The Apache Struts group is pleased to announce that Struts 2.5.14.1 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
This release contains fixes for the following potential security vulnerabilities:
Please read the Version Notes for 2.5.14.1 to find more details about performed bug fixes and improvements.
All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
The Apache Struts group is pleased to announce that Struts 2.5.14 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
Below is a full list of all changes:
Please read the Version Notes for 2.5.14 to find more details about performed bug fixes and improvements.
All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
The Apache Struts group is pleased to announce that Struts 2.3.34 is available as a “General Availability” release. The GA designation is our highest quality grade.
This release addresses two potential security vulnerabilities:
Also this version resolves the following issues:
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
All developers are strongly advised to perform this action.
The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
The Apache Struts group is pleased to announce that Struts 2.5.13 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
This release contains fixes for the following potential security vulnerabilities:
Besides the above, this release also contains several improvements, to mention just a few of them:
Please read the Version Notes to find more details about performed bug fixes and improvements.
All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
This is an update of the recently announced Security Bulletin - S2-049.
The bulletin was extended with additional information about when the potential vulnerability can be present in your application. Please re-read the mentioned bulletin and apply the required actions if needed.
Please report any problems back to the Struts Security mailing list.
The Apache Struts group is pleased to announce that Struts 2.3.33 is available as a “General Availability” release. The GA designation is our highest quality grade.
This release addresses two potential security vulnerabilities:
Also this version resolves the following issues:

- `EmailValidator` does not accept new domain suffixes
- `dojo.js` and `dojo.js.uncompressed.js`

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
All developers are strongly advised to perform this action.
The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
The Apache Struts group is pleased to announce that Struts 2.5.12 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
This release contains fixes for the following potential security vulnerabilities:
Besides the above, this release also contains several improvements, to mention just a few of them:

- `double` and `Double` are not validated with the same decimal separator
- `ognl.MethodFailedException` when you do not enter a value for a field mapped to an int
- `Double` Value Conversion with requestLocale=de
- `TextProvider` injection in `ActionSupport` isn't quite integrated into the framework's core DI
- `java.lang.ClassCastException` when Result type is chain
- `@InputConfig` annotation is not working when integrating with spring aop
- `BigDecimal` are not converted according context locale
- `NullPointerException` when displaying a form without action attribute
- `cssErrorClass` attribute has no effect on `label` tag
- `JSONValidationInterceptor` return Status Code `400 BAD_REQUEST` instead of `200 SUCCESS`
- `creditCard` validator available in Struts 1 missing in Struts 2
- `@TypeConversion` converter attribute to class
- `LocalizedTextUtil` into a bean with default implementation
- `StrutsTilesContainerFactory` when resource isn't found
- `FreemarkerResult`
- `site-graph` plugin as deprecated
- `TextProviderFactory` instead of `TextProvider` as bean's dependency
- `LocaleProviderFactory` and uses instead of `LocaleProvider`
- `DefaultDispatcherErrorHandler`
- `jakarta-stream` multipart parser more extensible
- `SecurityMethodAccess` excluded classes & packages definitions immutable
- `DefaultLocalizedTextProvider#localeFromString` static util method
- `JBossFileManager` as a possible FileManager when not on JBoss
- `@LongRangeFieldValidator` annotation to support `LongRangeFieldValidator`

Please read the Version Notes to find more details about performed bug fixes and improvements.
All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series. It is possible to perform a Remote Code Execution attack if a given construction exists in the vulnerable application. Please read the security bulletin for more details and inspect your application.
NOTE: Please notice that this vulnerability does not affect applications using the Struts 2.5.x series or applications that do not use the Struts 1 plugin. Even if the plugin is available but the certain code construction is not present, your application is safe.
The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin 1.1 and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin 1.1 are available as a “General Availability” release. The GA designation is our highest quality grade.
These releases address one critical security vulnerability:
Those plugins were released to allow users running older versions of Apache Struts to secure their applications in an easy way. You don't have to migrate to the latest version (which is still preferable), but by applying one of those plugins, your application won't be vulnerable anymore.
Please read the README for more details and supported Apache Struts versions.
All developers are strongly advised to perform this action.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download those plugins from our download page.
The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are available as a “General Availability” release. The GA designation is our highest quality grade.
These releases address one critical security vulnerability:
Those plugins were released to allow users running older versions of Apache Struts to secure their applications in an easy way. You don't have to migrate to the latest version (which is still preferable), but by applying one of those plugins, your application won't be vulnerable anymore.
It is a drop-in installation: just select the proper jar file and copy it to the `WEB-INF/lib` folder. Please read the README for more details and supported Apache Struts versions.
All developers are strongly advised to perform this action.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download those plugins from our download page.
The Apache Struts group is pleased to announce that Struts 2.5.10.1 is available as a “General Availability” release. The GA designation is our highest quality grade.
This release addresses one potential security vulnerability:
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
The Apache Struts group is pleased to announce that Struts 2.3.32 is available as a “General Availability” release. The GA designation is our highest quality grade.
This release addresses one potential security vulnerability:
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
All developers are strongly advised to perform this action.
The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.
The Apache Struts group is pleased to announce that Struts 2.5.10 is available as a “General Availability” release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
This release contains several breaking changes and improvements, to mention just a few of them:

- `MaxMultiPartUpload` limited to 2GB (Long --> Integer)
- `JSONValidationInterceptor` change static parameters names
- `ServletDispatcherResult` can't handle parameters anymore
- `TokenInterceptor` synchronized on `session.getId().intern()`
- `json` of type `org.apache.struts2.json.JSONResult`
- `I18Interceptor` ignores session or cookie Locale after first lookup failure
- `EmailValidator` does not accept new domain suffixes
- `AnnotationValidationInterceptor`: `NullPointerException` when method is null
- `struts.xml` include not loading in dependant jar files
- `AnnotationValidationInterceptor` should consult `UnknownHandler` before throwing `NoSuchMethodException`
- `ActionSupport.LOG` should be private
- `StrutsObjectFactory` and define `StrutsInterceptorFactory` instead
- `OgnlValueStack` and `OgnlValueStackFactory` More Extensible

All developers are strongly advised to perform this action.
The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.
Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our download page.