The Apache Struts 2.5.12 test build is now available. With this release the following security vulnerabilities were addressed:

- Possible DoS attack when using URLValidator, see https://cwiki.apache.org/confluence/display/WW/S2-047
- A DoS attack is available for Spring secured actions, see https://cwiki.apache.org/confluence/display/WW/S2-049

Apart from that, the following issues were also addressed:

Bug
[WW-3171] - "double" and "Double" are not validated with the same decimal séparator
[WW-3357] - ognl.MethodFailedException when you do not enter a value for a field mapped to an int.
[WW-3650] - Double Value Conversion with requestLocale=de
[WW-3659] - strange behavior of s:a tag with s:include tag inside
[WW-3905] - The TextProvider injection in ActionSupport isn't quite integrated into the framework's core DI
[WW-4105] - Struts2 raise java.lang.ClassCastException when Result type is chain
[WW-4472] - @InputConfig annotation is not working when integrating with spring aop
[WW-4528] - ChainingInterceptor does not handle lists correctly for excludes and includes
[WW-4578] - Validators do not work for multiple values
[WW-4581] - BigDecimal are not converted according context locale
[WW-4663] - NullPointerException when displaying a form without action attribute
[WW-4665] - Struts2 JSR286 Portlet fileupload not working
[WW-4694] - AnnotationWorkflowInterceptor doesn't work with spring proxied action
[WW-4736] - Upgrade to Log4j2 version 2.8
[WW-4737] - Array-of-null parameters are converted to arrays containing "null"
[WW-4739] - <s:reset> tag does not properly interpret the attribute tabindex
[WW-4740] - NullPointer in com.opensymphony.xwork2.ActionSupport.getLocale
[WW-4741] - Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
[WW-4746] - cssErrorClass attribute has no effect on label tag
[WW-4747] - s:file generates input tag with "value" attribute
[WW-4750] - Why JSONValidationInterceptor return Status Code 400 BAD_REQUEST instead of 200 SUCCESS
[WW-4758] - @autowired does not work since Struts 2.3.28.1
[WW-4772] - Convention Plugin can't use ${message}
[WW-4773] - Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1
[WW-4774] - Upgrding Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP
[WW-4775] - Action class Attributes(value stack) is not getting populated through Ajax url request parms
[WW-4784] - <s:url tag is not working after Struts 2.5.10.1 migration
[WW-4786] - Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a NoSuchDefinitionException
[WW-4788] - Parameters which are added via ServletDispatcherResult aren't availabe in #parameters
[WW-4790] - struts 2.5.10.1 upgrade cause more frequent garbage collection
[WW-4794] - Subreport call "Caused by: java.lang.ClassCastException: org.apache.struts2.views.jasperreports.ValueStackDataSource cannot be cast to java.util.Collection"
[WW-4800] - Aspects are not executed when chaining AOPed actions
[WW-4801] - Duplicate hidden input field checkboxListHandler
[WW-4804] - inputtransferselect does not auto-select its elements
[WW-4810] - Calling empty locale

Improvement
[WW-1534] - The value of checkbox getted in server-side is "false" when no any checkbox been selected.
[WW-3924] - refactor file upload framework
[WW-3952] - creditCard validator available in Struts 1 missing in Struts 2
[WW-4149] - No easy way to have an empty interceptor stack if have default stack
[WW-4210] - @TypeConversion converter attribut to class
[WW-4714] - Convert LocalizedTextUtil into a bean with default implementation
[WW-4743] - NPE in StrutsTilesContainerFactory when resource isn't found
[WW-4744] - AnnotationWorkflowInterceptor should supports non-public annotated methods
[WW-4748] - Upgrade commons-lang3 to 3.5
[WW-4749] - Buffer/Flush behaviour in FreemarkerResult
[WW-4751] - Struts2 should know and consider config time class of user's Actions
[WW-4752] - getters of exclude-sets in OgnlUtil should return immutable collections
[WW-4753] - Make DelegatingValidatorContext injectable
[WW-4754] - Mark site-graph plugin as deprecated
[WW-4756] - Use TextProviderFactory instead of TextProvider as bean's dependency
[WW-4757] - Create LocaleProviderFactory and uses instead of LocaleProvider
[WW-4761] - Improve error logging in DefaultDispatcherErrorHandler
[WW-4762] - DefaultLocalizedTextProvider refactoring
[WW-4764] - Make jakarta-stream multipart parser more extensbile
[WW-4767] - Make Multipart parsers more extensible
[WW-4768] - Add proper validation if request is a multipart request
[WW-4769] - Make SecurityMethodAccess excluded classes & packages definitions immutable
[WW-4771] - minor typos in confluence page "security.html"
[WW-4780] - Upgrade to Log4j2 2.8.2
[WW-4785] - Allow disable file upload support via an configurable option
[WW-4787] - TestCase XWorkMapPropertyAccessorTest should be moved to src/test/java
[WW-4791] - Stop using DefaultLocalizedTextProvider#localeFromString static util method
[WW-4793] - Don't add JBossFileManager as a possible FileManager when not on JBoss
[WW-4795] - There is no @LongRangeFieldValidator annotation to support LongRangeFieldValidator
[WW-4805] - At least a DoS attack is available for Spring secured actions
[WW-4809] - Upgrade to commons-lang 3.6
[WW-4812] - Update commons-fileupload

New Feature
[WW-3399] - JCR(JSR-170) Struts2 plugin

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.5.12/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s.

The vote will remain open for at least 24 hours, longer upon request. A vote can be amended at any time to upgrade or downgrade the quality of the release based on future experience. If an initial vote designates the build as "Beta", the release will be submitted for mirroring and announced to the user list. Once released as a public beta, subsequent quality votes on a build may be held on the user list.

As always, the act of voting carries certain obligations. A binding vote not only states an opinion, but means that the voter is agreeing to help do the work.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/