---
layout: default
title: Announcements 2013
---
<h1>Announcements - 2013</h1>
<p class="pull-right">
Skip to: <a href="announce-2012.html">Announcements - 2012</a>
</p>
<h4 id="a20131208">8 December 2013 - Struts 2.3.16 General Availability Release - Maintenance Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.16 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
This release contains many important improvements and dozens of other small fixes. To highlight just a few:
<ul>
<li>Merged security fixes from versions 2.3.15.1, 2.3.15.2 and 2.3.15.3</li>
<li>Solved problem with global "error" result in the Convention Plugin</li>
<li>The action: and method: prefixes are now excluded by default, and the order was changed to first check
excludeParams and then acceptedParams in ParametersInterceptor
</li>
<li>Restored the previous behaviour where both ParametersInterceptor AND ParameterNameAware must accept a
parameter - neither takes precedence any more
</li>
<li>Added proper support for multiple ActionMappers used with PrefixBasedActionMapper</li>
<li>Solved a problem with creating empty map entries via OGNL</li>
<li>... and many more, please check the Version Notes</li>
</ul>
</p>
<p>
All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.16.
</p>
<p>
Struts 2.3.16 is available in a full distribution or as separate library, source, example
and documentation distributions, from the
<a href="http://struts.apache.org/download.cgi#struts2316">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts".
The <a href="http://struts.apache.org/docs/version-notes-2316.html">version notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20131015">15 October 2013 - Struts 2.3.15.3 General Availability Release - Security Fix Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.15.3 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
One security issue was solved with this release:
<ul>
<li>
<a href="http://struts.apache.org/docs/s2-018.html">S2-018</a>
- Broken Access Control Vulnerability in Apache Struts2
</li>
<li>
Proper support for the action: prefix was also restored.
</li>
</ul>
</p>
<p>
All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.3.
</p>
<p>
Struts 2.3.15.3 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts23153">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-23153.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130920">20 September 2013 - Struts 2.3.15.2 General Availability Release - Security Fix Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
Two security issues were solved with this release:
<ul>
<li>
<a href="http://struts.apache.org/docs/s2-018.html">S2-018</a>
- Broken Access Control Vulnerability in Apache Struts2
</li>
<li>
<a href="http://struts.apache.org/docs/s2-019.html">S2-019</a>
- Dynamic Method Invocation disabled by default
</li>
</ul>
</p>
<p>
All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.2.
</p>
<p>
Struts 2.3.15.2 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts23152">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-23152.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130716">16 July 2013 - Struts 2.3.15.1 General Availability Release - Security Fix Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.15.1 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
Two security issues were solved with this release:
<ul>
<li>
<a href="http://struts.apache.org/docs/s2-016.html">S2-016</a>
- Remote code execution vulnerability when using short-circuit navigation
parameter prefixes
</li>
<li>
<a href="http://struts.apache.org/docs/s2-017.html">S2-017</a>
- Open redirect vulnerability when using short-circuit redirect
parameter prefixes
</li>
</ul>
</p>
<p>
All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.1.
</p>
<p>
Struts 2.3.15.1 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts23151">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-23151.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130622">22 June 2013 - Struts 2.3.15 General Availability Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.15 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
This is mostly a maintenance release, but a few important improvements were added as well:
<ul>
<li>Merged security fixes from versions 2.3.14.1, 2.3.14.2 and 2.3.14.3</li>
<li>Resolved problem with memory leak in ContainerHolder</li>
<li>Resolved bug related to struts.convention.action.includeJars</li>
<li>Improved OSGi support to allow work in Glassfish 3</li>
<li>Added support for creating cookies from within an action</li>
<li>A new interface - ValidationAware - was added to allow notifying actions when there are action/field
errors
</li>
<li>and other small improvements</li>
</ul>
Please check the Version Notes to see more details.
</p>
<p>
All developers are recommended to update existing Struts 2 applications to Struts 2.3.15.
