<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<meta name="Date-Revision-yyyymmdd" content="20140918"/>
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Announcements 2014</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
<link href="/css/custom.css" rel="stylesheet">
<link href="/highlighter/github-theme.css" rel="stylesheet">
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
<script type="text/javascript" src="/js/community.js"></script>
</head>
<body>
<article class="container">
<section class="col-md-12">
<h1 id="announcements-2014">Announcements 2014</h1>
<p class="pull-right">
Skip to: <a href="announce-2013.html">Announcements - 2013</a>
</p>
<h4 id="a20141207">7 December 2014 - Struts 2.3.20 General Availability with Security Fix Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.20 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>One medium security issue was solved with this release:</p>
<ul>
<li><a href="http://struts.apache.org/docs/s2-023.html">S2-023</a>
Generated value of token can be predictable</li>
</ul>
<p>Besides that, this release contains several fixes and improvements; to mention just a few of them:</p>
<ul>
<li>merged security fixes from versions 2.3.16.1, 2.3.16.2 and 2.3.16.3</li>
<li>extended the existing security mechanism to block access to given Java packages and classes</li>
<li>collection parameters for <code class="highlighter-rouge">RedirectResult</code></li>
<li><code class="highlighter-rouge">ParametersInterceptor</code> supports Chinese characters in hash keys by default</li>
<li><code class="highlighter-rouge">themes.properties</code> can be loaded using <code class="highlighter-rouge">ServletContext</code>, which allows the template folder to be placed under WEB-INF or on the classpath</li>
<li>new tag <code class="highlighter-rouge">datetextfield</code></li>
<li>only valid OGNL expressions are cached</li>
<li>a custom <code class="highlighter-rouge">TextProvider</code> can be used for validation errors of model-driven actions</li>
<li><code class="highlighter-rouge">datetimepicker</code>’s label fixed</li>
<li><code class="highlighter-rouge">PropertiesJudge</code> removed; properties are now checked in <code class="highlighter-rouge">SecurityMemberAccess</code></li>
<li>resource reloading works in the IBM JVM</li>
<li>default reloading settings were removed from default.properties</li>
<li><code class="highlighter-rouge">commons-fileupload</code> library upgraded to version 1.3.1 to fix a potential security vulnerability</li>
<li>the scheme attribute accepts expressions in the <code class="highlighter-rouge">s:url</code> tag</li>
<li>fixed an infinite loop in <code class="highlighter-rouge">FastByteArrayOutputStream</code></li>
<li><code class="highlighter-rouge">LocalizedTextUtil</code> supports multiple ClassLoaders</li>
<li>Bill of Materials pom was introduced</li>
<li><code class="highlighter-rouge">debug=browser|console</code> was migrated to jQuery</li>
<li><code class="highlighter-rouge">struts_dojo.js</code> was fixed</li>
<li>interface <code class="highlighter-rouge">org/apache/struts2/views/TagLibrary</code> was restored and marked as <code class="highlighter-rouge">@Deprecated</code></li>
</ul>
<p>and many other small improvements; please read the <a href="http://struts.apache.org/docs/version-notes-2320.html">version notes</a> carefully.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 5.</p>
<p>Should any issues arise with your use of any version of the Struts framework,
please post your comments to the user list, and, if appropriate, file a tracking ticket.</p>
<h4 id="a20140503">3 May 2014 - Struts 2.3.16.3 General Availability Release - Security Fix Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>One medium security issue was solved with this release:</p>
<ul>
<li><a href="http://struts.apache.org/docs/s2-022.html">S2-022</a>
Extends excluded params in CookieInterceptor to avoid manipulation of Struts’ internals</li>
</ul>
<p>All developers are strongly advised to perform this action.</p>
<h4 id="a20140424">24 April 2014 - Struts 2.3.16.2 General Availability Release - Security Fix Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.16.2 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Two security issues were solved with this release:</p>
<ul>
<li><a href="http://struts.apache.org/docs/s2-021.html">S2-021</a>
Improves excluded params to avoid ClassLoader manipulation via ParametersInterceptor</li>
<li><a href="http://struts.apache.org/docs/s2-021.html">S2-021</a>
Adds excluded params to CookieInterceptor to avoid ClassLoader manipulation when the interceptor is configured
to accept all cookie names (wildcard matching via “*”)</li>
</ul>
<p>All developers are strongly advised to perform this action.</p>
<h4 id="a20140424">24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation</h4>
<p>In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately,
the correction wasn’t sufficient.</p>
<p>A security fix release fully addressing this issue is in preparation and will be released as soon as possible.</p>
<p>Once the release is available, all Struts 2 users are strongly recommended to update their installations.</p>
<p><strong>Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation:</strong></p>
<p>In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern
found at the beginning of the excludeParams list:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;interceptor-ref name="params"&gt;
&lt;param name="excludeParams"&gt;(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*&lt;/param&gt;
&lt;/interceptor-ref&gt;
</code></pre></div></div>
<p>If you are using the default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized, secured configuration
as in the following example. Assuming you have been using defaultStack so far, change your packages from</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;package name="default" namespace="/" extends="struts-default"&gt;
&lt;default-interceptor-ref name="defaultStack" /&gt;
...
...
&lt;/package&gt;
</code></pre></div></div>
<p>to</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;package name="default" namespace="/" extends="struts-default"&gt;
&lt;interceptors&gt;
&lt;interceptor-stack name="secureDefaultStack"&gt;
&lt;interceptor-ref name="defaultStack"&gt;
&lt;param name="params.excludeParams"&gt;(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*&lt;/param&gt;
&lt;/interceptor-ref&gt;
&lt;/interceptor-stack&gt;
&lt;/interceptors&gt;
&lt;default-interceptor-ref name="secureDefaultStack" /&gt;
...
&lt;/package&gt;
</code></pre></div></div>
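<p>As an added check that is not part of the original announcement: the Python snippet below takes the excludeParams value from the mitigation above and applies each comma-separated pattern the way ParametersInterceptor does (a whole-name match per regex), so you can review which parameter names the mitigation blocks and which it still lets through. The parameter names tested are constructed samples.</p>

```python
import re

# The excludeParams value from the mitigation above, copied verbatim. Struts
# splits it on commas and compiles each entry as a separate Java regex.
EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,"""
    r"""^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"""
)

# ParametersInterceptor tests each pattern with Matcher.matches(), i.e. the
# whole parameter name must match; re.fullmatch is the Python equivalent.
EXCLUDE_PATTERNS = [re.compile(p) for p in EXCLUDE_PARAMS.split(",")]


def is_excluded(param_name: str) -> bool:
    """True if the interceptor would refuse to set this request parameter."""
    return any(p.fullmatch(param_name) for p in EXCLUDE_PATTERNS)


def classify(param_names):
    """Map each parameter name to 'blocked' or 'allowed' for a config review."""
    return {n: ("blocked" if is_excluded(n) else "allowed") for n in param_names}


if __name__ == "__main__":
    # Constructed sample names: the first three carry the "class" segment the
    # class-pattern is meant to stop (dotted, nested and bracket notation);
    # the rest are ordinary form fields. Note that any name containing
    # "class." is caught, so a legitimate field such as "subclass.name" is
    # blocked as well: review your own parameter names before deploying.
    for name, verdict in classify([
        "class.classLoader.resources", "user.class.classLoader",
        "foo['class'].bar", "dojo.theme", "username", "classic",
        "subclass.name",
    ]).items():
        print(f"{verdict:8} {name}")
```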
<p>Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours.
Please prepare for upgrading all Struts 2 based production systems to the new release version once available.</p>
<h4 id="a20140302">2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.16.1 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Two security issues were solved with this release:</p>
<ul>
<li><a href="http://struts.apache.org/docs/s2-020.html">S2-020</a> ClassLoader manipulation
via request parameters</li>
<li><a href="http://struts.apache.org/docs/s2-020.html">S2-020</a> Commons FileUpload library was upgraded
to version 1.3.1 to prevent DoS attacks</li>
</ul>
<p>All developers are strongly advised to perform this action.</p>
<h4 id="a20140221">21 February 2014 - Immediately upgrade commons-fileupload to version 1.3.1</h4>
<p>The Apache Struts Team recommends immediately upgrading your Struts 2
based projects to the latest released version of the Commons
FileUpload library, which is currently 1.3.1. This is necessary to
prevent your publicly accessible web site from being exposed to
possible DoS attacks (see [1] [2]).</p>
<p>Your project is affected if it uses the built-in file upload mechanism
of Struts 2, which defaults to the use of commons-fileupload. The
updated commons-fileupload library is a drop-in replacement for the
vulnerable version. Deployed applications can be hardened by replacing
the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
Maven based Struts 2 projects, the following dependency needs to be
added:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;dependency&gt;
&lt;groupId&gt;commons-fileupload&lt;/groupId&gt;
&lt;artifactId&gt;commons-fileupload&lt;/artifactId&gt;
&lt;version&gt;1.3.1&lt;/version&gt;
&lt;/dependency&gt;
</code></pre></div></div>
<p>More details can be found here:</p>
<ol>
<li><a href="http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1">
http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1</a></li>
<li><a href="http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E">
http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E</a></li>
</ol>
<p>All developers are strongly advised to perform this action.</p>
</section>
</article>
<footer class="container">
<div class="col-md-12">
Copyright &copy; 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation </a>.
All Rights Reserved.
</div>
<div class="col-md-12">
Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
trademarks of The Apache Software Foundation.
</div>
<div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
</footer>
</body>
</html>