| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="UTF-8"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"/> |
| <meta name="Date-Revision-yyyymmdd" content="20140918"/> |
| <meta http-equiv="Content-Language" content="en"/> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| |
| <title>Announcements 2016</title> |
| |
| <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css"> |
| <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"> |
| <link href="/css/main.css" rel="stylesheet"> |
| <link href="/css/custom.css" rel="stylesheet"> |
| <link href="/highlighter/github-theme.css" rel="stylesheet"> |
| |
| <script src="//code.jquery.com/jquery-1.11.0.min.js"></script> |
| <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script> |
| <script type="text/javascript" src="/js/community.js"></script> |
| </head> |
| <body> |
| |
| <a href="http://github.com/apache/struts" class="github-ribbon"> |
| <img style="position: absolute; right: 0; border: 0;" src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png" alt="Fork me on GitHub"> |
| </a> |
| |
| <header> |
| <nav> |
| <div role="navigation" class="navbar navbar-default navbar-fixed-top"> |
| <div class="container"> |
| <div class="navbar-header"> |
| <button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle"> |
| Menu |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a> |
| </div> |
| <div id="struts-menu" class="navbar-collapse collapse"> |
| <ul class="nav navbar-nav"> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Home<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/index.html">Welcome</a></li> |
| <li><a href="/download.cgi">Download</a></li> |
| <li><a href="/releases.html">Releases</a></li> |
| <li><a href="/announce-2021.html">Announcements</a></li> |
| <li><a href="http://www.apache.org/licenses/">License</a></li> |
| <li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li> |
| <li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Support<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/mail.html">User Mailing List</a></li> |
| <li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li> |
| <li><a href="/security.html">Reporting Security Issues</a></li> |
| <li class="divider"></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li> |
| <li class="divider"></li> |
| <li><a href="/maven/project-info.html">Maven Project Info</a></li> |
| <li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li> |
| <li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Documentation<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/birdseye.html">Birds Eye</a></li> |
| <li><a href="/primer.html">Key Technologies</a></li> |
| <li><a href="/kickstart.html">Kickstart FAQ</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li> |
| <li class="divider"></li> |
| <li><a href="/getting-started/">Getting Started</a></li> |
| <li><a href="/security/">Security Guide</a></li> |
| <li><a href="/core-developers/">Core Developers Guide</a></li> |
| <li><a href="/tag-developers/">Tag Developers Guide</a></li> |
| <li><a href="/maven-archetypes/">Maven Archetypes</a></li> |
| <li><a href="/plugins/">Plugins</a></li> |
| <li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li> |
| <li><a href="/tag-developers/tag-reference.html">Tag reference</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li> |
| <li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a data-toggle="dropdown" href="#" class="dropdown-toggle"> |
| Contributing<b class="caret"></b> |
| </a> |
| <ul class="dropdown-menu"> |
| <li><a href="/youatstruts.html">You at Struts</a></li> |
| <li><a href="/helping.html">How to Help FAQ</a></li> |
| <li><a href="/dev-mail.html">Development Lists</a></li> |
| <li><a href="/contributors/">Contributors Guide</a></li> |
| <li class="divider"></li> |
| <li><a href="/submitting-patches.html">Submitting patches</a></li> |
| <li><a href="/builds.html">Source Code and Builds</a></li> |
| <li><a href="/coding-standards.html">Coding standards</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors Guide</a></li> |
| <li class="divider"></li> |
| <li><a href="/release-guidelines.html">Release Guidelines</a></li> |
| <li><a href="/bylaws.html">PMC Charter</a></li> |
| <li><a href="/volunteers.html">Volunteers</a></li> |
| <li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li> |
| <li><a href="/updating-website.html">Updating the website</a></li> |
