| </p> |
| <p> |
| Struts 2.3.16 is available in a full distribution or as separate library, source, example |
| and documentation distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts2316">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". |
| The <a href="http://struts.apache.org/docs/version-notes-2316.html">version notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20131015">15 October 2013 - Struts 2.3.15.3 General Availability Release - Security Fix Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.15.3 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| One security issue was solved with this release: |
| <ul> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-018.html">S2-018</a> |
| - Broken Access Control Vulnerability in Apache Struts2 |
| </li> |
| <li> |
| and proper support for action: prefix was restored. |
| </li> |
| </ul> |
| </p> |
| <p> |
| All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.3. |
| </p> |
| <p> |
| Struts 2.3.15.3 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts23153">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-23153.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130920">20 September 2013 - Struts 2.3.15.2 General Availability Release - Security Fix Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.15.2 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| Two security issues were solved with this release: |
| <ul> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-018.html">S2-018</a> |
| - Broken Access Control Vulnerability in Apache Struts2 |
| </li> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-019.html">S2-019</a> |
| - Dynamic Method Invocation disabled by default |
| </li> |
| </ul> |
| </p> |
| <p> |
| All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.2. |
| </p> |
| <p> |
| Struts 2.3.15.2 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts23152">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-23152.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130716">16 July 2013 - Struts 2.3.15.1 General Availability Release - Security Fix Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.15.1 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| Two security issues were solved with this release: |
| <ul> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-016.html">S2-016</a> |
| - Remote code execution vulnerability when using short-circuit navigation |
| parameter prefixes |
| </li> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-017.html">S2-017</a> |
| - Open redirect vulnerability when using short-circuit redirect |
| parameter prefixes |
| </li> |
| </ul> |
| </p> |
| <p> |
| All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.1. |
| </p> |
| <p> |
| Struts 2.3.15.1 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts23151">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-23151.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130622">22 June 2013 - Struts 2.3.15 General Availability Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.15 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| It's a mostly maintenance release but few important improvements were added as well: |
| <ul> |
| <li>Merged security fix from version 2.3.14.1, 2.3.14.2 and 2.3.14.3</li> |
| <li>Resolved problem with memory leak in ContainerHolder</li> |
| <li>Resolved bug related to struts.convention.action.includeJars</li> |
| <li>Improved OSGi support to allow work in Glassfish 3</li> |
| <li>Added support to create cookies from whitin an action</li> |
| <li>New interface - ValidationAware - was added to allow notify actions when there are action/field |
| errors |
| </li> |
| <li>and other small improvments</li> |
| </ul> |
| Please check the Version Notes to see more details. |
| </p> |
| <p> |
| All developers are recommended to update existing Struts 2 applications to Struts 2.3.15. |
| </p> |
| <p> |
| Struts 2.3.15 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts2315">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-2315.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130603">3 June 2013 - Struts 2.3.14.3 General Availability Release - Security Fix Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.14.3 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| A highly critical security vulnerability was resolved in this release: |
| <ul> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-015.html">S2-015</a> |
| - A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote |
| command execution |
| </li> |
| </ul> |
| </p> |
| <p> |
| <strong>All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.3 |
| immediately.</strong> |
| </p> |
| <p> |
| Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts23143">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-23143.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130526">26 May 2013 - Struts 2.3.14.2 General Availability Release - Security Fix Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.14.2 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| A highly critical security vulnerability was resolved in this release: |
