Author: lukaszlenart
Date: Fri Feb 21 07:05:19 2014
New Revision: 1570474
URL: http://svn.apache.org/r1570474
Log:
Adds announcement about required upgrade of commons-fileupload
Added:
struts/site/trunk/content/announce-2013.html
struts/site/trunk/source/announce-2013.html
- copied, changed from r1569212, struts/site/trunk/source/announce.html
struts/site/trunk/source/announce.html
Modified:
struts/site/trunk/content/announce.html
struts/site/trunk/content/index.html
struts/site/trunk/source/index.html
Added: struts/site/trunk/content/announce-2013.html
URL:
http://svn.apache.org/viewvc/struts/site/trunk/content/announce-2013.html?rev=1570474&view=auto
==============================================================================
--- struts/site/trunk/content/announce-2013.html (added)
+++ struts/site/trunk/content/announce-2013.html Fri Feb 21 07:05:19 2014
@@ -0,0 +1,616 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="UTF-8"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <meta name="Date-Revision-yyyymmdd" content="20140206"/>
+ <meta http-equiv="Content-Language" content="en"/>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+
+ <title>Announcements 2013</title>
+
+ <link rel="stylesheet" href="/bootstrap/css/bootstrap.min.css">
+ <link rel="stylesheet" href="/css/main.css">
+
+ <script type="text/javascript" src="/js/jquery-1.11.0.min.js"></script>
+ <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
+ <script type="text/javascript" src="/js/community.js"></script>
+</head>
+<body>
+
+<a href="http://github.com/apache/struts">
+ <img style="position: absolute; top: 0; right: 0; border: 0; z-index:
10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
alt="Fork me on GitHub">
+</a>
+
+<header>
+ <!-- Fixed navbar -->
+<nav>
+ <div class="navbar navbar-default navbar-fixed-top" role="navigation">
+ <div class="container">
+ <div class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+
+ <li class="dropdown">
+ <a class="dropdown-toggle" data-toggle="dropdown" href="#">Apache
Struts <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="index.html">Welcome</a></li>
+ <li><a href="downloads.html">Downloads</a></li>
+ <li><a href="announce.html">Announcements</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a
href="http://apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a
href="http://apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a class="dropdown-toggle" data-toggle="dropdown" href="#">Support
<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="mail.html">User Mailing List</a></li>
+ <li><a href="https://issues.apache.org/jira/browse/WW">Issue
Tracker</a></li>
+ <li><a href="security.html">Reporting Security Issues</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a class="dropdown-toggle" data-toggle="dropdown"
href="#">Documentation <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="birdseye.html">Birds Eye</a></li>
+ <li><a href="primer.html">Key Technologies</a></li>
+ <li><a href="kickstart.html">Kickstart FAQ</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
+ <li><a
href="http://struts.apache.org/release/2.3.x/index.html">Struts 2</a></li>
+ <li><a
href="http://struts.apache.org/release/1.3.x/index.html">Struts 1</a></li>
+ </ul>
+ </li>
+
+ <li class="dropdown">
+ <a class="dropdown-toggle" data-toggle="dropdown"
href="#">Contributing <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="youatstruts.html">You at Struts</a></li>
+ <li><a href="helping.html">How to Help FAQ</a></li>
+ <li><a href="dev-mail.html">Development Lists</a></li>
+ <li class="divider"></li>
+ <li><a href="git-for-struts.html">Git for Struts</a></li>
+ <li><a href="builds.html">Source Code</a></li>
+ <li><a href="coding-standards.html">Coding standards</a></li>
+ <li class="divider"></li>
+ <li><a href="releases.html">Release Guidelines</a></li>
+ <li><a href="bylaws.html">PMC Charter</a></li>
+ <li><a href="volunteers.html">Volunteers</a></li>
+ <li><a
href="https://git-wip-us.apache.org/repos/asf?p=struts.git">Source
Repository</a></li>
+ </ul>
+ </li>
+
+ </ul>
+ </div>
+ <!--/.nav-collapse -->
+ </div>
+ </div>
+</nav>
+
+ <div class="container">
+ <div class="row">
+ <div class="pull-left">
+ <a href="/" id="bannerLeft">
+ <img src="/img/struts.gif" alt="Apache Struts"/>
+ </a>
+ </div>
+ <div class="pull-right"><a href="http://www.apache.org" id="bannerRight">
+ <img src="/img/asf-logo.gif" alt="Apache Software Foundation"/>
+ </a>
+ </div>
+ </div>
+ </div>
+</header>
+
+
+<article class="container">
+ <section class="col-md-12">
+ <h1>Announcements - 2013</h1>
+<p class="pull-right">
+ Skip to: <a href="announce-2012.html">Announcements - 2012</a>
+</p>
+
+<h4 id="a20131208">8 December 2013 - Struts 2.3.16 General Availability
Release - Maintenance Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.16 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ This release contains many important improvements and doze of other small
fixes, to light just few:
+ <ul>
+ <li>Merged security fix from version 2.3.15.1, 2.3.15.2 and 2.3.15.3</li>
+ <li>Solved problem with global "error" result in the Convention Plugin</li>
+ <li>The action: and method: prefixes are be by default excluded and
changed order to first check
+ excludeParams and then acceptedParams in ParametersInterceptor
+ </li>
+ <li>Restored previous behaviour where both ParametersInterceptor AND
ParameterNameAware must accept
+ parameter - there is no more precedence
+ </li>
+ <li>Added proper support for multiple ActionMapper's used with
PrefixBasedActionMapper</li>
+ <li>Solved problem with creating empty map entries via Ognl</li>
+ <li>... and many more, please check the Version Notes</li>
+ </ul>
+</p>
+<p>
+ All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.16.
+</p>
+<p>
+ Struts 2.3.16 is available in a full distribution or as separate library,
source, example
+ and documentation distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts2316">releases page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts".
+ The <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-2316.html">version
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20131015">15 October 2013 - Struts 2.3.15.3 General Availability
Release - Security Fix Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.15.3 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ One security issue was solved with this release:
+ <ul>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-018.html">S2-018</a>
+ - Broken Access Control Vulnerability in Apache Struts2
+ </li>
+ <li>
+ and proper support for action: prefix was restored.
+ </li>
+ </ul>
+</p>
+<p>
+ All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.15.3.
+</p>
+<p>
+ Struts 2.3.15.3 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts23153">releases
page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23153.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130920">20 September 2013 - Struts 2.3.15.2 General Availability
Release - Security Fix Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ Two security issues were solved with this release:
+ <ul>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-018.html">S2-018</a>
+ - Broken Access Control Vulnerability in Apache Struts2
+ </li>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-019.html">S2-019</a>
+ - Dynamic Method Invocation disabled by default
+ </li>
+ </ul>
+</p>
+<p>
+ All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.15.2.
+</p>
+<p>
+ Struts 2.3.15.2 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts23152">releases
page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130716">16 July 2013 - Struts 2.3.15.1 General Availability Release
- Security Fix Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.15.1 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ Two security issues were solved with this release:
+ <ul>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-016.html">S2-016</a>
+ - Remote code execution vulnerability when using short-circuit navigation
+ parameter prefixes
+ </li>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-017.html">S2-017</a>
+ - Open redirect vulnerability when using short-circuit redirect
+ parameter prefixes
+ </li>
+ </ul>
+</p>
+<p>
+ All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.15.1.
+</p>
+<p>
+ Struts 2.3.15.1 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts23151">releases
page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23151.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130622">22 June 2013 - Struts 2.3.15 General Availability
Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.15 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ It's a mostly maintenance release but few important improvements were added
as well:
+ <ul>
+ <li>Merged security fix from version 2.3.14.1, 2.3.14.2 and 2.3.14.3</li>
+ <li>Resolved problem with memory leak in ContainerHolder</li>
+ <li>Resolved bug related to struts.convention.action.includeJars</li>
+ <li>Improved OSGi support to allow work in Glassfish 3</li>
+ <li>Added support to create cookies from whitin an action</li>
+ <li>New interface - ValidationAware - was added to allow notify actions
when there are action/field
+ errors
+ </li>
+ <li>and other small improvments</li>
+ </ul>
+Please check the Version Notes to see more details.
+</p>
+<p>
+ All developers are recommended to update existing Struts 2 applications to
Struts 2.3.15.
+</p>
+<p>
+ Struts 2.3.15 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts2315">releases page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/development/2.x/docs/version-notes-2315.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130603">3 June 2013 - Struts 2.3.14.3 General Availability Release
- Security Fix Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.14.3 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ A highly critical security vulnerability was resolved in this release:
+ <ul>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-015.html">S2-015</a>
+ - A vulnerability introduced by wildcard matching mechanism or double
evaluation of OGNL Expression allows remote
+ command execution
+ </li>
+ </ul>
+</p>
+<p>
+ <strong>All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.14.3
+ immediately.</strong>
+</p>
+<p>
+ Struts 2.3.14.2 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts23143">releases
page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23143.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130526">26 May 2013 - Struts 2.3.14.2 General Availability Release
- Security Fix Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.14.2 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ A highly critical security vulnerability was resolved in this release:
+ <ul>
+ <li>
+ <a
href="http://struts.apache.org/release/2.3.x/docs/s2-014.html">S2-014</a> - A
vulnerability introduced by forcing
+ parameter inclusion in the URL and Anchor Tag allows remote command
execution, session access and manipulation and
+ XSS attacks
+ </li>
+ </ul>
+</p>
+<p>
+ <strong>All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.14.2
+ immediately.</strong>
+</p>
+<p>
+ Struts 2.3.14.2 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts23142">releases
page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23142.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130522">22 May 2013 - Struts 2.3.14.1 General Availability
Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.14.1 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ Two security issues were solved with this release:
+ <ul>
+ <li>
+ Showcase app vulnerability allows remote command execution
+ </li>
+ <li>
+ A vulnerability, present in the includeParams attribute of the URL and
Anchor Tag, allows remote command execution
+ </li>
+ </ul>
+</p>
+<p>
+ All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.14.1.
+</p>
+<p>
+ Struts 2.3.14.1 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts23141">releases
page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/development/2.x/docs/version-notes-23141.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130411">11 April 2013 - Struts 2.3.14 General Availability
Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.14 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ It's a mostly maintenance release but few important improvements were added
as well:
+ <ul>
+ <li>All the annotations related to validators were updated to match the
implementing classes</li>
+ <li>The JUnit plugin supports now the Convention plugin configuration
(check StrutsJUnit4ConventionTestCaseTest)</li>
+ <li>Logging support was improved and extended to allow use user custom
implementation of LoggingFactory</li>
+ </ul>
+Please check the Version Notes to see more details.
+</p>
+<p>
+ All developers are recommended to update existing Struts 2 applications to
Struts 2.3.14.
+</p>
+<p>
+ Struts 2.3.14 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts2314">releases page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/development/2.x/docs/version-notes-2314.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<h4 id="a20130405">5 April 2013 - Apache Struts 1 End-Of-Life (EOL)
Announcement</h4>
+<p>
+ The Apache Struts Project Team would like to inform you that the Struts 1.x
web framework has
+ reached its end of life and is no longer officially supported.
+</p>
+<p>
+ Please check the following readings to find more details.
+ <ul>
+ <li><a href="struts1eol-announcement.html">Apache Struts 1 EOL
Announcement</a>, including a detailed Q/A section</li>
+ <li><a href="struts1eol-press.html">Apache Struts 1 EOL Press
Release</a></li>
+ </ul>
+</p>
+
+<h4 id="a20130306">6 March 2013 - Struts 2.3.12 General Availability
Release</h4>
+<p>
+ The Apache Struts group is pleased to announce that Struts 2.3.12 is
+ available as a "General Availability" release. The GA designation is our
+ highest quality grade.
+</p>
+<p>
+ Apache Struts 2 is an elegant, extensible framework for creating
+ enterprise-ready Java web applications. The framework is designed to
+ streamline the full development cycle, from building, to deploying, to
+ maintaining applications over time.
+</p>
+<p>
+ It's a mostly maintenance release but few important improvements were added
as well:
+ <ul>
+ <li>All validators were refactored and right now parameters can be set via
OGNL also parameter parse was removed</li>
+ <li>Tag's required attribute was renamed to requiredLabel to allow support
of Html5 required attribute in the tags
+ </li>
+ <li>New Tiles 3 plugin was added to support Tiles 3 result type</li>
+ <li>Support for JBoss 5 to work with the Convention Plugin was
improved</li>
+ </ul>
+Please check the Version Notes to see more details.
+</p>
+<p>
+ All developers are recommended to update existing Struts 2 applications to
Struts 2.3.12.
+</p>
+<p>
+ Struts 2.3.12 is available in a full distribution or as separate library,
source, example and documentation
+ distributions, from the
+ <a href="http://struts.apache.org/download.cgi#struts2312">releases page</a>.
+ The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
+ <a
href="http://struts.apache.org/development/2.x/docs/version-notes-2312.html">release
notes</a>
+ are available online.
+</p>
+<p>
+ The 2.3.x series of the Apache Struts framework has a minimum
+ requirement of the following specification versions: Servlet API 2.4,
+ JSP API 2.0, and Java 5.
+</p>
+<p>
+ Should any issues arise with your use of any version of the Struts
+ framework, please post your comments to the user list, and, if
+ appropriate, file a tracking ticket.
+</p>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2012.html">Announcements - 2012</a>
+</p>
+
+<p class="pull-left">
+ <strong>Next:</strong>
+ <a href="kickstart.html">Kickstart FAQ</a>
+</p>
+
+ </section>
+</article>
+
+ <hr/>
+<footer class="container">
+ <div class="row col-md-12 text-center">
+ Copyright © 2000-2014 <a href="http://www.apache.org/">The Apache
Software Foundation</a>. All Rights Reserved.
+ </div>
+ <div class="row col-md-12 text-center">
+ Apache Struts, Struts, Apache, the Apache feather logo, and the Apache
Struts
+ project logos are trademarks of The Apache Software Foundation.
+ </div>
+</footer>
+
+
+</body>
+</html>
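Review bot: In the 3 June 2013 entry (id a20130603), the availability paragraph reads "Struts 2.3.14.2 is available in a full distribution" although the heading, the "strongly advised" sentence and the download anchor (#struts23143) all refer to 2.3.14.3. For a security-fix announcement (S2-015) the paragraph should name 2.3.14.3 so readers are not pointed at the release it supersedes. As the text is being moved out of announce.html anyway, the carried-over typos could be fixed in the same commit: "doze of other small fixes, to light just few" and "are be by default excluded" in the 2.3.16 entry, "whitin" and "improvments" in the 2.3.15 entry. Two smaller points: the 2.3.15.3 entry says "One security issue was solved" but lists the restored action: prefix support as a second bullet under that sentence, and the 2.3.14.1 entry lists two remote command execution issues without "Security Fix Release" in its heading or a link to a bulletin, unlike the other security entries in this file.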
Modified: struts/site/trunk/content/announce.html
URL:
http://svn.apache.org/viewvc/struts/site/trunk/content/announce.html?rev=1570474&r1=1570473&r2=1570474&view=diff
==============================================================================
--- struts/site/trunk/content/announce.html (original)
+++ struts/site/trunk/content/announce.html Fri Feb 21 07:05:19 2014
@@ -107,489 +107,54 @@
<article class="container">
<section class="col-md-12">
<h1>Announcements</h1>
-<p class="pull-right">
- Skip to: <a href="announce-2012.html">Announcements - 2012</a>
-</p>
-
-<h4 id="a20131208">8 December 2013 - Struts 2.3.16 General Availability
Release - Maintenance Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.16 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- This release contains many important improvements and doze of other small
fixes, to light just few:
- <ul>
- <li>Merged security fix from version 2.3.15.1, 2.3.15.2 and 2.3.15.3</li>
- <li>Solved problem with global "error" result in the Convention Plugin</li>
- <li>The action: and method: prefixes are be by default excluded and
changed order to first check
- excludeParams and then acceptedParams in ParametersInterceptor
- </li>
- <li>Restored previous behaviour where both ParametersInterceptor AND
ParameterNameAware must accept
- parameter - there is no more precedence
- </li>
- <li>Added proper support for multiple ActionMapper's used with
PrefixBasedActionMapper</li>
- <li>Solved problem with creating empty map entries via Ognl</li>
- <li>... and many more, please check the Version Notes</li>
- </ul>
-</p>
-<p>
- All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.16.
-</p>
-<p>
- Struts 2.3.16 is available in a full distribution or as separate library,
source, example
- and documentation distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts2316">releases page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts".
- The <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-2316.html">version
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20131015">15 October 2013 - Struts 2.3.15.3 General Availability
Release - Security Fix Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.15.3 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- One security issue was solved with this release:
- <ul>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-018.html">S2-018</a>
- - Broken Access Control Vulnerability in Apache Struts2
- </li>
- <li>
- and proper support for action: prefix was restored.
- </li>
- </ul>
-</p>
-<p>
- All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.15.3.
-</p>
-<p>
- Struts 2.3.15.3 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts23153">releases
page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23153.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20130920">20 September 2013 - Struts 2.3.15.2 General Availability
Release - Security Fix Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- Two security issues were solved with this release:
- <ul>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-018.html">S2-018</a>
- - Broken Access Control Vulnerability in Apache Struts2
- </li>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-019.html">S2-019</a>
- - Dynamic Method Invocation disabled by default
- </li>
- </ul>
-</p>
-<p>
- All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.15.2.
-</p>
-<p>
- Struts 2.3.15.2 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts23152">releases
page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20130716">16 July 2013 - Struts 2.3.15.1 General Availability Release
- Security Fix Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.15.1 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- Two security issues were solved with this release:
- <ul>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-016.html">S2-016</a>
- - Remote code execution vulnerability when using short-circuit navigation
- parameter prefixes
- </li>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-017.html">S2-017</a>
- - Open redirect vulnerability when using short-circuit redirect
- parameter prefixes
- </li>
- </ul>
-</p>
-<p>
- All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.15.1.
-</p>
-<p>
- Struts 2.3.15.1 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts23151">releases
page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23151.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-<h4 id="a20130622">22 June 2013 - Struts 2.3.15 General Availability
Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.15 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- It's a mostly maintenance release but few important improvements were added
as well:
- <ul>
- <li>Merged security fix from version 2.3.14.1, 2.3.14.2 and 2.3.14.3</li>
- <li>Resolved problem with memory leak in ContainerHolder</li>
- <li>Resolved bug related to struts.convention.action.includeJars</li>
- <li>Improved OSGi support to allow work in Glassfish 3</li>
- <li>Added support to create cookies from whitin an action</li>
- <li>New interface - ValidationAware - was added to allow notify actions
when there are action/field
- errors
- </li>
- <li>and other small improvments</li>
- </ul>
-Please check the Version Notes to see more details.
-</p>
-<p>
- All developers are recommended to update existing Struts 2 applications to
Struts 2.3.15.
-</p>
-<p>
- Struts 2.3.15 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts2315">releases page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/development/2.x/docs/version-notes-2315.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20130603">3 June 2013 - Struts 2.3.14.3 General Availability Release
- Security Fix Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.14.3 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- A highly critical security vulnerability was resolved in this release:
- <ul>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-015.html">S2-015</a>
- - A vulnerability introduced by wildcard matching mechanism or double
evaluation of OGNL Expression allows remote
- command execution
- </li>
- </ul>
-</p>
-<p>
- <strong>All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.14.3
- immediately.</strong>
-</p>
-<p>
- Struts 2.3.14.2 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts23143">releases
page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23143.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20130526">26 May 2013 - Struts 2.3.14.2 General Availability Release
- Security Fix Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.14.2 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- A highly critical security vulnerability was resolved in this release:
- <ul>
- <li>
- <a
href="http://struts.apache.org/release/2.3.x/docs/s2-014.html">S2-014</a> - A
vulnerability introduced by forcing
- parameter inclusion in the URL and Anchor Tag allows remote command
execution, session access and manipulation and
- XSS attacks
- </li>
- </ul>
-</p>
-<p>
- <strong>All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.14.2
- immediately.</strong>
-</p>
-<p>
- Struts 2.3.14.2 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts23142">releases
page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-23142.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
+<p class="pull-right">
+ Skip to: <a href="announce-2013.html">Announcements - 2013</a>
</p>
-<h4 id="a20130522">22 May 2013 - Struts 2.3.14.1 General Availability
Release</h4>
+<h4 id="a20140221">21 February 2014 - Immediately upgrade commons-fileupload
to version 1.3.1</h4>
<p>
- The Apache Struts group is pleased to announce that Struts 2.3.14.1 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
+ The Apache Struts Team recommends to immediately upgrade your Struts 2
+ based projects to use the latest released version of Commons
+ FileUpload library, which is currently 1.3.1. This is necessary to
+ prevent your publicly accessible web site from being exposed to
+ possible DoS attacks [1] [2].
</p>
<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
+ Your project is affected if it uses the built-in file upload mechanism
+ of Struts 2, which defaults to the use of commons-fileupload. The
+ updated commons-fileupload library is a drop-in replacement for the
+ vulnerable version. Deployed applications can be hardened by replacing
+ the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
+ Maven based Struts 2 projects, the following dependency needs to be
+ added:
</p>
+<pre>
+ <dependency>
+ <groupId>commons-fileupload</groupId>
+ <artifactId>commons-fileupload</artifactId>
+ <version>1.3.1</version>
+ </dependency>
+</pre>
<p>
- Two security issues were solved with this release:
- <ul>
+ More details can be found here:
+ <ol>
<li>
- Showcase app vulnerability allows remote command execution
+ <a
href="http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1">
+
http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1</a>
</li>
<li>
- A vulnerability, present in the includeParams attribute of the URL and
Anchor Tag, allows remote command execution
+ <a
href="http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%[email protected]%3E">
+
http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%[email protected]%3E</a>
</li>
- </ul>
-</p>
-<p>
- All developers are strongly advised to update existing Struts 2 applications
to Struts 2.3.14.1.
-</p>
-<p>
- Struts 2.3.14.1 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts23141">releases
page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/development/2.x/docs/version-notes-23141.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20130411">11 April 2013 - Struts 2.3.14 General Availability
Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.14 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- It's a mostly maintenance release but few important improvements were added
as well:
- <ul>
- <li>All the annotations related to validators were updated to match the
implementing classes</li>
- <li>The JUnit plugin supports now the Convention plugin configuration
(check StrutsJUnit4ConventionTestCaseTest)</li>
- <li>Logging support was improved and extended to allow use user custom
implementation of LoggingFactory</li>
- </ul>
-Please check the Version Notes to see more details.
-</p>
-<p>
- All developers are recommended to update existing Struts 2 applications to
Struts 2.3.14.
-</p>
-<p>
- Struts 2.3.14 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts2314">releases page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/development/2.x/docs/version-notes-2314.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
-</p>
-<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
-</p>
-
-<h4 id="a20130405">5 April 2013 - Apache Struts 1 End-Of-Life (EOL)
Announcement</h4>
-<p>
- The Apache Struts Project Team would like to inform you that the Struts 1.x
web framework has
- reached its end of life and is no longer officially supported.
-</p>
-<p>
- Please check the following readings to find more details.
- <ul>
- <li><a href="struts1eol-announcement.html">Apache Struts 1 EOL
Announcement</a>, including a detailed Q/A section</li>
- <li><a href="struts1eol-press.html">Apache Struts 1 EOL Press
Release</a></li>
- </ul>
-</p>
-
-<h4 id="a20130306">6 March 2013 - Struts 2.3.12 General Availability
Release</h4>
-<p>
- The Apache Struts group is pleased to announce that Struts 2.3.12 is
- available as a "General Availability" release. The GA designation is our
- highest quality grade.
-</p>
-<p>
- Apache Struts 2 is an elegant, extensible framework for creating
- enterprise-ready Java web applications. The framework is designed to
- streamline the full development cycle, from building, to deploying, to
- maintaining applications over time.
-</p>
-<p>
- It's a mostly maintenance release but few important improvements were added
as well:
- <ul>
- <li>All validators were refactored and right now parameters can be set via
OGNL also parameter parse was removed</li>
- <li>Tag's required attribute was renamed to requiredLabel to allow support
of Html5 required attribute in the tags
- </li>
- <li>New Tiles 3 plugin was added to support Tiles 3 result type</li>
- <li>Support for JBoss 5 to work with the Convention Plugin was
improved</li>
- </ul>
-Please check the Version Notes to see more details.
-</p>
-<p>
- All developers are recommended to update existing Struts 2 applications to
Struts 2.3.12.
-</p>
-<p>
- Struts 2.3.12 is available in a full distribution or as separate library,
source, example and documentation
- distributions, from the
- <a href="http://struts.apache.org/download.cgi#struts2312">releases page</a>.
- The release is also available through the central Maven repository under
Group ID "org.apache.struts". The
- <a
href="http://struts.apache.org/development/2.x/docs/version-notes-2312.html">release
notes</a>
- are available online.
-</p>
-<p>
- The 2.3.x series of the Apache Struts framework has a minimum
- requirement of the following specification versions: Servlet API 2.4,
- JSP API 2.0, and Java 5.
+ </ol>
</p>
<p>
- Should any issues arise with your use of any version of the Struts
- framework, please post your comments to the user list, and, if
- appropriate, file a tracking ticket.
+ All developers are strongly advised to perform this action.
</p>
<p class="pull-right">
- Skip to: <a href="announce-2012.html">Announcements - 2012</a>
+ Skip to: <a href="announce-2013.html">Announcements - 2013</a>
</p>
<p class="pull-left">
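Review bot: The headings removed from announce.html carried the anchors a20130920, a20130716, a20130622, a20130603, a20130526, a20130522, a20130411, a20130405 and a20130306, so any existing link of the form announce.html#a2013... no longer finds its target on this page. Most of these entries are security-fix announcements that other pages may point at, so check the site for such links and retarget them to announce-2013.html, or keep a short pointer per entry here. The new entry itself refers to [1] [2], which only works as long as the ordered list below it stays in that order; linking the markers directly would be more robust.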
Modified: struts/site/trunk/content/index.html
URL:
http://svn.apache.org/viewvc/struts/site/trunk/content/index.html?rev=1570474&r1=1570473&r2=1570474&view=diff
==============================================================================
--- struts/site/trunk/content/index.html (original)
+++ struts/site/trunk/content/index.html Fri Feb 21 07:05:19 2014
@@ -128,9 +128,9 @@
<a
href="http://struts.apache.org/release/2.3.x/docs/version-notes-2316.html">Version
notes</a>
</div>
<div class="col-md-4">
- <h2>Want to help?</h2>
- <p>We welcome your help! If you want to learn more about how to build
- and patch the Struts 2 codebase, please read the <a
href="youatstruts.html">Developer Docs</a>
+ <h2>Immediately upgrade commons-fileupload!</h2>
+ <p>This is necessary to prevent your publicly accessible web site from
being exposed to
+ possible DoS attacks, <a href="announce.html#a20140221">read more</a>
</p>
</div>
<div class="col-md-4">
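Review bot: Replacing the "Want to help?" column removes the front page's link to youatstruts.html (Developer Docs) in these lines, with nothing visible here that restores it. If the security notice is meant to be temporary, add it as an extra block or note that this column needs to be reverted later, so the contributor entry point is not lost. The added sentence also ends in "possible DoS attacks, read more" with a comma splice and no full stop; "possible DoS attacks." followed by the link reads better.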
Copied: struts/site/trunk/source/announce-2013.html (from r1569212,
struts/site/trunk/source/announce.html)
URL:
http://svn.apache.org/viewvc/struts/site/trunk/source/announce-2013.html?p2=struts/site/trunk/source/announce-2013.html&p1=struts/site/trunk/source/announce.html&r1=1569212&r2=1570474&rev=1570474&view=diff
==============================================================================
--- struts/site/trunk/source/announce.html (original)
+++ struts/site/trunk/source/announce-2013.html Fri Feb 21 07:05:19 2014
@@ -1,9 +1,9 @@
---
layout: default
-title: Announcements
+title: Announcements 2013
---
-<h1>Announcements</h1>
+<h1>Announcements - 2013</h1>
<p class="pull-right">
Skip to: <a href="announce-2012.html">Announcements - 2012</a>
</p>
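Review bot: The front-matter title becomes "Announcements 2013" while the heading on the next changed line is "Announcements - 2013", and the links added elsewhere in this commit also use "Announcements - 2013"; pick one form for both. In the lines shown, the archived page still offers only "Skip to: Announcements - 2012", so a reader who lands here has no link back to announce.html, where the current security notice lives; consider adding one.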
Added: struts/site/trunk/source/announce.html
URL:
http://svn.apache.org/viewvc/struts/site/trunk/source/announce.html?rev=1570474&view=auto
==============================================================================
--- struts/site/trunk/source/announce.html (added)
+++ struts/site/trunk/source/announce.html Fri Feb 21 07:05:19 2014
@@ -0,0 +1,60 @@
+---
+layout: default
+title: Announcements
+---
+
+<h1>Announcements</h1>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2013.html">Announcements - 2013</a>
+</p>
+
+<h4 id="a20140221">21 February 2014 - Immediately upgrade commons-fileupload
to version 1.3.1</h4>
+<p>
+ The Apache Struts Team recommends to immediately upgrade your Struts 2
+ based projects to use the latest released version of Commons
+ FileUpload library, which is currently 1.3.1. This is necessary to
+ prevent your publicly accessible web site from being exposed to
+ possible DoS attacks [1] [2].
+</p>
+<p>
+ Your project is affected if it uses the built-in file upload mechanism
+ of Struts 2, which defaults to the use of commons-fileupload. The
+ updated commons-fileupload library is a drop-in replacement for the
+ vulnerable version. Deployed applications can be hardened by replacing
+ the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
+ Maven based Struts 2 projects, the following dependency needs to be
+ added:
+</p>
+<pre>
+ <dependency>
+ <groupId>commons-fileupload</groupId>
+ <artifactId>commons-fileupload</artifactId>
+ <version>1.3.1</version>
+ </dependency>
+</pre>
+<p>
+ More details can be found here:
+ <ol>
+ <li>
+ <a
href="http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1">
+
http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1</a>
+ </li>
+ <li>
+ <a
href="http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%[email protected]%3E">
+
http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%[email protected]%3E</a>
+ </li>
+ </ol>
+</p>
+<p>
+ All developers are strongly advised to perform this action.
+</p>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2013.html">Announcements - 2013</a>
+</p>
+
+<p class="pull-left">
+ <strong>Next:</strong>
+ <a href="kickstart.html">Kickstart FAQ</a>
+</p>
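Review bot: Inside the added <pre> block the Maven snippet is written with literal angle brackets (<dependency>, <groupId>, <artifactId>, <version>), so a browser will parse them as unknown elements and render only the bare text "commons-fileupload commons-fileupload 1.3.1"; the one fragment readers are meant to copy will not be visible as XML. Escape them as &lt;dependency&gt; and so on. Separately, the <ol> is nested inside a <p>, which HTML does not permit: the parser closes the paragraph before the list and the trailing </p> is left dangling, so close the paragraph after "More details can be found here:" instead. It would also help to say which versions of commons-fileupload are affected, since the text only names the fixed one.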
Modified: struts/site/trunk/source/index.html
URL:
http://svn.apache.org/viewvc/struts/site/trunk/source/index.html?rev=1570474&r1=1570473&r2=1570474&view=diff
==============================================================================
--- struts/site/trunk/source/index.html (original)
+++ struts/site/trunk/source/index.html Fri Feb 21 07:05:19 2014
@@ -25,9 +25,9 @@ title: Welcome to the Apache Struts proj
<a href="http://struts.apache.org/release/2.3.x/docs/version-notes-{{
site.current_version_short }}.html">Version notes</a>
</div>
<div class="col-md-4">
- <h2>Want to help?</h2>
- <p>We welcome your help! If you want to learn more about how to build
- and patch the Struts 2 codebase, please read the <a
href="youatstruts.html">Developer Docs</a>
+ <h2>Immediately upgrade commons-fileupload!</h2>
+ <p>This is necessary to prevent your publicly accessible web site from
being exposed to
+ possible DoS attacks, <a href="announce.html#a20140221">read more</a>
</p>
</div>
<div class="col-md-4">
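Review bot: The front-page teaser says "Immediately upgrade commons-fileupload!" but, unlike the announcement heading, does not name the target version 1.3.1, so a reader who only sees the index page cannot tell whether they are already on the fixed release. Put the version in the <h2> or the sentence below it. Since this file is the source for the rendered index.html, the wording fix belongs here rather than in content/.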