| </ul> |
| </li> |
| <li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </nav> |
| </header> |
| |
| |
| <article class="container"> |
| <section class="col-md-12"> |
| <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2016.md" title="Edit this page on GitHub">Edit on GitHub</a> |
| |
| <h1 id="announcements-2016">Announcements 2016</h1> |
| |
| <p class="pull-right"> |
| Skip to: <a href="announce-2015.html">Announcements - 2015</a> |
| </p> |
| |
| <h4 id="a20161219">19 December 2016 - Struts 2.5.8 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.8 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release addresses one potential security vulnerability:</p> |
| |
| <ul> |
| <li>Possible DoS attack when using URLValidator - <a href="/docs/s2-044.html">S2-044</a></li> |
| </ul> |
| |
| <p>Also this release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>Included XSL files’ URI not being resolved for actions with result <code class="highlighter-rouge">type="xslt"</code>, see WW-2561</li> |
| <li><code class="highlighter-rouge">ConcurrentModificationException</code> using <code class="highlighter-rouge">s:iterator</code> (intermittent), see WW-3019</li> |
| <li><code class="highlighter-rouge">ObjectFactory</code> reporting ERROR’s when you attempt to set parameters on a Redirect result, see WW-3170</li> |
| <li>preselect values in <code class="highlighter-rouge"><s:optgroup></code>, see WW-4367</li> |
| <li>File upload error message always in default language, see WW-4636</li> |
| <li>Can no longer clear parameter on a <code class="highlighter-rouge"><s:url></code> tag, see WW-4701</li> |
| <li>List based parameters no longer work when there is only one value, see WW-4702</li> |
| <li><code class="highlighter-rouge">NullPointerException</code> in <code class="highlighter-rouge">ActionSupport</code> when use <code class="highlighter-rouge">ModelDriven</code>, see WW-4703</li> |
| <li>Multiselect parameter behavior different between struts 2.5.5 and 2.5.1, see WW-4707</li> |
| <li>Invalid field value for field “id”, see WW-4709</li> |
| <li>Scope interceptor always resets because of <code class="highlighter-rouge">org.apache.struts2.dispatcher.HttpParameters</code>, see WW-4715</li> |
| <li><code class="highlighter-rouge">focusElement</code> form attribute not working, see WW-4718</li> |
| <li>Portlet Issue with <code class="highlighter-rouge">I18Interceptor</code>, see WW-4722</li> |
| <li>Allow <code class="highlighter-rouge"><constant/></code> value substitution in XML configuration, see WW-4698</li> |
| <li>Upgrade to latest OGNL version, see WW-4704</li> |
| <li>Add support for long type to <code class="highlighter-rouge"><s:date></code> tag, see WW-4705</li> |
| <li>Disallow access to <code class="highlighter-rouge">HttpParameters.toMap</code>, see WW-4710</li> |
| <li><code class="highlighter-rouge"><s:text/></code> tag should not evaluate <code class="highlighter-rouge">defaultMessage</code> against a <code class="highlighter-rouge">ValueStack</code> by default, see WW-4711</li> |
| <li><code class="highlighter-rouge">TextProviderHelper#getText()</code> should perform cleaning of <code class="highlighter-rouge">defaultMessage</code>, see WW-4712</li> |
| <li>Refactor file upload support to allow create virtual representation of <code class="highlighter-rouge">java.io.File</code>, see WW-4717</li> |
| <li>Move <code class="highlighter-rouge">DefaultClassFinder</code> into <code class="highlighter-rouge">Convention</code> plugin, see WW-4719</li> |
| <li><code class="highlighter-rouge">HttpParameters</code> should behave like a <code class="highlighter-rouge">Map</code>, see WW-4720</li> |
| <li>Add support for <code class="highlighter-rouge">roundingMode</code> in <code class="highlighter-rouge"><s:number/></code> tag, see WW-4721</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20161021">21 October 2016 - Struts 2.5.5 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.5 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>webconsole can always be accessed, see WW-4601</li> |
| <li>Space character and includeParams, see WW-4628</li> |
| <li>Empty <s:param name="p1" value=""></s:param> is being supressed, see WW-4631</li> |
| <li>remove ASM 3 from struts2, see WW-4646</li> |
| <li>SMI do not work with JSON plugin, see WW-4649</li> |
