blob: 4dd5c4477bb539a5cbda5f7d1eb43ab0dcbc33d9 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<meta name="Date-Revision-yyyymmdd" content="20140918"/>
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Announcements 2018</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
<link href="/css/custom.css" rel="stylesheet">
<link href="/css/syntax.css" rel="stylesheet">
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
<script type="text/javascript" src="/js/community.js"></script>
<!-- Matomo -->
<script>
var _paq = window._paq = window._paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
/* We explicitly disable cookie tracking to avoid privacy issues */
_paq.push(['disableCookies']);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//analytics.apache.org/";
_paq.push(['setTrackerUrl', u+'matomo.php']);
_paq.push(['setSiteId', '41']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<!-- End Matomo Code -->
</head>
<body>
<a href="https://github.com/apache/struts" class="github-ribbon">
<img decoding="async" loading="lazy" style="position: absolute; right: 0; border: 0;" width="149" height="149" src="https://github.blog/wp-content/uploads/2008/12/forkme_right_red_aa0000.png?resize=149%2C149" class="attachment-full size-full" alt="Fork me on GitHub" data-recalc-dims="1">
</a>
<header>
<nav>
<div role="navigation" class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle">
Menu
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a>
</div>
<div id="struts-menu" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Home<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/index.html">Welcome</a></li>
<li><a href="/download.cgi">Download</a></li>
<li><a href="/releases.html">Releases</a></li>
<li><a href="/announce-2023.html">Announcements</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Support<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/mail.html">User Mailing List</a></li>
<li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li>
<li><a href="/security.html">Reporting Security Issues</a></li>
<li><a href="/commercial-support.html">Commercial Support</a></li>
<li class="divider"></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li>
<li class="divider"></li>
<li><a href="/maven/project-info.html">Maven Project Info</a></li>
<li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li>
<li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Documentation<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/birdseye.html">Birds Eye</a></li>
<li><a href="/primer.html">Key Technologies</a></li>
<li><a href="/kickstart.html">Kickstart FAQ</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
<li class="divider"></li>
<li><a href="/getting-started/">Getting Started</a></li>
<li><a href="/security/">Security Guide</a></li>
<li><a href="/core-developers/">Core Developers Guide</a></li>
<li><a href="/tag-developers/">Tag Developers Guide</a></li>
<li><a href="/maven-archetypes/">Maven Archetypes</a></li>
<li><a href="/plugins/">Plugins</a></li>
<li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li>
<li><a href="/tag-developers/tag-reference.html">Tag reference</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
<li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
</ul>
</li>
<li class="dropdown">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
Contributing<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<li><a href="/youatstruts.html">You at Struts</a></li>
<li><a href="/helping.html">How to Help FAQ</a></li>
<li><a href="/dev-mail.html">Development Lists</a></li>
<li class="divider"></li>
<li><a href="/submitting-patches.html">Submitting patches</a></li>
<li><a href="/builds.html">Source Code and Builds</a></li>
<li><a href="/coding-standards.html">Coding standards</a></li>
<li><a href="/contributors/">Contributors Guide</a></li>
<li class="divider"></li>
<li><a href="/release-guidelines.html">Release Guidelines</a></li>
<li><a href="/bylaws.html">PMC Charter</a></li>
<li><a href="/volunteers.html">Volunteers</a></li>
<li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li>
<li><a href="/updating-website.html">Updating the website</a></li>
</ul>
</li>
<li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li>
</ul>
</div>
</div>
</div>
</nav>
</header>
<article class="container">
<section class="col-md-12">
<a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2018.md" title="Edit this page on GitHub">Edit on GitHub</a>
<h1 class="no_toc" id="announcements-2018">Announcements 2018</h1>
<p class="pull-right">
Skip to: <a href="announce-2017.html">Announcements - 2017</a>
</p>
<h4 id="a20181114">14 November 2018 - Apache Struts 2.3.x End-Of-Life (EOL) Announcement</h4>
<p>The Apache Struts Project Team would like to inform you that the Struts 2.3.x web framework will reach
its end of life in 6 months and won’t be longer officially supported.</p>
<p>Please check the following reading to find more details.</p>
<ul>
<li><a href="struts23-eol-announcement">Apache Struts 2.3.x EOL Announcement</a>, including a detailed Q/A section</li>
</ul>
<h4 id="a20181015-2">15 October 2018 - Struts 2.3.36 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.36 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>This release addresses one backward compatibility issue:</p>
<ul>
<li><a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.36">xml-validation fails since struts 2.5.17</a></li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<h4 id="a20181015-1">15 October 2018 - Struts 2.5.18 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.18 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Below is a full list of all changes:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">jar_cache</code> Some jar_cache<strong>**</strong>.tmp files are generated into a temporary directory(/tmp) during web service start</li>
<li>Struts 2.5.16 is creating jar_cache files in temp folder</li>
<li>MD5 and SHA1 should no longer be provided on download pages</li>
<li>xml-validation fails since struts 2.5.17</li>
</ul>
<p>Internal Changes:</p>
<ul>
<li>XWorkList was moved into a com.opensymphony.xwork2.conversion.impl package as com.opensymphony.xwork2.util package is excluded
by the Internal Security Mechanism.</li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20180822-0">22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</h4>
<p>CVEID:CVE-2018-11776</p>
<p>PRODUCT:Apache Struts</p>
<p>VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16</p>
<p>PROBLEMTYPE:Remote Code Execution</p>
<p>REFERENCES:<a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></p>
<p>DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and