</p>
<p>
Struts 2.3.15 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts2315">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-2315.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130603">3 June 2013 - Struts 2.3.14.3 General Availability Release - Security Fix Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.14.3 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
A highly critical security vulnerability was resolved in this release:
<ul>
<li>
<a href="http://struts.apache.org/docs/s2-015.html">S2-015</a>
- A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote
command execution
</li>
</ul>
</p>
<p>
<strong>All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.3
immediately.</strong>
</p>
<p>
Struts 2.3.14.3 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts23143">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-23143.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130526">26 May 2013 - Struts 2.3.14.2 General Availability Release - Security Fix Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.14.2 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
A highly critical security vulnerability was resolved in this release:
<ul>
<li>
<a href="http://struts.apache.org/docs/s2-014.html">S2-014</a> - A vulnerability introduced by forcing
parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and
XSS attacks
</li>
</ul>
</p>
<p>
<strong>All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.2
immediately.</strong>
</p>
<p>
Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts23142">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-23142.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130522">22 May 2013 - Struts 2.3.14.1 General Availability Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.14.1 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
Two security issues were solved with this release:
<ul>
<li>
Showcase app vulnerability allows remote command execution
</li>
<li>
A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
</li>
</ul>
</p>
<p>
All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.1.
</p>
<p>
Struts 2.3.14.1 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts23141">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-23141.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130411">11 April 2013 - Struts 2.3.14 General Availability Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.14 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
This is mostly a maintenance release, but a few important improvements were added as well:
<ul>
<li>All the annotations related to validators were updated to match the implementing classes</li>
<li>The JUnit plugin now supports the Convention plugin configuration (check StrutsJUnit4ConventionTestCaseTest)</li>
<li>Logging support was improved and extended to allow the use of a custom user implementation of LoggingFactory</li>
</ul>
Please check the Version Notes to see more details.
</p>
<p>
All developers are recommended to update existing Struts 2 applications to Struts 2.3.14.
</p>
<p>
Struts 2.3.14 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts2314">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-2314.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>
<h4 id="a20130405">5 April 2013 - Apache Struts 1 End-Of-Life (EOL) Announcement</h4>
<p>
The Apache Struts Project Team would like to inform you that the Struts 1.x web framework has
reached its end of life and is no longer officially supported.
</p>
<p>
Please check the following readings to find more details.
<ul>
<li><a href="struts1eol-announcement.html">Apache Struts 1 EOL Announcement</a>, including a detailed Q/A section</li>
<li><a href="struts1eol-press.html">Apache Struts 1 EOL Press Release</a></li>
</ul>
</p>
<h4 id="a20130306">6 March 2013 - Struts 2.3.12 General Availability Release</h4>
<p>
The Apache Struts group is pleased to announce that Struts 2.3.12 is
available as a "General Availability" release. The GA designation is our
highest quality grade.
</p>
<p>
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
</p>
<p>
This is mostly a maintenance release, but a few important improvements were added as well:
<ul>
<li>All validators were refactored: parameters can now be set via OGNL, and the parse parameter was removed</li>
<li>The tags' required attribute was renamed to requiredLabel to allow support for the HTML5 required attribute in the tags
</li>
<li>New Tiles 3 plugin was added to support Tiles 3 result type</li>
<li>Support for JBoss 5 to work with the Convention Plugin was improved</li>
</ul>
Please check the Version Notes to see more details.
</p>
<p>
All developers are recommended to update existing Struts 2 applications to Struts 2.3.12.
</p>
<p>
Struts 2.3.12 is available in a full distribution or as separate library, source, example and documentation
distributions, from the
<a href="http://struts.apache.org/download.cgi#struts2312">releases page</a>.
The release is also available through the central Maven repository under Group ID "org.apache.struts". The
<a href="http://struts.apache.org/docs/version-notes-2312.html">release notes</a>
are available online.
</p>
<p>
The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 5.
</p>
<p>
Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.
</p>