| <li>Concurrency issue in addDefaultResourceBundle, see WW-4652</li> |
| <li>Action parameters should be included when building the URL to action, see WW-4654</li> |
| <li>StreamResult closes outputstream early, see WW-4662</li> |
| <li>NullPointerException when displaying a form without action attribute, see WW-4663</li> |
| <li>ParametersInterceptor excludeParams only applies to first instance of params interceptor in paramsPrepareParamsStack, see WW-4667</li> |
| <li>URL validator is case sensitive, see WW-4671</li> |
| <li>Select box does not pre-select chosen values, see WW-4675</li> |
| <li>Tiles-Plugin unable to load tiles definition XML, see WW-4679</li> |
| <li>Missing brackets in checkbox.ftl of css_xhtml template, see WW-4681</li> |
| <li>Move Struts Archetypes to dedicated project, see WW-4316</li> |
| <li>Add dedicated class to represent Http Parameters, see WW-4572</li> |
| <li>ParametersInterceptor should check collection index to against DOS, see WW-4620</li> |
| <li>Move example portlet-app into struts-examples, see WW-4660</li> |
| <li>Upgrade JFreeChart plugin to the latest version of JFreeChart, see WW-4670</li> |
| <li>StrutsPrepareAndExecuteFilter should check for response commited status, see WW-4674</li> |
| <li>ConversionErrorInterceptor to extend MethodFilterInterceptor, see WW-4676</li> |
| <li>I18N Interceptor automatically validates Locale, see WW-4677</li> |
| <li>Upgrade Tiles to 3.0.7 GA version, see WW-4680</li> |
| <li>Allow directly accessing I18N keys from Tiles defintions, see WW-4685</li> |
| <li>Merge two existing I18NInterceptors into one, see WW-4686</li> |
| <li>Exclude “java.ext.dirs” when scanning for actions, see WW-4688</li> |
| <li>CycleDetector - use enum instead of String constants, see WW-4689</li> |
| <li>Upgrade Commons Collections to 4.1, see WW-4695</li> |
| <li>Upgrade to Log4j 2.7, see WW-4696</li> |
| <li>Warn about excluded action/method only when DMI is disabled, see WW-4697</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20161018">18 October 2016 - Struts 2.3.31 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.31 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release addresses two potential security vulnerabilities:</p> |
| |
| <ul> |
| <li>Possible path traversal in the Convention plugin <a href="/docs/s2-042.html">S2-042</a></li> |
| <li>Using the Config Browser plugin in production <a href="/docs/s2-043.html">S2-043</a></li> |
| </ul> |
| |
| <p>Also this release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>webconsole can always be accessed, see WW-4601</li> |
| <li>Space character and includeParams,see WW-4628</li> |
| <li>ParametersInterceptor excludeParams only applies to first instance of params interceptor in paramsPrepareParamsStack,see WW-4667</li> |
| <li>Select box does not pre-select chosen values,see WW-4675</li> |
| <li>StrutsPrepareAndExecuteFilter should check for response committed status,see WW-4674</li> |
| <li>Allow directly accessing I18N keys from Tiles definitions,see WW-4685</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p> |
| |
| <h4 id="a20160707">7 July 2016 - Struts 2.5.2 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.2 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>Struts 2.5.2 release contains several improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>SecurityMemberAccess exclude class design issue, see WW-4645</li> |
| <li>Json deserialization does not work in 2.5.1, see WW-4650</li> |
| <li>Negative number is considered an arithmetic expression, see WW-4651</li> |
| <li>Wildcard redirect and path <code class="highlighter-rouge">/static/</code>, see WW-4656</li> |
| <li>Upgrade commons-fileupload to the latest version, see WW-4648</li> |
| <li>Cleans up logic in <code class="highlighter-rouge">StreamResult</code> and update docs, see WW-4655</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20160707-2">7 July 2016 - Struts 2.3.30 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.30 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>Pre-evaluation of “name” attribute stopped working, see WW-4641</li> |
| <li>Unable to retrieve <code class="highlighter-rouge">s:hidden</code> field values, see WW-4642</li> |
| <li>SecurityMemberAccess exclude class design issue, see WW-4645</li> |
| <li>Negative number is considered an arithmetic expression, see WW-4651</li> |