| <ul> |
| <li> |
| <a href="http://struts.apache.org/docs/s2-014.html">S2-014</a> - A vulnerability introduced by forcing |
| parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and |
| XSS attacks |
| </li> |
| </ul> |
| </p> |
| <p> |
| <strong>All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.2 |
| immediately.</strong> |
| </p> |
| <p> |
| Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts23142">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-23142.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130522">22 May 2013 - Struts 2.3.14.1 General Availability Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.14.1 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| Two security issues were solved with this release: |
| <ul> |
| <li> |
| Showcase app vulnerability allows remote command execution |
| </li> |
| <li> |
| A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution |
| </li> |
| </ul> |
| </p> |
| <p> |
| All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.1. |
| </p> |
| <p> |
| Struts 2.3.14.1 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts23141">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-23141.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130411">11 April 2013 - Struts 2.3.14 General Availability Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.14 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| It's a mostly maintenance release but few important improvements were added as well: |
| <ul> |
| <li>All the annotations related to validators were updated to match the implementing classes</li> |
| <li>The JUnit plugin supports now the Convention plugin configuration (check StrutsJUnit4ConventionTestCaseTest)</li> |
| <li>Logging support was improved and extended to allow use user custom implementation of LoggingFactory</li> |
| </ul> |
| Please check the Version Notes to see more details. |
| </p> |
| <p> |
| All developers are recommended to update existing Struts 2 applications to Struts 2.3.14. |
| </p> |
| <p> |
| Struts 2.3.14 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts2314">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-2314.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <h4 id="a20130405">5 April 2013 - Apache Struts 1 End-Of-Life (EOL) Announcement</h4> |
| <p> |
| The Apache Struts Project Team would like to inform you that the Struts 1.x web framework has |
| reached its end of life and is no longer officially supported. |
| </p> |
| <p> |
| Please check the following readings to find more details. |
| <ul> |
| <li><a href="struts1eol-announcement.html">Apache Struts 1 EOL Announcement</a>, including a detailed Q/A section</li> |
| <li><a href="struts1eol-press.html">Apache Struts 1 EOL Press Release</a></li> |
| </ul> |
| </p> |
| |
| <h4 id="a20130306">6 March 2013 - Struts 2.3.12 General Availability Release</h4> |
| <p> |
| The Apache Struts group is pleased to announce that Struts 2.3.12 is |
| available as a "General Availability" release. The GA designation is our |
| highest quality grade. |
| </p> |
| <p> |
| Apache Struts 2 is an elegant, extensible framework for creating |
| enterprise-ready Java web applications. The framework is designed to |
| streamline the full development cycle, from building, to deploying, to |
| maintaining applications over time. |
| </p> |
| <p> |
| It's a mostly maintenance release but few important improvements were added as well: |
| <ul> |
| <li>All validators were refactored and right now parameters can be set via OGNL also parameter parse was removed</li> |
| <li>Tag's required attribute was renamed to requiredLabel to allow support of Html5 required attribute in the tags |
| </li> |
| <li>New Tiles 3 plugin was added to support Tiles 3 result type</li> |
| <li>Support for JBoss 5 to work with the Convention Plugin was improved</li> |
| </ul> |
| Please check the Version Notes to see more details. |
| </p> |
| <p> |
| All developers are recommended to update existing Struts 2 applications to Struts 2.3.12. |
| </p> |
| <p> |
| Struts 2.3.12 is available in a full distribution or as separate library, source, example and documentation |
| distributions, from the |
| <a href="http://struts.apache.org/download.cgi#struts2312">releases page</a>. |
| The release is also available through the central Maven repository under Group ID "org.apache.struts". The |
| <a href="http://struts.apache.org/docs/version-notes-2312.html">release notes</a> |
| are available online. |
| </p> |
| <p> |
| The 2.3.x series of the Apache Struts framework has a minimum |
| requirement of the following specification versions: Servlet API 2.4, |
| JSP API 2.0, and Java 5. |
| </p> |
| <p> |
| Should any issues arise with your use of any version of the Struts |
| framework, please post your comments to the user list, and, if |
| appropriate, file a tracking ticket. |
| </p> |
| |
| <p class="pull-right"> |
| Skip to: <a href="announce-2012.html">Announcements - 2012</a> |
| </p> |
| |
| <p class="pull-left"> |
| <strong>Next:</strong> |
| <a href="kickstart.html">Kickstart FAQ</a> |
| </p> |