The Apache Struts 2.5.12 test build is now available. With this
release the following security vulnerabilities were addressed:

- Possible DoS attack when using URLValidator, see
https://cwiki.apache.org/confluence/display/WW/S2-047
- A DoS attack is available for Spring secured actions, see
https://cwiki.apache.org/confluence/display/WW/S2-049

Apart from that, the following issues were also addressed:

Bug
[WW-3171] - "double" and "Double" are not validated with the same
decimal separator
[WW-3357] - ognl.MethodFailedException when you do not enter a value
for a field mapped to an int.
[WW-3650] - Double Value Conversion with requestLocale=de
[WW-3659] - strange behavior of s:a tag with s:include tag inside
[WW-3905] - The TextProvider injection in ActionSupport isn't quite
integrated into the framework's core DI
[WW-4105] - Struts2 raise java.lang.ClassCastException when Result type is chain
[WW-4472] - @InputConfig annotation is not working when integrating
with spring aop
[WW-4528] - ChainingInterceptor does not handle lists correctly for
excludes and includes
[WW-4578] - Validators do not work for multiple values
[WW-4581] - BigDecimal are not converted according context locale
[WW-4663] - NullPointerException when displaying a form without action attribute
[WW-4665] - Struts2 JSR286 Portlet fileupload not working
[WW-4694] - AnnotationWorkflowInterceptor doesn't work with spring
proxied action
[WW-4736] - Upgrade to Log4j2 version 2.8
[WW-4737] - Array-of-null parameters are converted to arrays containing "null"
[WW-4739] - <s:reset> tag does not properly interpret the attribute tabindex
[WW-4740] - NullPointer in com.opensymphony.xwork2.ActionSupport.getLocale
[WW-4741] - Http Sessions forcefully created for all requests using
I18nInterceptor with default Storage value.
[WW-4746] - cssErrorClass attribute has no effect on label tag
[WW-4747] - s:file generates input tag with "value" attribute
[WW-4750] - Why JSONValidationInterceptor return Status Code 400
BAD_REQUEST instead of 200 SUCCESS
[WW-4758] - @autowired does not work since Struts 2.3.28.1
[WW-4772] - Convention Plugin can't use ${message}
[WW-4773] - Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1
[WW-4774] - Upgrading Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP
[WW-4775] - Action class Attributes(value stack) is not getting
populated through Ajax url request parms
[WW-4784] - <s:url tag is not working after Struts 2.5.10.1 migration
[WW-4786] - Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin
gives a NoSuchDefinitionException
[WW-4788] - Parameters which are added via ServletDispatcherResult
aren't available in #parameters
[WW-4790] - struts 2.5.10.1 upgrade cause more frequent garbage collection
[WW-4794] - Subreport call "Caused by: java.lang.ClassCastException:
org.apache.struts2.views.jasperreports.ValueStackDataSource cannot be
cast to java.util.Collection"
[WW-4800] - Aspects are not executed when chaining AOPed actions
[WW-4801] - Duplicate hidden input field checkboxListHandler
[WW-4804] - inputtransferselect does not auto-select its elements
[WW-4810] - Calling empty locale

Improvement
[WW-1534] - The value of checkbox getted in server-side is "false"
when no any checkbox been selected.
[WW-3924] - refactor file upload framework
[WW-3952] - creditCard validator available in Struts 1 missing in Struts 2
[WW-4149] - No easy way to have an empty interceptor stack if have default stack
[WW-4210] - @TypeConversion converter attribute to class
[WW-4714] - Convert LocalizedTextUtil into a bean with default implementation
[WW-4743] - NPE in StrutsTilesContainerFactory when resource isn't found
[WW-4744] - AnnotationWorkflowInterceptor should supports non-public
annotated methods
[WW-4748] - Upgrade commons-lang3 to 3.5
[WW-4749] - Buffer/Flush behaviour in FreemarkerResult
[WW-4751] - Struts2 should know and consider config time class of user's Actions
[WW-4752] - getters of exclude-sets in OgnlUtil should return
immutable collections
[WW-4753] - Make DelegatingValidatorContext injectable
[WW-4754] - Mark site-graph plugin as deprecated
[WW-4756] - Use TextProviderFactory instead of TextProvider as bean's dependency
[WW-4757] - Create LocaleProviderFactory and uses instead of LocaleProvider
[WW-4761] - Improve error logging in DefaultDispatcherErrorHandler
[WW-4762] - DefaultLocalizedTextProvider refactoring
[WW-4764] - Make jakarta-stream multipart parser more extensible
[WW-4767] - Make Multipart parsers more extensible
[WW-4768] - Add proper validation if request is a multipart request
[WW-4769] - Make SecurityMethodAccess excluded classes & packages
definitions immutable
[WW-4771] - minor typos in confluence page "security.html"
[WW-4780] - Upgrade to Log4j2 2.8.2
[WW-4785] - Allow disable file upload support via an configurable option
[WW-4787] - TestCase XWorkMapPropertyAccessorTest should be moved to
src/test/java
[WW-4791] - Stop using DefaultLocalizedTextProvider#localeFromString
static util method
[WW-4793] - Don't add JBossFileManager as a possible FileManager when
not on JBoss
[WW-4795] - There is no @LongRangeFieldValidator annotation to support
LongRangeFieldValidator
[WW-4805] - At least a DoS attack is available for Spring secured actions
[WW-4809] - Upgrade to commons-lang 3.6
[WW-4812] - Update commons-fileupload

New Feature
[WW-3399] - JCR(JSR-170) Struts2 plugin

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.5.12/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 24 hours, longer upon request.
A vote can be amended at any time to upgrade or downgrade the quality
of the release based on future experience. If an initial vote
designates the build as "Beta", the release will be submitted for
mirroring and announced to the user list. Once released as a public
beta, subsequent quality votes on a build may be held on the user
list.

As always, the act of voting carries certain obligations. A binding
vote not only states an opinion, but means that the voter is agreeing
to help do the work.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