| <li>Upgrade commons-fileupload to the latest version, see WW-4648</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-2330">download</a> page.</p> |
| |
| <h4 id="a20160618">18 June 2016 - Struts 2.5.1 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5.1 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release addresses one potential security vulnerability:</p> |
| |
| <ul> |
| <li><a href="/docs/s2-041.html">S2-041</a> |
| Possible DoS attack when using URLValidator</li> |
| </ul> |
| |
| <p>Also all security patches applied to version Struts 2.3.29 were also applied to this version (just in case).</p> |
| |
| <p>This release contains several improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>contentType override ignored for JSONInterceptor - see WW-4558</li> |
| <li>MessageStorePreResultListener does not store messages for 3rd-party RedirectResult subclasses - see WW-4618</li> |
| <li>EmailValidator flags .cat emails as invalid - see WW-4626</li> |
| <li>SMI cannot be disabled - see WW-4632</li> |
| <li>Centre alignment does not seem to work in Velocity tags - see WW-4634</li> |
| <li>Unable to process Jar entry (javassist-3.20.0-GA.jar) - see WW-4637</li> |
| <li>Strict Method Invocation breaks Action-Less Results - see WW-4643</li> |
| <li>When method is not allowed throw exception with meaningful message - see WW-4640</li> |
| <li>update struts2 bom - see WW-4644</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20160617">17 June 2016 - Struts 2.3.29 General Availability with Security Fixes Release</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.29 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release addresses these potential security vulnerabilities:</p> |
| |
| <ul> |
| <li> |
| <p><a href="/docs/s2-035.html">S2-035</a> |
| Action name clean up is error prone</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-036.html">S2-036</a> |
| Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, |
| may lead to remote code execution (similar to S2-029)</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-037.html">S2-037</a> |
| Remote Code Execution can be performed when using REST Plugin.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-038.html">S2-038</a> |
| It is possible to bypass token validation and perform a CSRF attack</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-039.html">S2-039</a> |
| Getter as action method leads to security bypass</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-040.html">S2-040</a> |
| Input validation bypass using existing default action method.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-041.html">S2-041</a> |
| Possible DoS attack when using URLValidator</p> |
| </li> |
| </ul> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>Json result type breaks</li> |
| <li>MessageStorePreResultListener doesn’t store messages for 3rd-party RedirectResult subclasses</li> |
| <li>Multiple tiles.xml in web.xml</li> |
| <li>New Tiles version can not find tiles*.xml files in sub-directories</li> |
| <li>EmailValidator flags .cat emails as invalid</li> |
| <li>Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80</li> |
| <li>Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+</li> |
| <li><code class="highlighter-rouge"><s:submit></code> generates a value attribute for type=image which violates W3C</li> |
| <li>ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20160601">1 June 2016 - Two security vulnerabilities reported</h4> |
| |
| <p>Two potential security vulnerabilities were reported which were already addressed in the latest Apache Struts 2 versions. |
| Those reports just added other vectors of attack.</p> |
| |
| <ul> |
| <li> |
| <p><a href="/docs/s2-033.html">S2-033</a> |
| Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-034.html">S2-034</a> |
| OGNL cache poisoning can lead to DoS vulnerability</p> |
| </li> |
| </ul> |
| |
| <p>Please read carefully the Security Bulletins and take suggested actions. The simplest way to avoid those vulnerabilities |
| in your application is to upgrade the Apache Struts to latest available version in 2.3.x series or to the Apache Struts 2.5.</p> |
| |
| <p>You can download those versions from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20160509">9 May 2016 - Struts 2.5 General Availability</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>XWork source was merged into Struts Core source, it means that there be no more xwork artifact nor dedicated jar</li> |
