output/announce-2021.html - struts-site - Git at Google

 <!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
   <meta name="Date-Revision-yyyymmdd" content="20140918"/>
   <meta http-equiv="Content-Language" content="en"/>
   <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

   <title>Announcements 2021</title>

   <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
   <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
   <link href="/css/main.css" rel="stylesheet">
   <link href="/css/custom.css" rel="stylesheet">
   <link href="/css/syntax.css" rel="stylesheet">

   <script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
   <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
   <script type="text/javascript" src="/js/community.js"></script>

   <!-- Matomo -->
   <script>
     var _paq = window._paq = window._paq || [];
     /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
     /* We explicitly disable cookie tracking to avoid privacy issues */
     _paq.push(['disableCookies']);
     _paq.push(['trackPageView']);
     _paq.push(['enableLinkTracking']);
     (function() {
       var u="//analytics.apache.org/";
       _paq.push(['setTrackerUrl', u+'matomo.php']);
       _paq.push(['setSiteId', '41']);
       var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
       g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
     })();
   </script>
   <!-- End Matomo Code -->
 </head>
 <body>

 <a href="https://github.com/apache/struts" class="github-ribbon">
   <img decoding="async" loading="lazy" style="position: absolute; right: 0; border: 0;" width="149" height="149" src="https://github.blog/wp-content/uploads/2008/12/forkme_right_red_aa0000.png?resize=149%2C149" class="attachment-full size-full" alt="Fork me on GitHub" data-recalc-dims="1">
 </a>

 <header>
   <nav>
     <div role="navigation" class="navbar navbar-default navbar-fixed-top">
       <div class="container">
         <div class="navbar-header">
           <button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle">
             Menu
             <span class="sr-only">Toggle navigation</span>
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
           </button>
           <a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a>
         </div>
         <div id="struts-menu" class="navbar-collapse collapse">
           <ul class="nav navbar-nav">
             <li class="dropdown">
               <a data-toggle="dropdown" href="#" class="dropdown-toggle">
                 Home<b class="caret"></b>
               </a>
               <ul class="dropdown-menu">
                 <li><a href="/index.html">Welcome</a></li>
                 <li><a href="/download.cgi">Download</a></li>
                 <li><a href="/releases.html">Releases</a></li>
                 <li><a href="/announce-2024.html">Announcements</a></li>
                 <li><a href="http://www.apache.org/licenses/">License</a></li>
                 <li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
                 <li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
                 <li><a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a></li>
               </ul>
             </li>
             <li class="dropdown">
               <a data-toggle="dropdown" href="#" class="dropdown-toggle">
                 Support<b class="caret"></b>
               </a>
               <ul class="dropdown-menu">
                 <li><a href="/mail.html">User Mailing List</a></li>
                 <li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li>
                 <li><a href="/security.html">Reporting Security Issues</a></li>
                 <li><a href="/commercial-support.html">Commercial Support</a></li>
                 <li class="divider"></li>
                 <li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li>
                 <li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li>
                 <li class="divider"></li>
                 <li><a href="/maven/project-info.html">Maven Project Info</a></li>
                 <li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li>
                 <li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li>
               </ul>
             </li>
             <li class="dropdown">
               <a data-toggle="dropdown" href="#" class="dropdown-toggle">
                 Documentation<b class="caret"></b>
               </a>
               <ul class="dropdown-menu">
                 <li><a href="/birdseye.html">Birds Eye</a></li>
                 <li><a href="/primer.html">Key Technologies</a></li>
                 <li><a href="/kickstart.html">Kickstart FAQ</a></li>
                 <li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
                 <li class="divider"></li>
                 <li><a href="/getting-started/">Getting Started</a></li>
                 <li><a href="/security/">Security Guide</a></li>
                 <li><a href="/core-developers/">Core Developers Guide</a></li>
                 <li><a href="/tag-developers/">Tag Developers Guide</a></li>
                 <li><a href="/maven-archetypes/">Maven Archetypes</a></li>
                 <li><a href="/plugins/">Plugins</a></li>
                 <li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li>
                 <li><a href="/tag-developers/tag-reference.html">Tag reference</a></li>
                 <li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
                 <li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
               </ul>
             </li>
             <li class="dropdown">
               <a data-toggle="dropdown" href="#" class="dropdown-toggle">
                 Contributing<b class="caret"></b>
               </a>
               <ul class="dropdown-menu">
                 <li><a href="/youatstruts.html">You at Struts</a></li>
                 <li><a href="/helping.html">How to Help FAQ</a></li>
                 <li><a href="/dev-mail.html">Development Lists</a></li>
                 <li class="divider"></li>
                 <li><a href="/submitting-patches.html">Submitting patches</a></li>
                 <li><a href="/builds.html">Source Code and Builds</a></li>
                 <li><a href="/coding-standards.html">Coding standards</a></li>
                 <li><a href="/contributors/">Contributors Guide</a></li>
                 <li class="divider"></li>
                 <li><a href="/release-guidelines.html">Release Guidelines</a></li>
                 <li><a href="/bylaws.html">PMC Charter</a></li>
                 <li><a href="/volunteers.html">Volunteers</a></li>
                 <li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li>
                 <li><a href="/updating-website.html">Updating the website</a></li>
               </ul>
             </li>
             <li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li>
           </ul>
         </div>
       </div>
     </div>
   </nav>
 </header>