2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its
upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action
set and in same time, its upper action(s) have no or wildcard namespace.</p>
<h4 id="a20180822-1">22 August 2018 - Struts 2.5.17 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:</p>
<ul>
<li>Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or
wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<h4 id="a20180822-2">22 August 2018 - Struts 2.3.35 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:</p>
<ul>
<li>Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or
wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - <a href="https://cwiki.apache.org/confluence/display/WW/S2-057">S2-057</a></li>
</ul>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 6.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-23x">download</a> page.</p>
<h4 id="a20180327">27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</h4>
<p>The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released
version of the Apache Struts. This is necessary to prevent your publicly accessible web site, which is using the Struts
REST plugin and performing XML serialisation, from being exposed to possible DoS attack.</p>
<p>You can find more details in a Security Bulletin <a href="https://cwiki.apache.org/confluence/display/WW/S2-056">S2-056</a></p>
<p>All developers are strongly advised to perform this action.</p>
<h4 id="a20180323">23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3</h4>
<p>The Apache Struts Team recommends to immediately upgrade your Struts 2
based projects to use the latest released version of Commons
FileUpload library, which is currently 1.3.3. This is necessary to
prevent your publicly accessible web site from being exposed to
possible Remote Code Execution attacks (see [1] [2]).</p>
<p>This affects any Struts version prior to <strong>2.5.12</strong> [3].</p>
<p>Your project is affected if it uses the built-in file upload mechanism
of Struts 2, which defaults to the use of commons-fileupload. The
updated commons-fileupload library is a drop-in replacement for the
vulnerable version. Deployed applications can be hardened by replacing
the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
Maven based Struts 2 projects, the following dependency needs to be
added:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;dependency&gt;</span>
<span class="nt">&lt;groupId&gt;</span>commons-fileupload<span class="nt">&lt;/groupId&gt;</span>
<span class="nt">&lt;artifactId&gt;</span>commons-fileupload<span class="nt">&lt;/artifactId&gt;</span>
<span class="nt">&lt;version&gt;</span>1.3.3<span class="nt">&lt;/version&gt;</span>
<span class="nt">&lt;/dependency&gt;</span>
</code></pre></div></div>
<p>More details can be found here:</p>
<ol>
<li><a href="https://issues.apache.org/jira/browse/FILEUPLOAD-279">https://issues.apache.org/jira/browse/FILEUPLOAD-279</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000031">https://nvd.nist.gov/vuln/detail/CVE-2016-1000031</a></li>
<li><a href="https://issues.apache.org/jira/browse/WW-4812">https://issues.apache.org/jira/browse/WW-4812</a></li>
</ol>
<p>All developers are strongly advised to perform this action.</p>
<h4 id="a20180316">16 March 2018 - Struts 2.5.16 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a “General Availability”
release. The GA designation is our highest quality grade.</p>
<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.</p>
<p>Below is a full list of all changes:</p>
<ul>
<li>unclosed instantiation of PrintWriter</li>
<li>Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.</li>
<li>NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper</li>
<li>NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait
interceptor</li>
<li>ClassCastException in JarEntryRevision</li>
<li>Dependency Mapping Exception When Using PrefixBasedActionProxyFactory</li>
<li>The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this
method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.</li>
<li>Conversion by annotation does not work</li>
<li>List of Boolean is not populated in Action class</li>
<li>JSONResult exception in struts2-json-plugin-2.5.14.1.jar</li>
<li>buttons with name=”method:METHODNAME” sometimes ignore global-allowed-methods defined in struts.xml</li>
<li>Could not create JarEntryRevision for [zip:C:/…. unknown protocol c</li>
<li>NPE in I18nInterceptor$SessionLocaleHandler.read</li>
<li>JasperReportResult: NPE When Not Using SQL Connection</li>
<li>support JSR 303 Validation Groups in BeanValidation-Plugin</li>
<li>Debug tag should not display anything when not in dev mode</li>
<li>Allow using of Initializable interface on an implementation level</li>
<li>Allowed methods inheritance</li>
<li>Allow use Jackson XML bindings to serialise / deserialise XML</li>
<li>when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into
custom array but populating in String array or array list</li>
<li>Upgrade Spring to version 4.3.13</li>
<li>Update Log4j2 to 2.10.0</li>
</ul>
<blockquote>
<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16">Version Notes</a> to find more details about performed bug fixes and improvements.</p>
</blockquote>
<p><strong>All developers are strongly advised to perform this action.</strong></p>
<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
Servlet API 2.4, JSP API 2.0, and Java 7.</p>
<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
to the user list, and, if appropriate, file a tracking ticket.</p>
<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>
<p class="pull-right">
Skip to: <a href="announce-2017.html">Announcements - 2017</a>
</p>
<p class="pull-left">
<strong>Next:</strong>
<a href="kickstart.html">Kickstart FAQ</a>
</p>
</section>
</article>
<footer class="container">
<div class="col-md-12">
Copyright &copy; 2000-2022 <a href="https://www.apache.org/">The Apache Software Foundation</a>.
Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
trademarks of The Apache Software Foundation. All Rights Reserved.
</div>
<div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
</footer>
<script>!function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (!d.getElementById(id)) {
js = d.createElement(s);
js.id = id;
js.src = "//platform.twitter.com/widgets.js";
fjs.parentNode.insertBefore(js, fjs);
}
}(document, "script", "twitter-wjs");</script>
<script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script>
<div id="fb-root"></div>
<script>(function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);
js.id = id;
js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
</body>
</html>