| <li>Spring dependency for tests and spring plugin was upgraded to version 4.1.6, see WW-4510.</li> |
| <li>Struts2 internal logging api was marked as deprecated and was replaced with new Log4j2 api as logging layer, see WW-4504.</li> |
| <li>Struts2 is now build with JDK7, see WW-4503.</li> |
| <li>New plugin to support bean validation is now part of the distribution, see WW-4505.</li> |
| <li>Deprecated plugins are now removed from the distribution and are not longer supported anymore. |
| <ul> |
| <li>Dojo Plugin</li> |
| <li>Codebehind Plugin</li> |
| <li>JSF Plugin</li> |
| <li>Struts1 Plugin</li> |
| </ul> |
| </li> |
| <li>New security option was added - Strict Method Invocation (also known as Strict DMI), see WW-4540</li> |
| <li>Added support for latest stable AngularJS in Maven archetype, see WW-4522</li> |
| <li>Dropped support for id and name - replaced with var, see WW-2069</li> |
| <li>Dedicated archive with a minimal set of dependencies was introduced, see WW-4570</li> |
| <li>It is possible to use multiple names when defining a result, see WW-4590</li> |
| <li>Rest plugin honors Accept header, see WW-4588</li> |
| <li>New result ‘JSONActionRedirectResult’ in json-plugin was defined, see WW-4591</li> |
| <li>Tiles plugin was upgrade to the latest Tiles 3 and tiles3-plugin was dropped, see WW-4584</li> |
| <li>JasperReports plugins was upgraded to JasperReport 6.0, see WW-4381</li> |
| <li>OGNL was upgraded to version 3.1.4 and it breaks access to properties as it follows Java Bean Specification, see WW-4207 and WW-3909</li> |
| <li>Annotations to configure Tiles, see WW-4594 and Tiles Plugin</li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20160419">19 April 2016 - Struts 2.3.28.1 General Availability with Security Fixes Release</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.28.1 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release addresses two potential security vulnerabilities:</p> |
| |
| <ul> |
| <li> |
| <p><a href="/docs/s2-031.html">S2-031</a> |
| Possible RCE vulnerability in <code class="highlighter-rouge">XSLTResult</code> was fixed.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-032.html">S2-032</a> |
| Prevents execution of chained expressions based on new <code class="highlighter-rouge">isSequence</code> flag introduce in appropriated OGNL versions.</p> |
| </li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> |
| |
| <h4 id="a20160419-1">19 April 2016 - Struts 2.3.20.3 & 2.3.24.3 General Availability with Security Fixes Release</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.20.3 & Struts 2.3.24.3 are available as a “General Availability” |
| releases. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>These releases address three potential security vulnerabilities:</p> |
| |
| <ul> |
| <li> |
| <p><a href="/docs/s2-029.html">S2-029</a> |
| Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-031.html">S2-031</a> |
| Possible RCE vulnerability in <code class="highlighter-rouge">XSLTResult</code> was fixed.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-032.html">S2-032</a> |
| Prevents execution of chained expressions based on new <code class="highlighter-rouge">isSequence</code> flag introduce in appropriated OGNL versions.</p> |
| </li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p>You can download these versions from our <a href="download.cgi#prior-releases">download</a> page.</p> |
| |
| <h4 id="a20160318">18 March 2016 - Struts 2.3.28 General Availability with Security Fix Release</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.3.28 is available as a “General Availability” |
| release. The GA designation is our highest quality grade.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release addresses three potential security vulnerabilities:</p> |
| |
| <ul> |
| <li> |
| <p><a href="/docs/s2-028.html">S2-028</a> |
| Possible XSS vulnerability in pages not using UTF-8 was fixed.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-029.html">S2-029</a> |
| Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</p> |
| </li> |
| <li> |
| <p><a href="/docs/s2-030.html">S2-030</a> |
| I18NInterceptor narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability.</p> |
| </li> |
| </ul> |
| |