 <article class="container">
   <section class="col-md-12">
     <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2021.md" title="Edit this page on GitHub">Edit on GitHub</a>

     <h1 class="no_toc" id="announcements-2021">Announcements 2021</h1>


 <p class="pull-right">
   Skip to: <a href="announce-2020">Announcements - 2020</a>
 </p>

 <h4 id="a20211223">23 December 2021 - Struts 2.5.28.2 General Availability</h4>

 <p>The Apache Struts group is pleased to announce that Struts 2.5.28.2 is available as a “General Availability”
 release. The GA designation is our highest quality grade.</p>

 <p>This release addresses Log4j vulnerability <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">CVE-2021-45105</a>
 by using the latest Log4j ver. 2.12.3 (Java 1.7 compatible).</p>

 <p><strong>Please note, that the Apache Struts itself depends on the log4j-api package only, it’s users’ responsibility
 to use a proper version of the log4j-core package!</strong></p>

 <blockquote>
   <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28.2">Version Notes</a> to find more details about performed
 bug fixes and improvements.</p>
 </blockquote>

 <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
 The framework has been designed to streamline the full development cycle, from building, to deploying,
 to maintaining applications over time.</p>

 <p><strong>All developers are strongly advised to perform this upgrade.</strong></p>

 <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
 Servlet API 2.4, JSP API 2.0, and Java 7.</p>

 <p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
 and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

 <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

 <h4 id="a20211217">17 December 2021 - Struts 2.5.28.1 General Availability</h4>

 <p>The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability”
 release. The GA designation is our highest quality grade.</p>

 <p>This release addresses Log4j vulnerability <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">CVE-2021-45046</a>
 by using the latest Log4j 2.12.2 version (Java 1.7 compatible).</p>

 <blockquote>
   <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28.1">Version Notes</a> to find more details about performed
 bug fixes and improvements.</p>
 </blockquote>

 <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
 The framework has been designed to streamline the full development cycle, from building, to deploying,
 to maintaining applications over time.</p>

 <p><strong>All developers are strongly advised to perform this upgrade.</strong></p>

 <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
 Servlet API 2.4, JSP API 2.0, and Java 7.</p>

 <p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
 and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

 <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

 <h4 id="a20211212-2">12 December 2021 - Security Advice on Log4j 2.15.0</h4>

 <p>The Apache Struts Security team would like to announce that all the users using the latest Struts 2.5.x series
 should upgrade <a href="https://logging.apache.org/log4j/2.x/">Log4j</a> library to the  latest <strong>2.15.0</strong> version which addresses
 the Remote-Code-Execution vulnerability <strong>CVE-2021-44228</strong>.</p>

 <p>This version of Log4j requires Java 8, while Apache Struts 2.5.x series is still using Java 1.7 and because
 of that we cannot prepare a new patched 2.5.x version. Yet, in most cases this is a drop-in upgrade as Log4j 2.15.0
 maintains binary compatibility with previous releases - once you are running on Java 8. In case you are not able
 to upgrade Log4j, please use one of  the described mitigations.</p>

