[ANN] Apache Struts 2.5.16 GA

2018-03-16 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.16 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

Below is a full list of all changes:

- Unclosed instantiation of PrintWriter
- HTTP sessions forcefully created for all requests using I18nInterceptor with default Storage value
- NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
- NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
- ClassCastException in JarEntryRevision
- Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
- The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in a future release, it will no longer be possible to describe a converter by the name (id) of a Spring bean.
- Conversion by annotation does not work
- List of Boolean is not populated in Action class
- JSONResult exception in struts2-json-plugin-2.5.14.1.jar
- Buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml
- Could not create JarEntryRevision for [zip:C:/ unknown protocol c
- NPE in I18nInterceptor$SessionLocaleHandler.read
- JasperReportResult: NPE when not using SQL connection
- Support JSR 303 Validation Groups in BeanValidation-Plugin
- Debug tag should not display anything when not in dev mode
- Allow use of the Initializable interface on an implementation level
- Allowed methods inheritance
- Allow use of Jackson XML bindings to serialise / deserialise XML
- When using a custom array as a field in a Struts 2 action form, textfield data from the JSP page is not populated into the custom array, but is populated into a String array or array list
- Upgrade Spring to version 4.3.13
- Update Log4j2 to 2.10.0

Please read the Version Notes for more details about the bug fixes and
improvements:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions: Servlet API 2.4,
JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


The Apache News Round-up: week ending 16 March 2018

2018-03-16 Thread Sally Khudairi
[this post is available online at https://s.apache.org/kclv ]

It's time for our mid-month review of the Apache Community's activities since 
last week:

ASF Board – management and oversight of the business affairs of the corporation 
in accordance with the Foundation's bylaws.
 - Next Board Meeting: 21 March. Board calendar and minutes 
http://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series.
 - Travel Assistance applications now being accepted for ApacheCon/Montreal 
https://www.apache.org/travel/
 - CFP is open for ApacheCon 24-29 September in Montreal http://apachecon.com/

Apache Community Development – helps newcomers take their first steps towards 
being a part of the Apache community.
 - The ASF is a Google Summer of Code Mentoring Organization for the 13th 
consecutive year. Students: roll up sleeves and get started with dozens of 
Apache projects at https://community.apache.org/gsoc.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's 
infrastructure running around the clock.
 - 7M+ weekly checks yield fabulous performance at 99.96% uptime. 
http://status.apache.org/

ASF Operations Factoid – this week, 499 Apache contributors changed 896,598 
lines of code over 3,223 commits. Top 5 contributors, in order, are: Carlos 
Sanchez Gonzalez, Alex Harui, Gintas Grigelionis, Tellier Benoit, and Iñigo 
Goiri.

Apache Allura™ – an Open Source implementation of a software "forge" that 
manages source code repositories, bug reports, discussions, wiki pages, blogs 
and more for any number of individual projects.
 - [SECURITY] CVE-2018-1319 Apache Allura HTTP response splitting 
http://mail-archives.apache.org/mod_mbox/www-announce/201803.mbox/%3Cf89f6551-b72e-5a20-6013-8adf5acd752a%40apache.org%3E

Apache Calcite™ Avatica – a framework for building database drivers.
 - Apache Calcite Avatica 1.11.0 released https://calcite.apache.org/

Apache Commons™ Compress – working with zip, ar, jar, bz2, cpio, tar, gz, dump, 
pack200, lzma, 7z, arj and xz files.
 - [SECURITY] CVE-2018-1324 Apache Commons Compress denial of service 
vulnerability 
http://mail-archives.apache.org/mod_mbox/www-announce/201803.mbox/%3C87woycifgl.fsf%40v45346.1blu.de%3E

Apache CXF™ – an Open Source services framework.
 - Apache CXF 3.1.15 released http://cxf.apache.org/

Apache Jackrabbit™ Oak – a scalable, high-performance hierarchical content 
repository designed for use as the foundation of modern world-class Web sites 
and other demanding content applications.
 - Apache Jackrabbit Oak 1.2.29 released http://jackrabbit.apache.org/

Apache Juneau™ – a toolkit for marshalling POJOs to a wide variety of content 
types using a common framework, and for creating sophisticated self-documenting 
REST interfaces and microservices using very little code.
 - Apache Juneau 7.1.0 released http://juneau.apache.org/

Apache PredictionIO™ – an open source Machine Learning Server built on top of a 
state-of-the-art open source stack that enables developers to manage and 
deploy production-ready predictive services for various kinds of machine 
learning tasks.
 - Apache PredictionIO 0.12.1 released http://predictionio.apache.org/

Apache SensSoft (incubating) – a user activity logging and analytics system that 
enables developers to instrument and extract design and user insights from 
their applications.
 - Apache SensSoft (Incubating) UserALE.js 1.0.0 released 
http://senssoft.incubator.apache.org/

Apache Tomcat™ – an Open Source software implementation of the Java Servlet, 
JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC 
technologies.
 - Apache Tomcat 8.5.29 released http://tomcat.apache.org/
 - [SECURITY] CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal 
http://mail-archives.apache.org/mod_mbox/www-announce/201803.mbox/%3Cadc2b992-cbd1-145d-2812-f0f2cc69c099%40apache.org%3E


Did You Know?

 - Did you know that Apache NetBeans (incubating) Day UK will be held 27 April 
2018? 
https://www.eventbrite.co.uk/e/apache-netbeans-day-uk-2018-tickets-43401128945

 - Did you know that you can participate in the Apache Drill "wishlist" survey? 
https://twitter.com/ApacheDrill/status/974499942751289344

 - Did you know that Apache Committers receive a 50% discount off registration 
for DataWorks Summit? Contact apachedwsdiscount(at)hortonworks(dot)com for the 
code.


Apache Community Notices:
 - The Apache Software Foundation 2018 Vision Statement 
https://s.apache.org/zqC3

 - Apache in 2017 - By The Digits https://s.apache.org/h8do

 - Foundation Statement – Apache Is Open. https://s.apache.org/PIRA

 - "Success at Apache" focuses on the processes behind why the ASF "just 
works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No 
Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making 
https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) 
JFDI -- the unconditional love of contributors https://s.apac

[CVE-2018-1324] Apache Commons Compress denial of service vulnerability

2018-03-16 Thread Stefan Bodewig
CVE-2018-1324: Apache Commons Compress denial of service vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.11 to 1.15

Description:
A specially crafted ZIP archive can be used to cause an infinite loop
inside of Compress' extra field parser used by the ZipFile and
ZipArchiveInputStream classes.  This can be used to mount a denial of
service attack against services that use Compress' zip package.

Mitigation:
Commons Compress users should upgrade to 1.16 or later

Credit:
This issue was discovered by Luis Filipe Nassif.