| <p><strong>All developers are strongly advised to perform this action.</strong></p> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>New Configurationprovider type was introduced - ServletContextAwareConfigurationProvider, see WW-4410</li> |
| <li>Setting status code in HttpHeaders isn’t ignored anymore, see WW-4545</li> |
| <li>Spring BeanPostProcessor(s) are called only once to constructed objects., see WW-4554</li> |
| <li>OGNL was upgraded to version 3.0.13, see WW-4562</li> |
| <li>Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568</li> |
| <li>A dedicated assembly with minimal set of jars was defined, see WW-4570</li> |
| <li>Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585</li> |
| <li>Improved the Struts2 Rest plugin to honor Accept header, see WW-4588</li> |
| <li>MessageStoreInterceptor was refactored to use PreResultListener to store messages, see WW-4605</li> |
| <li>A new annotation was added to support configuring Tiles - @TilesDefinition, see WW-4606</li> |
| </ul> |
| |
| <p>and many other improvements, please check the version notes</p> |
| |
| <p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 6.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <h4 id="a20160126">26 January 2016 - Struts 2.5-BETA3 (BETA)</h4> |
| |
| <p>The Apache Struts group is pleased to announce that Struts 2.5-BETA3 is available as a “BETA” release.</p> |
| |
| <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. |
| The framework is designed to streamline the full development cycle, from building, to deploying, |
| to maintaining applications over time.</p> |
| |
| <p>This release contains several breaking changes and improvements just to mention few of them:</p> |
| |
| <ul> |
| <li>Dropped support for id and name - replaced with var, see WW-2069</li> |
| <li>Dedicated archive with a minimal set of dependencies was introduced, see WW-4570</li> |
| <li>It is possible to use multiple names when defining a result, see WW-4590</li> |
| <li>Rest plugin honors Accept header, see WW-4588</li> |
| <li>New result ‘JSONActionRedirectResult’ in json-plugin was defined, see WW-4591</li> |
| <li>Tiles plugin was upgrade to the latest Tiles 3 and tiles3-plugin was dropped, see WW-4584</li> |
| <li>JasperReports plugins was upgraded to JasperReport 6.0, see WW-4381</li> |
| <li>OGNL was upgraded to version 3.0.11 and it breaks access to properties as it follows Java Bean Specification, |
| see WW-4207 and WW-3909 |
| <ul> |
| <li>and then OGNL was upgraded to version 3.1.1, see WW-4561</li> |
| <li>and then OGNL was upgraded to version 3.2.1, see WW-4577</li> |
| </ul> |
| </li> |
| </ul> |
| |
| <p>and many other improvements, please check the version notes</p> |
| |
| <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: |
| Servlet API 2.4, JSP API 2.0, and Java 7.</p> |
| |
| <p>Should any issues arise with your use of any version of the Struts framework, please post your comments |
| to the user list, and, if appropriate, file a tracking ticket.</p> |
| |
| <p class="pull-right"> |
| Skip to: <a href="announce-2015.html">Announcements - 2015</a> |
| </p> |
| |
| <p class="pull-left"> |
| <strong>Next:</strong> |
| <a href="kickstart.html">Kickstart FAQ</a> |
| </p> |
| |
| </section> |
| </article> |
| |
| |
| <footer class="container"> |
| <div class="col-md-12"> |
| Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache Software Foundation </a>. |
| All Rights Reserved. |
| </div> |
| <div class="col-md-12"> |
| Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are |
| trademarks of The Apache Software Foundation. |
| </div> |
| <div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div> |
| </footer> |
| |
| <script>!function (d, s, id) { |
| var js, fjs = d.getElementsByTagName(s)[0]; |
| if (!d.getElementById(id)) { |
| js = d.createElement(s); |
| js.id = id; |
| js.src = "//platform.twitter.com/widgets.js"; |
| fjs.parentNode.insertBefore(js, fjs); |
| } |
| }(document, "script", "twitter-wjs");</script> |
| <script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script> |
| |
| <div id="fb-root"></div> |
| |
| <script>(function (d, s, id) { |
| var js, fjs = d.getElementsByTagName(s)[0]; |
| if (d.getElementById(id)) return; |
| js = d.createElement(s); |
| js.id = id; |
| js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1"; |
| fjs.parentNode.insertBefore(js, fjs); |
| }(document, 'script', 'facebook-jssdk'));</script> |
| |
| |
| </body> |
| </html> |