 <p>More information can be found <a href="https://logging.apache.org/log4j/2.x/#News">here</a>.</p>

 <p><strong>All developers are strongly advised to perform this action.</strong></p>

 <h4 id="a20211212">12 December 2021 - Struts 2.5.28 General Availability</h4>

 <p>The Apache Struts group is pleased to announce that Struts 2.5.28 is available as a “General Availability”
 release. The GA designation is our highest quality grade.</p>

 <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
 The framework has been designed to streamline the full development cycle, from building, to deploying,
 to maintaining applications over time.</p>

 <p>Below is a full list of all changes:</p>

 <ul>
   <li>[WW-5149] - labelposition attribute broken in Struts 2.5.27</li>
 </ul>

 <blockquote>
   <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28">Version Notes</a> to find more details about performed
 bug fixes and improvements.</p>
 </blockquote>

 <p><strong>All developers are strongly advised to perform this upgrade.</strong></p>

 <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
 Servlet API 2.4, JSP API 2.0, and Java 7.</p>

 <p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
 and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

 <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

 <h4 id="a20211116">16 November 2021 - Struts 2.5.27 General Availability</h4>

 <p>The Apache Struts group is pleased to announce that Struts 2.5.27 is available as a “General Availability”
 release. The GA designation is our highest quality grade.</p>

 <p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
 The framework has been designed to streamline the full development cycle, from building, to deploying,
 to maintaining applications over time.</p>

 <p>Below is a full list of all changes:</p>

 <ul>
   <li>PostbackResult uses wrong regex range</li>
   <li><code class="language-plaintext highlighter-rouge">%{id}</code> evaluates different for data-* and value attribute</li>
   <li>Blocking Threads in retrieving text from resource bundle</li>
   <li>Contention when injecting <code class="language-plaintext highlighter-rouge">Scope.SINGLETON</code> instances</li>
   <li>CheckboxTag value missing for labelposition</li>
   <li>forbidden name attribute values (size, clone…?) in <code class="language-plaintext highlighter-rouge">&lt;s:textfield&gt;</code> using the default theme</li>
   <li>ID param not being set</li>
   <li>Make labelposition deprecated</li>
   <li>Make class attribute deprecated</li>
   <li>Fix the compilation alarms of deprecated methods</li>
   <li>OGNL long conversion</li>
   <li>Upgrade XStream to version 1.4.16</li>
 </ul>

 <blockquote>
   <p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.27">Version Notes</a> to find more details about performed
 bug fixes and improvements.</p>
 </blockquote>

 <p><strong>All developers are strongly advised to perform this action.</strong></p>

 <p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
 Servlet API 2.4, JSP API 2.0, and Java 7.</p>

 <p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
 and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

 <p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

 <h4 id="a20210219">19 February 2021 - Struts Security Impact Levels</h4>

 <p>The Apache Struts Security team would like to announce <a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins#SecurityBulletins-Securityimpactlevels">Security Impact Levels</a>
 which will be used to rate any future Security Bulletins. We also updated the current Security Bulletins to match
 the levels. Below is the list of the updated bulletins with a new Maximum security rating.</p>

 <ul>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-060">S2-060</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-056">S2-056</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-055">S2-055</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-054">S2-054</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-051">S2-051</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-049">S2-049</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-048">S2-048</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-042">S2-042</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-040">S2-040</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-039">S2-039</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-038">S2-038</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-037">S2-037</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-036">S2-036</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-033">S2-033</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-032">S2-032</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-031">S2-031</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-026">S2-026</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-024">S2-024</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-023">S2-023</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-022">S2-022</a>
 Medium -&gt; Moderate</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-021">S2-021</a>
 High -&gt; Important</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-016">S2-016</a>
 Highly Critical -&gt; Critical</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-015">S2-015</a>
 Highly Critical -&gt; Critical</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-014">S2-014</a>
 Highly Critical -&gt; Critical</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-013">S2-013</a>
 Highly Critical -&gt; Critical</li>
   <li><a href="https://cwiki.apache.org/confluence/display/WW/S2-012">S2-012</a>
 Moderately Critical -&gt; Important</li>
 </ul>

 <p><strong>All developers are strongly advised to read about new Security Impact Levels.</strong></p>

 <p class="pull-right">
   Skip to: <a href="announce-2020.html">Announcements - 2020</a>
 </p>

 <p class="pull-left">
   <strong>Next:</strong>
   <a href="kickstart.html">Kickstart FAQ</a>
 </p>

   </section>
 </article>


 <footer class="container">
   <div class="col-md-12">
     Copyright &copy; 2000-2022 <a href="https://www.apache.org/">The Apache Software Foundation</a>.
     Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
     trademarks of The Apache Software Foundation. All Rights Reserved.
   </div>
   <div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
 </footer>

 <script>!function (d, s, id) {
   var js, fjs = d.getElementsByTagName(s)[0];
   if (!d.getElementById(id)) {
     js = d.createElement(s);
     js.id = id;
     js.src = "//platform.twitter.com/widgets.js";
     fjs.parentNode.insertBefore(js, fjs);
   }
 }(document, "script", "twitter-wjs");</script>
 <script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script>

 <div id="fb-root"></div>

 <script>(function (d, s, id) {
   var js, fjs = d.getElementsByTagName(s)[0];
   if (d.getElementById(id)) return;
   js = d.createElement(s);
   js.id = id;
   js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
   fjs.parentNode.insertBefore(js, fjs);
 }(document, 'script', 'facebook-jssdk'));</script>


 </body>
 </html>
	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="UTF-8"/>
	<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
	<meta name="Date-Revision-yyyymmdd" content="20140918"/>
	<meta http-equiv="Content-Language" content="en"/>
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

	<title>Announcements 2021</title>

	<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css">
	<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet">
	<link href="/css/main.css" rel="stylesheet">
	<link href="/css/custom.css" rel="stylesheet">
	<link href="/css/syntax.css" rel="stylesheet">

	<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
	<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
	<script type="text/javascript" src="/js/community.js"></script>

	<!-- Matomo -->
	<script>
	var _paq = window._paq = window._paq \|\| [];
	/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
	/* We explicitly disable cookie tracking to avoid privacy issues */
	_paq.push(['disableCookies']);
	_paq.push(['trackPageView']);
	_paq.push(['enableLinkTracking']);
	(function() {
	var u="//analytics.apache.org/";
	_paq.push(['setTrackerUrl', u+'matomo.php']);
	_paq.push(['setSiteId', '41']);
	var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
	g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
	})();
	</script>
	<!-- End Matomo Code -->
	</head>
	<body>

	<a href="https://github.com/apache/struts" class="github-ribbon">
	<img decoding="async" loading="lazy" style="position: absolute; right: 0; border: 0;" width="149" height="149" src="https://github.blog/wp-content/uploads/2008/12/forkme_right_red_aa0000.png?resize=149%2C149" class="attachment-full size-full" alt="Fork me on GitHub" data-recalc-dims="1">
	</a>

	<header>
	<nav>
	<div role="navigation" class="navbar navbar-default navbar-fixed-top">
	<div class="container">
	<div class="navbar-header">
	<button type="button" data-toggle="collapse" data-target="#struts-menu" class="navbar-toggle">
	Menu
	<span class="sr-only">Toggle navigation</span>
	<span class="icon-bar"></span>
	<span class="icon-bar"></span>
	<span class="icon-bar"></span>
	</button>
	<a href="/index.html" class="navbar-brand logo"><img src="/img/struts-logo.svg"></a>
	</div>
	<div id="struts-menu" class="navbar-collapse collapse">
	<ul class="nav navbar-nav">
	<li class="dropdown">
	<a data-toggle="dropdown" href="#" class="dropdown-toggle">
	Home<b class="caret"></b>
	</a>
	<ul class="dropdown-menu">
	<li><a href="/index.html">Welcome</a></li>
	<li><a href="/download.cgi">Download</a></li>
	<li><a href="/releases.html">Releases</a></li>
	<li><a href="/announce-2024.html">Announcements</a></li>
	<li><a href="http://www.apache.org/licenses/">License</a></li>
	<li><a href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
	<li><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
	<li><a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a></li>
	</ul>
	</li>
	<li class="dropdown">
	<a data-toggle="dropdown" href="#" class="dropdown-toggle">
	Support<b class="caret"></b>
	</a>
	<ul class="dropdown-menu">
	<li><a href="/mail.html">User Mailing List</a></li>
	<li><a href="https://issues.apache.org/jira/browse/WW">Issue Tracker</a></li>
	<li><a href="/security.html">Reporting Security Issues</a></li>
	<li><a href="/commercial-support.html">Commercial Support</a></li>
	<li class="divider"></li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version Notes</a></li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security Bulletins</a></li>
	<li class="divider"></li>
	<li><a href="/maven/project-info.html">Maven Project Info</a></li>
	<li><a href="/maven/struts2-core/dependencies.html">Struts Core Dependencies</a></li>
	<li><a href="/maven/struts2-plugins/modules.html">Plugin Dependencies</a></li>
	</ul>
	</li>
	<li class="dropdown">
	<a data-toggle="dropdown" href="#" class="dropdown-toggle">
	Documentation<b class="caret"></b>
	</a>
	<ul class="dropdown-menu">
	<li><a href="/birdseye.html">Birds Eye</a></li>
	<li><a href="/primer.html">Key Technologies</a></li>
	<li><a href="/kickstart.html">Kickstart FAQ</a></li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
	<li class="divider"></li>
	<li><a href="/getting-started/">Getting Started</a></li>
	<li><a href="/security/">Security Guide</a></li>
	<li><a href="/core-developers/">Core Developers Guide</a></li>
	<li><a href="/tag-developers/">Tag Developers Guide</a></li>
	<li><a href="/maven-archetypes/">Maven Archetypes</a></li>
	<li><a href="/plugins/">Plugins</a></li>
	<li><a href="/maven/struts2-core/apidocs/index.html">Struts Core API</a></li>
	<li><a href="/tag-developers/tag-reference.html">Tag reference</a></li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
	<li><a href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
	</ul>
	</li>
	<li class="dropdown">
	<a data-toggle="dropdown" href="#" class="dropdown-toggle">
	Contributing<b class="caret"></b>
	</a>
	<ul class="dropdown-menu">
	<li><a href="/youatstruts.html">You at Struts</a></li>
	<li><a href="/helping.html">How to Help FAQ</a></li>
	<li><a href="/dev-mail.html">Development Lists</a></li>
	<li class="divider"></li>
	<li><a href="/submitting-patches.html">Submitting patches</a></li>
	<li><a href="/builds.html">Source Code and Builds</a></li>
	<li><a href="/coding-standards.html">Coding standards</a></li>
	<li><a href="/contributors/">Contributors Guide</a></li>
	<li class="divider"></li>
	<li><a href="/release-guidelines.html">Release Guidelines</a></li>
	<li><a href="/bylaws.html">PMC Charter</a></li>
	<li><a href="/volunteers.html">Volunteers</a></li>
	<li><a href="https://gitbox.apache.org/repos/asf?p=struts.git">Source Repository</a></li>
	<li><a href="/updating-website.html">Updating the website</a></li>
	</ul>
	</li>
	<li class="apache"><a href="http://www.apache.org/"><img src="/img/apache.png"></a></li>
	</ul>
	</div>
	</div>
	</div>
	</nav>
	</header>


	<article class="container">
	<section class="col-md-12">
	<a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce-2021.md" title="Edit this page on GitHub">Edit on GitHub</a>

	<h1 class="no_toc" id="announcements-2021">Announcements 2021</h1>


	<p class="pull-right">
	Skip to: <a href="announce-2020">Announcements - 2020</a>
	</p>

	<h4 id="a20211223">23 December 2021 - Struts 2.5.28.2 General Availability</h4>

	<p>The Apache Struts group is pleased to announce that Struts 2.5.28.2 is available as a “General Availability”
	release. The GA designation is our highest quality grade.</p>

	<p>This release addresses Log4j vulnerability <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">CVE-2021-45105</a>
	by using the latest Log4j ver. 2.12.3 (Java 1.7 compatible).</p>

	<p><strong>Please note, that the Apache Struts itself depends on the log4j-api package only, it’s users’ responsibility
	to use a proper version of the log4j-core package!</strong></p>

	<blockquote>
	<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28.2">Version Notes</a> to find more details about performed
	bug fixes and improvements.</p>
	</blockquote>

	<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
	The framework has been designed to streamline the full development cycle, from building, to deploying,
	to maintaining applications over time.</p>

	<p><strong>All developers are strongly advised to perform this upgrade.</strong></p>

	<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
	Servlet API 2.4, JSP API 2.0, and Java 7.</p>

	<p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
	and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

	<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

	<h4 id="a20211217">17 December 2021 - Struts 2.5.28.1 General Availability</h4>

	<p>The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability”
	release. The GA designation is our highest quality grade.</p>

	<p>This release addresses Log4j vulnerability <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">CVE-2021-45046</a>
	by using the latest Log4j 2.12.2 version (Java 1.7 compatible).</p>

	<blockquote>
	<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28.1">Version Notes</a> to find more details about performed
	bug fixes and improvements.</p>
	</blockquote>

	<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
	The framework has been designed to streamline the full development cycle, from building, to deploying,
	to maintaining applications over time.</p>

	<p><strong>All developers are strongly advised to perform this upgrade.</strong></p>

	<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
	Servlet API 2.4, JSP API 2.0, and Java 7.</p>

	<p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
	and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

	<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

	<h4 id="a20211212-2">12 December 2021 - Security Advice on Log4j 2.15.0</h4>

	<p>The Apache Struts Security team would like to announce that all the users using the latest Struts 2.5.x series
	should upgrade <a href="https://logging.apache.org/log4j/2.x/">Log4j</a> library to the latest <strong>2.15.0</strong> version which addresses
	the Remote-Code-Execution vulnerability <strong>CVE-2021-44228</strong>.</p>

	<p>This version of Log4j requires Java 8, while Apache Struts 2.5.x series is still using Java 1.7 and because
	of that we cannot prepare a new patched 2.5.x version. Yet, in most cases this is a drop-in upgrade as Log4j 2.15.0
	maintains binary compatibility with previous releases - once you are running on Java 8. In case you are not able
	to upgrade Log4j, please use one of the described mitigations.</p>

	<p>More information can be found <a href="https://logging.apache.org/log4j/2.x/#News">here</a>.</p>

	<p><strong>All developers are strongly advised to perform this action.</strong></p>

	<h4 id="a20211212">12 December 2021 - Struts 2.5.28 General Availability</h4>

	<p>The Apache Struts group is pleased to announce that Struts 2.5.28 is available as a “General Availability”
	release. The GA designation is our highest quality grade.</p>

	<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
	The framework has been designed to streamline the full development cycle, from building, to deploying,
	to maintaining applications over time.</p>

	<p>Below is a full list of all changes:</p>

	<ul>
	<li>[WW-5149] - labelposition attribute broken in Struts 2.5.27</li>
	</ul>

	<blockquote>
	<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28">Version Notes</a> to find more details about performed
	bug fixes and improvements.</p>
	</blockquote>

	<p><strong>All developers are strongly advised to perform this upgrade.</strong></p>

	<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
	Servlet API 2.4, JSP API 2.0, and Java 7.</p>

	<p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
	and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

	<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

	<h4 id="a20211116">16 November 2021 - Struts 2.5.27 General Availability</h4>

	<p>The Apache Struts group is pleased to announce that Struts 2.5.27 is available as a “General Availability”
	release. The GA designation is our highest quality grade.</p>

	<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
	The framework has been designed to streamline the full development cycle, from building, to deploying,
	to maintaining applications over time.</p>

	<p>Below is a full list of all changes:</p>

	<ul>
	<li>PostbackResult uses wrong regex range</li>
	<li><code class="language-plaintext highlighter-rouge">%{id}</code> evaluates different for data-* and value attribute</li>
	<li>Blocking Threads in retrieving text from resource bundle</li>
	<li>Contention when injecting <code class="language-plaintext highlighter-rouge">Scope.SINGLETON</code> instances</li>
	<li>CheckboxTag value missing for labelposition</li>
	<li>forbidden name attribute values (size, clone…?) in <code class="language-plaintext highlighter-rouge"><s:textfield></code> using the default theme</li>
	<li>ID param not being set</li>
	<li>Make labelposition deprecated</li>
	<li>Make class attribute deprecated</li>
	<li>Fix the compilation alarms of deprecated methods</li>
	<li>OGNL long conversion</li>
	<li>Upgrade XStream to version 1.4.16</li>
	</ul>

	<blockquote>
	<p>Please read the <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.27">Version Notes</a> to find more details about performed
	bug fixes and improvements.</p>
	</blockquote>

	<p><strong>All developers are strongly advised to perform this action.</strong></p>

	<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
	Servlet API 2.4, JSP API 2.0, and Java 7.</p>

	<p>Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list,
	and, if appropriate, file <a href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>

	<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p>

	<h4 id="a20210219">19 February 2021 - Struts Security Impact Levels</h4>

	<p>The Apache Struts Security team would like to announce <a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins#SecurityBulletins-Securityimpactlevels">Security Impact Levels</a>
	which will be used to rate any future Security Bulletins. We also updated the current Security Bulletins to match
	the levels. Below is the list of the updated bulletins with a new Maximum security rating.</p>

	<ul>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-060">S2-060</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-056">S2-056</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-055">S2-055</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-054">S2-054</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-051">S2-051</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-049">S2-049</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-048">S2-048</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-042">S2-042</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-040">S2-040</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-039">S2-039</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-038">S2-038</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-037">S2-037</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-036">S2-036</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-033">S2-033</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-032">S2-032</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-031">S2-031</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-026">S2-026</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-024">S2-024</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-023">S2-023</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-022">S2-022</a>
	Medium -> Moderate</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-021">S2-021</a>
	High -> Important</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-016">S2-016</a>
	Highly Critical -> Critical</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-015">S2-015</a>
	Highly Critical -> Critical</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-014">S2-014</a>
	Highly Critical -> Critical</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-013">S2-013</a>
	Highly Critical -> Critical</li>
	<li><a href="https://cwiki.apache.org/confluence/display/WW/S2-012">S2-012</a>
	Moderately Critical -> Important</li>
	</ul>

	<p><strong>All developers are strongly advised to read about new Security Impact Levels.</strong></p>

	<p class="pull-right">
	Skip to: <a href="announce-2020.html">Announcements - 2020</a>
	</p>

	<p class="pull-left">
	<strong>Next:</strong>
	<a href="kickstart.html">Kickstart FAQ</a>
	</p>

	</section>
	</article>


	<footer class="container">
	<div class="col-md-12">
	Copyright © 2000-2022 <a href="https://www.apache.org/">The Apache Software Foundation</a>.
	Apache Struts, Struts, Apache, the Apache feather logo, and the Apache Struts project logos are
	trademarks of The Apache Software Foundation. All Rights Reserved.
	</div>
	<div class="col-md-12">Logo and website design donated by <a href="https://softwaremill.com/">SoftwareMill</a>.</div>
	</footer>

	<script>!function (d, s, id) {
	var js, fjs = d.getElementsByTagName(s)[0];
	if (!d.getElementById(id)) {
	js = d.createElement(s);
	js.id = id;
	js.src = "//platform.twitter.com/widgets.js";
	fjs.parentNode.insertBefore(js, fjs);
	}
	}(document, "script", "twitter-wjs");</script>
	<script src="https://apis.google.com/js/platform.js" async="async" defer="defer"></script>

	<div id="fb-root"></div>

	<script>(function (d, s, id) {
	var js, fjs = d.getElementsByTagName(s)[0];
	if (d.getElementById(id)) return;
	js = d.createElement(s);
	js.id = id;
	js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
	fjs.parentNode.insertBefore(js, fjs);
	}(document, 'script', 'facebook-jssdk'));</script>


	</body>
	</html>