[ANN] Apache Struts 6.4.0
The Apache Struts group is pleased to announce that Apache Struts version 6.4.0 is available as a “General Availability” release. The GA designation is our highest quality grade.

The Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This version contains a lot of proactive security improvements, which should make your application hard to compromise.

Please read the Version Notes to find more details about performed bug fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.4.0

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page.
https://struts.apache.org/download.cgi#struts-ga

Regards
Lukasz
CVE-2023-41835: Apache Struts: excessive disk usage
Severity: moderate

Affected versions:
- Apache Struts 2.0.0 through 2.5.31
- Apache Struts 6.1.2.1 through 6.3.0

Description:
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.

Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.

References:
https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
https://struts.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-41835
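A defender-side check for the behaviour this advisory describes, added here as an example and not part of the advisory or of the Struts project: a scan of struts.multipart.saveDir that reports (or removes) upload temp files older than any request that could still be in flight, which is what an unpatched deployment needs to watch while waiting for the upgrade. The "*.tmp" glob, the age threshold and the sample directory it builds are assumptions.

```python
"""Orphaned-upload scan for a Struts multipart saveDir.

Added example, not Apache Struts project code. CVE-2023-41835 leaves the
uploaded files in struts.multipart.saveDir when a multipart request is denied
for exceeding maxStringLength, so on an unpatched deployment that directory
grows until the disk fills. A scheduled run of this scan reports (and, if
asked, removes) temp files older than any legitimate in-flight request.
Assumptions: the temp-file glob ("*.tmp") and the age threshold are
placeholders to adjust to your deployment; the sample directory is constructed.
"""
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple


@dataclass
class StaleUpload:
    path: Path
    size_bytes: int
    age_seconds: float


def find_stale_uploads(save_dir, max_age_seconds: float, pattern: str = "*.tmp",
                       now: Optional[float] = None) -> List[StaleUpload]:
    """Return files in save_dir matching pattern whose mtime is older than
    max_age_seconds, oldest first. A request that completes normally removes
    its temp files when the action finishes, so anything older than the longest
    upload you expect is an orphan worth alerting on."""
    now = time.time() if now is None else now
    stale = []
    for entry in Path(save_dir).glob(pattern):
        if not entry.is_file():
            continue
        st = entry.stat()
        age = now - st.st_mtime
        if age > max_age_seconds:
            stale.append(StaleUpload(entry, st.st_size, age))
    return sorted(stale, key=lambda s: s.age_seconds, reverse=True)


def purge_stale_uploads(save_dir, max_age_seconds: float, pattern: str = "*.tmp",
                        dry_run: bool = True,
                        now: Optional[float] = None) -> Tuple[int, int]:
    """Report or delete orphans; returns (count, bytes reclaimable/reclaimed)."""
    stale = find_stale_uploads(save_dir, max_age_seconds, pattern, now)
    freed = 0
    for item in stale:
        if not dry_run:
            item.path.unlink(missing_ok=True)
        freed += item.size_bytes
    return len(stale), freed


def build_sample_save_dir(now: float) -> Path:
    """Constructed sample: two orphans from denied requests (old mtimes), one
    upload still in flight (fresh), and one unrelated file the glob must skip."""
    d = Path(tempfile.mkdtemp(prefix="struts-savedir-"))
    for name, age, size in [("upload_1.tmp", 3600, 5000),
                            ("upload_2.tmp", 7200, 1024),
                            ("upload_3.tmp", 5, 10),
                            ("notes.txt", 9999, 3)]:
        p = d / name
        p.write_bytes(b"x" * size)
        os.utime(p, (now - age, now - age))
    return d


def demo(dry_run: bool = True) -> Tuple[int, int, int]:
    """Run the scan over the constructed directory with a 10-minute threshold.
    Returns (orphans found, bytes, *.tmp files left afterwards)."""
    now = time.time()
    d = build_sample_save_dir(now)
    count, freed = purge_stale_uploads(d, 600, dry_run=dry_run, now=now)
    remaining = len(list(d.glob("*.tmp")))
    shutil.rmtree(d, ignore_errors=True)  # tidy up the constructed sample
    return count, freed, remaining


if __name__ == "__main__":
    count, freed, remaining = demo()
    print(f"{count} orphaned upload(s), {freed} bytes reclaimable, "
          f"{remaining} temp file(s) present")
```

Run it with dry_run=True from cron first and compare the reported paths against active sessions before letting it delete anything.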
[ANN] Apache Struts 6.3.0.2 & 2.5.33
The Apache Struts group is pleased to announce that Apache Struts versions 6.3.0.2 & 2.5.33 are available as “General Availability” releases. The GA designation is our highest quality grade.

The Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This version addresses a potential security vulnerability identified as CVE-2023-50164 and described in S2-066 - please read the mentioned security bulletins for more details. This is a drop-in replacement and upgrade should be straightforward.
* https://cwiki.apache.org/confluence/display/WW/S2-066

Please read the Version Notes to find more details about performed bug fixes and improvements.
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0.2
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.33

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
* https://issues.apache.org/jira/projects/WW/

You can download this version from our download page.
* https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability
Severity: critical

Affected versions:
- Apache Struts 2.0.0 through 2.5.32
- Apache Struts 6.0.0 through 6.3.0.1

Description:
An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.1 or greater to fix this issue.

Credit:
Steven Seeley (reporter)

References:
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://struts.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50164
[ANN] Apache Struts 2.5.x EOL
The Apache Struts Project Team would like to inform you that the Struts 2.5.x web framework will reach its end of life in 6 months and won’t be officially supported.

Please check the following reading to find more details.
https://struts.apache.org/struts25-eol-announcement
Apache Struts 2.5.x EOL Announcement, including a detailed Q/A section.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 6.3.0.1, 6.1.2.2, 2.5.32
The Apache Struts group is pleased to announce that Apache Struts versions 6.3.0.1, 6.1.2.2 & 2.5.32 are available as “General Availability” releases. The GA designation is our highest quality grade.

The Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This version addresses a potential security vulnerability described in S2-065 - please read the mentioned security bulletins for more details. This is a drop-in replacement and upgrade should be straightforward.
* https://cwiki.apache.org/confluence/display/WW/S2-065

Please read the Version Notes to find more details about performed bug fixes and improvements.
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0.1
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.1.2.2
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.32

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
* https://issues.apache.org/jira/projects/WW/

You can download this version from our download page.
* https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
[ANN] Apache Struts 6.3.0
The Apache Struts group is pleased to announce that Apache Struts version 6.3.0 is available as a “General Availability” release. The GA designation is our highest quality grade.

The Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

> Note: This version includes the whole code of retired Apache Tiles, when you
> use the Struts Tiles plugin please remove any external dependencies to the
> Apache Tiles as the whole code is already included in the plugin.
> See WW-5233 for more details - https://issues.apache.org/jira/browse/WW-5233

Below is a full list of all changes:

Bug
WW-5330 - Issue when submitting a form with a textarea containing more than 4000 characters.
WW-5331 - Access to request attributes via tags is broken

Improvement
WW-5233 - Include Apache Tiles code base in the Tiles plugin
WW-5321 - notify / document about new maxStringLength limitation
WW-5327 - Stop using JavaBeans notation for setters in SecurityMemberAccess & MemberAccessValueStack
WW-5332 - Validate excluded package name list for missing commas
WW-5334 - Misc VelocityManager code cleanup
WW-5336 - Merge OgnlTool class into StrutsUtil class
WW-5337 - Improve performance of excluded classes and packages

Dependency
WW-5315 - Upgrades ASM to version 9.5
WW-5316 - Upgrades commons-io to version 2.13.0
WW-5317 - Upgrades log4j-api to version 2.20.0
WW-5318 - Upgrades slf4j-api to version 2.0.7
WW-5320 - finish Reproducible Builds
WW-5322 - Upgrade Jackson version to 2.15.2
WW-5323 - Upgrade JasperReports to version 6.20.5
WW-5325 - Upgrade commons-lang3 to version 2.13.0
WW-5329 - Upgrade xstream to version 1.4.20

Please read the Version Notes to find more details about performed bug fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.3.0

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page.
https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 6.2.0
The Apache Struts group is pleased to announce that Apache Struts 6.2.0 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2023#a20230710

Below is a full list of all changes.

Bug
WW-4434 - datetextfield.ftl is missing
WW-5199 - StrutsPrepareFilter and StrutsExecuteFilter do not support forwarding to another action
WW-5263 - CSP related interceptors have wrong short names
WW-5270 - Forwarding from a Struts excluded URL to an Action not working
WW-5271 - Select tag NOT working when using list=”#{ … }”
WW-5272 - java.lang.UnsupportedOperationException in the Time component
WW-5276 - Cleanup method of request is not called
WW-5289 - Execute and Wait Interceptor prevents JVM shutdown
WW-5295 - s:date ignores LocalTime
WW-5296 - Wrong DTD version
WW-5301 - Impossible to select alternate default VelocityManager bean
WW-5302 - Autogenerated html ID bases on unevaluated value of the name/action/method attributes
WW-5307 - Confusing documentation about ognl
WW-5309 - NamedVariablePatternMatcher throws when pattern begins with a variable
WW-5310 - s:url does not handle equal sign correctly
WW-5311 - NamedVariablePatternMatcher throws an IllegalArgumentException when named variable is not the last part of the sequence
WW-5312 - ExecuteAndWaitInterceptor inconsistent wait processing behaviour

New Feature
WW-5275 - Allow to configure more flexible Content-Security-Policy

Improvement
WW-4404 - Implement HttpInterceptor
WW-5196 - Make RequestMap and ApplicationMap to use generics, also correct SessionMap to always be of type
WW-5243 - Removes support for “struts.mapper.action.prefix.crossNamespaces”
WW-5251 - Remove deprecated interfaces used with ServletConfigInterceptor
WW-5253 - Remove deprecated methods from DefaultUrlHelper
WW-5261 - Refactor TagUtils#getStack()
WW-5262 - Extract excluded classes and beans out of struts-default.xml
WW-5264 - Extract XSLT result into a dedicated plugin
WW-5265 - Allow removal of a single/specific container provider
WW-5266 - Add configuration option for a per-file max size for multipart requests
WW-5268 - Add configuration option to exempt classes from OGNL package exclusions
WW-5273 - Support fileupload using native Servlet API 3.1 logic
WW-5280 - Cleanup NoParameters interfaces
WW-5283 - Update Struts Archetypes
WW-5285 - Upgrade commons-fileupload to ver 1.5 and add option to limit number of accepted files
WW-5288 - Make excluded package exemption logic more strict
WW-5290 - Refactor ConfigurationManager
WW-5292 - Allow overriding of Operations classes in two filter setup and assorted clean up
WW-5293 - Allow loading XML configuration from other than filesystem
WW-5304 - Drop deprecated methods from ActionContext
WW-5308 - Add minlength and maxlength to textarea on javatemplates plugin
WW-5314 - Do not log warnings for bad user input from JakartaMultiPartRequest

Task
WW-5278 - Clean up duplicated code across ActionValidatorManagers
WW-5279 - Improve readability of XmlConfigurationProvider class
WW-5284 - Further clean up ActionValidatorManager implementations
WW-5298 - Clean up StrutsVelocityContext
WW-5299 - Clean up ActionChainResult
WW-5300 - Make Dispatcher methods overridable

Dependency
WW-5269 - Upgrade Jackson to version 2.14.1
WW-5274 - Mark Pell Multipart plugin as deprecated
WW-5277 - Upgrade Freemarker to version 3.2.32

Version Notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.2.0

**All developers are strongly advised to perform this upgrade.**

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Apache Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 6.1.2.1
The Apache Struts group is pleased to announce that Apache Struts version 6.1.2.1 is available as a “General Availability” release. The GA designation is our highest quality grade.

The Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This version addresses two potential security vulnerabilities described in S2-063 and S2-064 - please read the mentioned security bulletins for more details. This is a drop-in replacement and upgrade should be straightforward.
* https://cwiki.apache.org/confluence/display/WW/S2-063
* https://cwiki.apache.org/confluence/display/WW/S2-064

Please read the Version Notes to find more details about performed bug fixes and improvements. Also, a dedicated migration guide has been prepared.
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.1.2.1
* https://cwiki.apache.org/confluence/display/WW/Struts+2.5+to+6.0.0+migration

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
* https://issues.apache.org/jira/projects/WW/

You can download this version from our download page.
* https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.31
The Apache Struts group is pleased to announce that Apache Struts version 2.5.31 is available as a “General Availability” release. The GA designation is our highest quality grade.

The Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This version addresses two potential security vulnerabilities described in S2-063 and S2-064 - please read the mentioned security bulletins for more details. This is a drop-in replacement and upgrade should be straightforward.
* https://cwiki.apache.org/confluence/display/WW/S2-063
* https://cwiki.apache.org/confluence/display/WW/S2-064

Please read the Version Notes to find more details about performed bug fixes and improvements.
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.31

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
* https://issues.apache.org/jira/projects/WW/

You can download this version from our download page.
* https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 6.1.2
The Apache Struts group is pleased to announce that Apache Struts 6.1.2 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2023#a20230310

Below is a full list of all changes.

Improvement
WW-5285 - Upgrade commons-fileupload to ver 1.5 and add option to limit number of accepted files

Version Notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.1.2

**All developers are strongly advised to perform this upgrade.**

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Apache Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
[ANN] Apache Struts 6.1.1 (proper list of issues)
The Apache Struts group is pleased to announce that Apache Struts 6.1.1 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2022#a20221128

Below is a full list of all changes.

Bug
WW-3529 - NamedVariablePatternMatcher does not properly escape characters
WW-3737 - Parsing of excludePattern breaks regex
WW-4514 - DefaultUrlHelper.buildParametersString appends just ? if collection is empty
WW-5145 - Checkbox with multiple values do not default correctly
WW-5214 - When value for SELECT element is greater than 2147483647, the value does not pre-select
WW-5238 - Strict Method Invocation (SMI) too strict or wrong ActionMapping?
WW-5239 - regression btw struts 2.5.30 and 6.0.30 / submit s:checkbox unchecked -> NPE
WW-5241 - is generating an invalid url when used in conjunction with ExecuteAndWait interceptor
WW-5247 - Related to: [WW-5117] - %{id} evaluates different for data-* and value attribute
WW-5248 - action attribute on submit tag not working as expected
WW-5255 - and tags are broken

New Feature
WW-4173 - Add option to disable a given interceptor

Improvement
WW-2815 - No way to configure XStream engine
WW-3691 - BackgroundProcess should use a java.util.concurrent.Executor alternatively to spawning a new thread
WW-3715 - Allow for dynamic validation xml files, by building validator cache based on action AND context
WW-3725 - Remove unused tag templates from core/src/main/resources/template/archive
WW-4440 - Add basic README.md to all subprojects
WW-4567 - Drop unused dependencies or put a proper scope
WW-4692 - Extract encoding logic from UrlHelper into a dedicated bean
WW-5133 - Remove deprecated labelposition
WW-5137 - Remove class attribute
WW-5184 - Add optional parameter value check to ParametersInterceptor
WW-5219 - Move TestNGXWorkTestCase from the Core into the TestNG plugin
WW-5220 - Move XWorkJUnit4TestCase from the Core into the JUnit plugin
WW-5232 - Use Github Actions instead of Travis to build PRs
WW-5234 - Normalise DTD definitions
WW-5235 - Reduce “OGNL Expression Max Length enabled with 256” log entry to trace
WW-5240 - doubleOnchange attribute of the doubleselect tag is not supported
WW-5242 - Make “struts.mapper.action.prefix.crossNamespaces” deprecated
WW-5252 - Completely disable external entities declarations in XML config
WW-5254 - Document how to use the Async plugin
WW-5257 - output is followed by a newline in simple theme (diff to Struts 2)
WW-5259 - Extract UrlHelper#parseQueryString into a dedicated plugin
WW-5260 - Checkbox tag default value for attribute submitUnchecked

Dependency
WW-5213 - Bump javax.el from 3.0.1-b11 to 3.0.1-b12
WW-5226 - Upgrade weld-core to version 2.4.8.Final
WW-5227 - Upgrade Apache Log4j to version 2.19.0
WW-5228 - Upgrade dependency-check-maven from 7.1.2 to 7.2.0
WW-5229 - Upgrade Spring to version 5.3.23
WW-5230 - Upgrade OGNL to version 3.3.4
WW-5231 - Upgrade apache-rat-plugin to version 0.15
WW-5244 - Upgrade commons-text to ver. 1.10.0
WW-5245 - Upgrade jackson-databind to version 2.13.4.1
WW-5258 - Upgrade Struts Annotation to version 1.0.8

Version Notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.1.1

**All developers are strongly advised to perform this upgrade.**

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Apache Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: [ANN] Apache Struts 6.1.1
Please ignore this announcement, it contains a wrong set of addressed issues. I will prepare a new one with a proper set of addressed tickets.

Sorry for the inconvenience
--
Łukasz

Mon, 28 Nov 2022 at 15:33 Lukasz Lenart wrote:
>
> The Apache Struts group is pleased to announce that Apache Struts
> 6.1.1 is available as a “General Availability” release. The GA
> designation is our highest quality grade.
> https://struts.apache.org/announce-2022#a20220915
>
> Below is a full list of all changes.
>
> Bug
> WW-5185 - TilesDefinition is not found and the request for a Struts
> action fails after an upgrade from Struts 2.5.30 to Struts 6.0.
> WW-5189 - Add missing struts-6.0.dtd
> WW-5190 - StackOverflowError when dispatching to JSP
> WW-5191 - template/simple/textarea.ftl not rendering parameters correctly
> WW-5192 - radiomap.ftl not setting enum key values
> WW-5194 - UIBean.evaluateParams() throws an IllegalStateException when
> getting the nonce out of a session that has been invalidated.
> WW-5195 - Dispatcher: Infinite loop with dispatcher FORWARD
> WW-5197 - java.lang.UnsupportedOperationException in the date component
> WW-5198 - textarea’s maxlength attribute displays in tag’s body
> WW-5203 - lazyPolicyBuilder in DefaultCspSettings is not lazy
> WW-5205 - REST plugin cannot start due to injection error
> WW-5207 - Convention Plugin - support for ASM 9
> WW-5215 - CspInterceptor assumes Session was already created
> WW-5216 - Freemarker Checkbox error after migrating from Struts 2.5.29 to
> 2.5.30
>
> New Feature
> WW-5187 - java.lang.NoClassDefFoundError:
> org/apache/struts2/views/velocity/VelocityManager
>
> Improvement
> WW-5173 - Implement additional OGNL cache configuration controls
> WW-5188 - Use 6.0 marker instead of 2.6
> WW-5218 - Allow to disable CSP related interceptors
>
> Dependency
> WW-5193 - Use proper hibernate-validator groupId and upgrade to
> version 6.1.3.Final
> WW-5201 - Bump Log4j2 to 2.18.0
> WW-5202 - Update jasperreports to 6.19.1 and exclude optional itext
> from jasperreports
> WW-5204 - Upgrade to OGNL 3.3.3
> WW-5208 - Update hibernate-validator to 6.2.4
> WW-5212 - Upgrade Spring to version 5.3.22
>
> Version Notes
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.1.1
>
> **All developers are strongly advised to perform this upgrade.**
>
> The 6.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions:
> Servlet API 3.1, JSP API 2.1, and Java 8.
>
> Should any issues arise with your use of any version of the Apache
> Struts framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.
> https://issues.apache.org/jira/projects/WW/
>
> You can download this version from our download page
> https://struts.apache.org/download.cgi#struts-ga
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 6.1.1
The Apache Struts group is pleased to announce that Apache Struts 6.1.1 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2022#a20220915

Below is a full list of all changes.

Bug
WW-5185 - TilesDefinition is not found and the request for a Struts action fails after an upgrade from Struts 2.5.30 to Struts 6.0.
WW-5189 - Add missing struts-6.0.dtd
WW-5190 - StackOverflowError when dispatching to JSP
WW-5191 - template/simple/textarea.ftl not rendering parameters correctly
WW-5192 - radiomap.ftl not setting enum key values
WW-5194 - UIBean.evaluateParams() throws an IllegalStateException when getting the nonce out of a session that has been invalidated.
WW-5195 - Dispatcher: Infinite loop with dispatcher FORWARD
WW-5197 - java.lang.UnsupportedOperationException in the date component
WW-5198 - textarea’s maxlength attribute displays in tag’s body
WW-5203 - lazyPolicyBuilder in DefaultCspSettings is not lazy
WW-5205 - REST plugin cannot start due to injection error
WW-5207 - Convention Plugin - support for ASM 9
WW-5215 - CspInterceptor assumes Session was already created
WW-5216 - Freemarker Checkbox error after migrating from Struts 2.5.29 to 2.5.30

New Feature
WW-5187 - java.lang.NoClassDefFoundError: org/apache/struts2/views/velocity/VelocityManager

Improvement
WW-5173 - Implement additional OGNL cache configuration controls
WW-5188 - Use 6.0 marker instead of 2.6
WW-5218 - Allow to disable CSP related interceptors

Dependency
WW-5193 - Use proper hibernate-validator groupId and upgrade to version 6.1.3.Final
WW-5201 - Bump Log4j2 to 2.18.0
WW-5202 - Update jasperreports to 6.19.1 and exclude optional itext from jasperreports
WW-5204 - Upgrade to OGNL 3.3.3
WW-5208 - Update hibernate-validator to 6.2.4
WW-5212 - Upgrade Spring to version 5.3.22

Version Notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.1.1

**All developers are strongly advised to perform this upgrade.**

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Apache Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts ver. 6.0.3 GA
The Apache Struts group is pleased to announce that Apache Struts 6.0.3 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2022#a20220915

Below is a full list of all changes.

Bug:
WW-5185 - TilesDefinition is not found and the request for a Struts action fails after an upgrade from Struts 2.5.30 to Struts 6.0.
WW-5189 - Add missing struts-6.0.dtd
WW-5190 - StackOverflowError when dispatching to JSP
WW-5191 - template/simple/textarea.ftl not rendering parameters correctly
WW-5192 - radiomap.ftl not setting enum key values
WW-5194 - UIBean.evaluateParams() throws an IllegalStateException when getting the nonce out of a session that has been invalidated.
WW-5195 - Dispatcher: Infinite loop with dispatcher FORWARD
WW-5197 - java.lang.UnsupportedOperationException in the date component
WW-5198 - textarea’s maxlength attribute displays in tag’s body
WW-5203 - lazyPolicyBuilder in DefaultCspSettings is not lazy
WW-5205 - REST plugin cannot start due to injection error
WW-5207 - Convention Plugin - support for ASM 9
WW-5215 - CspInterceptor assumes Session was already created
WW-5216 - Freemarker Checkbox error after migrating from Struts 2.5.29 to 2.5.30

New Feature:
WW-5187 - java.lang.NoClassDefFoundError: org/apache/struts2/views/velocity/VelocityManager

Improvement
WW-5173 - Implement additional OGNL cache configuration controls
WW-5188 - Use 6.0 marker instead of 2.6
WW-5218 - Allow to disable CSP related interceptors

Dependency:
WW-5193 - Use proper hibernate-validator groupId and upgrade to version 6.1.3.Final
WW-5201 - Bump Log4j2 to 2.18.0
WW-5202 - Update jasperreports to 6.19.1 and exclude optional itext from jasperreports
WW-5204 - Upgrade to OGNL 3.3.3
WW-5208 - Update hibernate-validator to 6.2.4
WW-5212 - Upgrade Spring to version 5.3.22

Version Notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.0.3

**All developers are strongly advised to perform this upgrade.**

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Apache Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
https://issues.apache.org/jira/projects/WW/

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2 ver. 6.0.0
The Apache Struts group is pleased to announce that Apache Struts 2 ver. 6.0.0 is available as a "General Availability" release. The GA designation is our highest quality grade. **Version change** You may be surprised by the version change, previously we have been using Struts 2.5.x versioning schema, but this was a bit misleading. Struts 2 is a different framework than Struts 1 and its versioning is supposed to start with 1.0.0. Yet that never happened. With each breaking change release (like Struts 2.5), we had been only upgrading the MINOR part of the versioning schema. To fix that problem as from Struts 2 ver. 6.0.0 (aka Struts 2.6) we adopt a proper SemVer to avoid such confusion. **Internal Changes** The framework requires Java 8 at runtime. Also Servlet API 3.1 capable container is required. OGNL expressions are limited to 256 characters by default. See [WW-5179] and [docs] for more details. https://issues.apache.org/jira/browse/WW-5179 https://struts.apache.org/security/#apply-a-maximum-allowed-length-on-ognl-expressions Yasser's PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation. How to test: - Run all your app tests, you shouldn't see any WARN log like below: Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at https://struts.apache.org/security/ - See if following components are still functioning correctly regarding java-scripts: - forms with client side validations - doubleselect - combobox - Check also `StreamResult`s, `AliasInterceptor` and `JasperReportResult`s if they are still working as expected. Support to access static methods via OGNL expressions has been removed, use action instance methods instead. 
**Bug**

- WW-3534 - PrepareOperations.createActionContext does not detect existing context correctly
- WW-3730 - action tag accepts only String arrays as parameters
- WW-4723 - s:url incompatible with JDK 1.5
- WW-4742 - Problem with escape when the key from getText has no value
- WW-4865 - Struts s:checkbox conversion fails to List
- WW-4866 - ASM 5.2 and Java 9 leads to IllegalArgumentException
- WW-4897 - KEYS, sigs and hashes should use https (SSL)
- WW-4902 - Struts 2 fails to init Dispatcher - Tomcat Embedded
- WW-4928 - Setting struts.devMode from system property not working as described
- WW-4930 - SMI cannot be disabled for action-packages found via the convention-plugin
- WW-4941 - [jar_cache] Some jar_cache**.tmp files are generated into a temporary directory (/tmp) during web service start
- WW-4943 - opensymphony.xwork2.util.LocalizedTextUtil can't get i18n resources
- WW-4944 - Struts 2 REST Tiles integration issue
- WW-4945 - TagUtils#buildNamespace should throw an exception when invocation is null
- WW-4946 - Struts 2 spring integration is failing - fails to init Dispatcher - Tomcat Embedded
- WW-4948 - Struts 2.5.16 is creating jar_cache files in temp folder
- WW-4951 - MD5 and SHA1 should no longer be provided on download pages
- WW-4954 - xml-validation fails since struts 2.5.17
- WW-4957 - Update struts version from 2.5.10 to 2.5.17. LocalizedTextUtil class is removed and GlobalLocalizedTextProvider & StrutsLocalizedTextProvider cannot be used instead.
- WW-4958 - File upload fails from certain clients
- WW-4964 - Missing javascript in form-validate.ftl
- WW-4968 - combining s:set and s:property where the property retrieved is null has unexpected results
- WW-4971 - s:include tag fails with truncated content in certain circumstances
- WW-4974 - NullPointerException in DefaultStaticContentLoader#findStaticResource
- WW-4977 - Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest
- WW-4984 - Static files like css and js files in struts-core not properly served
- WW-4986 - Race condition reloading config results in actions not found
- WW-4987 - Setting Struts2 options Css Class
- WW-4991 - Not existing property in listValueKey throws exception
- WW-4997 - can't be resolved
- WW-4999 - Can't get OgnlValueStack log even if enable logMissingProperties
- WW-5002 - Package Level Properties in Global Results
- WW-5004 - No more calling of a static variable in Struts 2.8.20 available
- WW-5006 - NullPointerException in ProxyUtil class when accessing static member
- WW-5009 - EmptyStackException in JSON plugin due to concurrency
- WW-5011 - Tiles bug when parsing file:// URLs including # as part of the URL
- WW-5013 - Accessing static variable via OGNL returns nothing
- WW-5022 - Struts 2.6 escaping behaviour change for s:a (anchor) tag
- WW-5024 - HttpParameters.Builder can wrap objects in two layers of Parameters
- WW-5025 - Binding Integer Array upon form submission
- WW-5026 - Double-submit of TokenSessionStoreInterceptor broken since 2.5.16
- WW-5027 - xerces tries to load resources from the internet
- WW-5028 - Dispatcher prints stacktra
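The "How to test" step above asks you to run the application's tests and look for the `Expression [...] isn't allowed by pattern [...]!` WARN line. This added example (not Struts project code) scans a log for that line and summarises which OGNL expressions were rejected, so an application that relied on double evaluation can be located before upgrading; the log lines, logger names and the accepted pattern shown are constructed.

```python
"""Scan application logs for the Struts WARN line quoted in the 6.0.0
announcement and summarise the rejected OGNL expressions.
Added example, not Struts project code; sample log lines are constructed."""
import re
from collections import Counter

# Matches the message format quoted in the announcement.  Both captures are
# greedy on purpose: the expression may itself contain ']' (e.g. #session['x']),
# while the literal anchors "] isn't allowed by pattern [" and "]! See Accepted"
# occur exactly once per line, so backtracking lands on the right boundaries.
REJECTION_RE = re.compile(
    r"WARN.*Expression \[(?P<expr>.*)\] isn't allowed by pattern "
    r"\[(?P<pattern>.*)\]! See Accepted / Excluded patterns"
)


def parse_rejections(log_text):
    """Return a list of (line_no, expression, pattern) for every rejection WARN."""
    found = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REJECTION_RE.search(line)
        if m:
            found.append((line_no, m.group("expr"), m.group("pattern")))
    return found


def summarise_rejections(log_text):
    """Count rejections per distinct expression; an empty result is the clean outcome."""
    return Counter(expr for _, expr, _ in parse_rejections(log_text))


# Constructed sample log in a Log4j-style layout.  Logger names and the
# accepted pattern are illustrative only, not values taken from Struts.
SAMPLE_LOG = """\
2022-06-01 10:00:01,001 INFO  org.apache.struts2.dispatcher.Dispatcher - Initializing Struts
2022-06-01 10:00:05,002 WARN  com.opensymphony.xwork2.ognl.OgnlUtil - Expression [%{report.title}] isn't allowed by pattern [\\w+(\\.\\w+)*]! See Accepted / Excluded patterns at https://struts.apache.org/security/
2022-06-01 10:00:05,003 WARN  com.opensymphony.xwork2.ognl.OgnlUtil - Expression [#session['reportId']] isn't allowed by pattern [\\w+(\\.\\w+)*]! See Accepted / Excluded patterns at https://struts.apache.org/security/
2022-06-01 10:00:06,004 WARN  com.opensymphony.xwork2.ognl.OgnlUtil - Expression [%{report.title}] isn't allowed by pattern [\\w+(\\.\\w+)*]! See Accepted / Excluded patterns at https://struts.apache.org/security/
2022-06-01 10:00:07,005 WARN  org.apache.struts2.interceptor.FileUploadInterceptor - Request exceeded allowed size
"""

if __name__ == "__main__":
    for line_no, expr, pattern in parse_rejections(SAMPLE_LOG):
        print(f"line {line_no}: rejected expression {expr!r} (pattern {pattern!r})")
    print("distinct rejected expressions:", dict(summarise_rejections(SAMPLE_LOG)))
```

Point the script at the log produced by your test run; every distinct expression it lists is a place where the application still depends on an evaluation the new check refuses.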
[ANN] Apache Struts 2.5.30
The Apache Struts group is pleased to announce that Struts 2.5.30 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2022#a20220404

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes.

Internal Changes:
- Yasser’s PR has been merged which contains a fix to the double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.

Dependency:
- [WW-5170] - Upgrade Jackson-Core to version 2.10.5 and Jackson-Databind to 2.10.5.1
- [WW-5172] - Upgrade freemarker to 2.3.31

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
[ANN] Apache Struts 2.5.29
The Apache Struts group is pleased to announce that Struts 2.5.29 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2022#a20220122

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- [WW-5117] - %{id} evaluates different for data-* and value attribute
- [WW-5160] - Template not found for name “Empty{name=’templateDir’}/simple/hidden.ftl”
- [WW-5163] - Error executing FreeMarker template

Version Notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.29

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.28.3
The Apache Struts group is pleased to announce that Struts 2.5.28.3 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2022#a20220102

This release addresses the Log4j vulnerability CVE-2021-44832 by using the latest Log4j ver. 2.12.4 (Java 1.7 compatible).
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832

Please note that Apache Struts itself depends on the log4j-api package only; it is the users' responsibility to use a proper version of the log4j-core package!

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.28.2
The Apache Struts group is pleased to announce that Struts 2.5.28.2 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2021.html#a20211223

This release addresses the Log4j vulnerability CVE-2021-45105 by using the latest Log4j ver. 2.12.3 (Java 1.7 compatible).
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105

Please note that Apache Struts itself depends on the log4j-api package only; it is the users' responsibility to use a proper version of the log4j-core package!

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.28.1
The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2021.html#a20211217

This release addresses the Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible).
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.28
The Apache Struts group is pleased to announce that Struts 2.5.28 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2021.html#a20211212

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- labelposition attribute broken in Struts 2.5.27

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.27
The Apache Struts group is pleased to announce that Struts 2.5.27 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce-2021.html#a2026

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- PostbackResult uses wrong regex range
- %{id} evaluates different for data-* and value attribute
- Blocking Threads in retrieving text from resource bundle
- Contention when injecting Scope.SINGLETON instances
- CheckboxTag value missing for labelposition
- forbidden name attribute values (size, clone…?) in using the default theme
- ID param not being set
- Make labelposition deprecated
- Make class attribute deprecated
- Fix the compilation alarms of deprecated methods
- OGNL long conversion
- Upgrade XStream to version 1.4.16

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] [SECURITY] Apache Struts 2.0.0 - 2.5.25: Potential RCE when using forced evaluation - CVE-2020-17530
The Apache Struts Security team would like to announce that forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Affected products
Apache Struts 2.0.0 - 2.5.25

Problem
Some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression evaluation won't lead to the double evaluation.

Please read our Security Bulletin for more details:
https://cwiki.apache.org/confluence/display/WW/S2-061

This vulnerability was identified by:
- Alvaro Munoz - pwntester at github dot com
- Masato Anzai of Aeye Security Lab, inc.

All developers are strongly advised to perform this action.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Struts 2.5.26
The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce.html#a20201206

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- Junit plugin does not push ACTION_MAPPING into the context resulting in NPE
- Struts2 StaticParametersInterceptor’s addParametersToContext method is not working as expected

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Struts 2.5.25
The Apache Struts group is pleased to announce that Struts 2.5.25 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce.html#a20200928

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- Package Level Properties in Global Results
- AbstractMatcher adds values to the map passed into replaceParameters
- Minor bug in single file upload example of the Showcase application
- Unable to set long pathname variables
- s:set with empty body
- AliasInterceptor doesn’t properly handle Parameter.Empty
- Improve build behaviour on JDK9+
- Update multiple Struts 2.5.x libraries / Maven build plugin versions
- Upgrade OSGi to the latest version

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.22
The Apache Struts group is pleased to announce that Struts 2.5.22 is available as a “General Availability” release. The GA designation is our highest quality grade.
https://struts.apache.org/announce.html#a20191129

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Please be aware of new security enhancements added to this version of Struts; they are disabled by default but please consider enabling them to increase the safety of your application. You will find more details in our Security Guide.
https://struts.apache.org/security

Below is a full list of all changes:
- File upload fails from certain clients
- Not existing property in listValueKey throws exception
- Can't get OgnlValueStack log even if enable logMissingProperties
- No more calling of a static variable in Struts 2.8.20 available
- NullPointerException in ProxyUtil class when accessing static member
- EmptyStackException in JSON plugin due to concurrency
- Tiles bug when parsing file:// URLs including # as part of the URL
- Accessing static variable via OGNL returns nothing
- HttpParameters.Builder can wrap objects in two layers of Parameters
- Binding Integer Array upon form submission
- Double-submit of TokenSessionStoreInterceptor broken since 2.5.16
- xerces tries to load resources from the internet
- Dispatcher prints stacktraces directly to the console
- The content allowed-methods tag of the XML configuration is sometimes truncated
- OGNL: An illegal reflective access operation has occurred
- java.lang.reflect.InvocationTargetException - Class: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
- Struts2 convention plugin lacks Java 11 support
- Upgrade SLF4J to latest 1.7.x version
- Minor enhancement/fix to AbstractLocalizedTextProvider
- Provide mechanism to clear OgnlUtil caches
- Struts 2 unit testing using StrutTestCase class
- Upgrade Jackson library to the latest version
- Upgrade to OGNL version 3.1.22
- Update a few Struts 2.5.x libraries to more recent versions
- Upgrade commons-beanutils to version 1.9.4
- Upgrade jackson-databind to version 2.9.9.3
- Upgrade to OGNL 3.1.26 and adapt to its new features

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page
https://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.x EOL
As announced over 6 months ago, the Apache Struts 2.3.x web framework series has reached its end of life and will no longer be officially supported. Please check the following reading to find more details:
https://struts.apache.org/struts23-eol-announcement
https://struts.apache.org/announce#a20190912

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.37 GA
The Apache Struts group is pleased to announce that Struts 2.3.37 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- Struts 2.3.36 - InvalidPathException: Illegal char <:> on JDK 9,10,11 on windows
- Error when upgrading to struts2.3.35
- Upgraded commons-fileupload to version 1.4

Please read the Version Notes to find more details about performed bug fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.37

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.
https://struts.apache.org/download.cgi#struts-23x

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.20 GA
The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- s:include tag fails with truncated content in certain circumstances
- NullPointerException in DefaultStaticContentLoader#findStaticResource
- Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest
- Static files like css and js files in struts-core not properly served
- Race condition reloading config results in actions not found
- Setting Struts2 options Css Class
- Enhancement for s:set tag to improve tag body whitespace control.
- Add support for Java 11
- Upgraded commons-fileupload to version 1.4
- Update multiple Struts 2.5.x libraries to more recent versions
- Update OGNL versions for 2.6 and 2.5.x builds

Please read the Version Notes to find more details about performed bug fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.20

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.x End-Of-Life (EOL) Announcement
The Apache Struts Project Team would like to inform you that the Struts 2.3.x web framework will reach its end of life in 6 months and will no longer be officially supported.
https://struts.apache.org/announce#a20181114

This announcement takes place on 2018-11-14 and starting from that date we will only support Apache Struts 2.3.x in case of security vulnerabilities. Within that 6 month period you can expect that we do our best to keep the Struts 2.3.x branch secure, but some of the security related changes cannot happen without architectural changes that can affect backward compatibility. This is what happened to Struts 2.5.x: we introduced some internal changes to improve the framework’s overall security.

Questions and Answers

With the announcement of Struts 2.3.x EOL, what happens to Struts 2.3.x resources?

All resources will stay where they are. The documentation will still be accessible from the Apache Struts homepage, as well as the downloads for all released Struts 2.3.x versions. All of the Struts 2.3.x source code can be found in the Apache Struts Git repository under branch support-2-3, now and in future. All released Maven artifacts will still be accessible in Maven Central.

Given a major security problem or a serious bug is reported for Struts 2.3.x in the near future, can we expect a new release with fixes?

Yes, we will continue to support Struts 2.3.x in case of security issues for the next 6 months; after that time we won’t support this branch in any case.

Is there an immediate need to eliminate Struts 2.3.x from my projects?

As far as the Struts team is currently aware, there is no urgent issue posing the immediate need to eliminate Struts 2.3.x usage from your projects. However, you should consider migration to the latest available version as we stop supporting this version in 6 months.

We plan to start a new project based on Struts 2.3.x. Can we still do so?

Basically yes, but we would not recommend doing so. As long as no line of code is written, it is very easy to conceptually select the latest version of Struts 2.

My friends / colleagues and I would like to see Struts 2.3.x being maintained again. What can we do?

You are free to put effort into Struts 2.3.x. There is basically one possibility: fork the existing source and support it on your own.

On behalf of the Apache Struts Team

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior
The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36 based projects to use the latest released version of the Commons FileUpload library, which is currently 1.3.3. This is necessary to prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks (see [1] [2]). This affects Struts 2.3.36 and prior. Struts versions from 2.5.12 are already using the latest commons-fileupload version [3].

Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For Maven based Struts 2 projects, the following dependency needs to be added:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
    </dependency>

More details can be found here:
[1] https://issues.apache.org/jira/browse/FILEUPLOAD-279
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-131
[3] https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.

on behalf of the Apache Struts Team

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36
I meant commons-fileupload version 1.3.3, sorry for that.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Sun, 4 Nov 2018 at 10:30 Lukasz Lenart wrote:
>
> The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36
> based projects to use the latest released version of Commons
> FileUpload library, which is currently 1.3.1. This is necessary to
> prevent your publicly accessible web site from being exposed to
> possible DoS attacks [1] [2].
>
> Your project is affected if it uses the built-in file upload mechanism
> of Struts 2, which defaults to the use of commons-fileupload. The
> updated commons-fileupload library is a drop-in replacement for the
> vulnerable version. Deployed applications can be hardened by replacing
> the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
> Maven based Struts 2 projects, the following dependency needs to be
> added:
>
>     <dependency>
>         <groupId>commons-fileupload</groupId>
>         <artifactId>commons-fileupload</artifactId>
>         <version>1.3.1</version>
>     </dependency>
>
> More details can be found here:
> [1] http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
> [2] http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3c52f373fc.9030...@apache.org%3E
>
> on behalf of the Apache Struts Team
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36
The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36 based projects to use the latest released version of the Commons FileUpload library, which is currently 1.3.1. This is necessary to prevent your publicly accessible web site from being exposed to possible DoS attacks [1] [2].

Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For Maven based Struts 2 projects, the following dependency needs to be added:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.1</version>
    </dependency>

More details can be found here:
[1] http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
[2] http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3c52f373fc.9030...@apache.org%3E

on behalf of the Apache Struts Team

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.18 GA
The Apache Struts group is pleased to announce that Struts 2.5.18 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:
- jar_cache: Some jar_cache**.tmp files are generated into a temporary directory (/tmp) during web service start
- Struts 2.5.16 is creating jar_cache files in temp folder
- MD5 and SHA1 should no longer be provided on download pages
- xml-validation fails since struts 2.5.17

Internal Changes:
- XWorkList was moved into the com.opensymphony.xwork2.conversion.impl package as the com.opensymphony.xwork2.util package is excluded by the Internal Security Mechanism.

Please read the Version Notes to find more details about performed bug fixes and improvements.
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.18

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Extended list of Struts version affected by CVE-2018-11776 - RCE when using alwaysSelectFullNamespace
Hello,

We received additional information about possibly affected versions of Struts. Please read the bulletin [1] to find more details about the vulnerability and upgrade to the latest version of Struts if you are running one of those versions:
- Struts 2.0.4 - Struts 2.3.34
- Struts 2.5.0 - Struts 2.5.16

[1] https://cwiki.apache.org/confluence/display/WW/S2-057

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin
The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released version of Apache Struts. This is necessary to prevent your publicly accessible web site, which is using the Struts REST plugin and performing XML serialisation, from being exposed to a possible DoS attack.

You can find more details in Security Bulletin S2-056:
https://cwiki.apache.org/confluence/display/WW/S2-056

All developers are strongly advised to perform this action.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
[ANN] Immediately upgrade commons-fileupload to version 1.3.3
The Apache Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released version of the Commons FileUpload library, which is currently 1.3.3. This is necessary to prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks (see [1] [2]). This affects any Struts version prior to 2.5.12 [3].

Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For Maven based Struts 2 projects, the following dependency needs to be added:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
    </dependency>

More details can be found here:
1. https://issues.apache.org/jira/browse/FILEUPLOAD-279
2. https://nvd.nist.gov/vuln/detail/CVE-2016-131
3. https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
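The three commons-fileupload advisories above give two remediation paths: swap the jar in WEB-INF/lib, or pin the Maven dependency to 1.3.3. This added example (not Apache Struts or Commons code) audits both, checking a WEB-INF/lib listing for a jar older than 1.3.3 and reading the pinned version out of a pom.xml; the jar names and pom fragment it runs on are constructed.

```python
"""Audit a Struts 2 deployment for the commons-fileupload version that the
advisories above require (1.3.3 or newer), via the WEB-INF/lib jar name and the
Maven pom.xml dependency.  Added example; sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

MIN_VERSION = (1, 3, 3)
JAR_RE = re.compile(r"^commons-fileupload-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(text):
    """'1.3.3' -> (1, 3, 3); a missing patch component counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def needs_upgrade(version):
    """True when the version is unknown or older than the fixed release."""
    return version is None or version < MIN_VERSION


def audit_lib_dir(jar_names):
    """Classify the commons-fileupload jars among a WEB-INF/lib listing.
    Returns {"vulnerable": [...], "ok": [...], "present": bool}; 'present' is
    False when no commons-fileupload jar was found at all."""
    result = {"vulnerable": [], "ok": [], "present": False}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        result["present"] = True
        version = tuple(int(x or 0) for x in m.groups())
        bucket = "vulnerable" if needs_upgrade(version) else "ok"
        result[bucket].append(name)
    return result


def _local(tag):
    # Strip the POM namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'
    return tag.rsplit("}", 1)[-1]


def audit_pom(pom_xml):
    """Return the pinned commons-fileupload version tuple from a pom.xml, or
    None when the dependency is not declared (the version then comes
    transitively from struts2-core and must be checked in WEB-INF/lib)."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if (fields.get("groupId") == "commons-fileupload"
                and fields.get("artifactId") == "commons-fileupload"):
            return parse_version(fields.get("version", ""))
    return None


# Constructed inputs: a WEB-INF/lib listing still carrying 1.3.2, and a pom
# that already pins the fixed release from the advisory.
SAMPLE_LIB = ["struts2-core-2.3.36.jar", "commons-fileupload-1.3.2.jar", "ognl-3.0.21.jar"]
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.36</version>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.3</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print("WEB-INF/lib:", audit_lib_dir(SAMPLE_LIB))
    pinned = audit_pom(SAMPLE_POM)
    print("pom.xml pins:", pinned, "needs upgrade:", needs_upgrade(pinned))
```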
[ANN] Apache Struts 2.5.16 GA
The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

- unclosed instantiation of PrintWriter
- Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
- NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
- NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
- ClassCastException in JarEntryRevision
- Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
- The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in some future release, it will no longer be possible to describe a converter by the name (id) of a Spring bean.
- Conversion by annotation does not work
- List of Boolean is not populated in Action class
- JSONResult exception in struts2-json-plugin-2.5.14.1.jar
- buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml
- Could not create JarEntryRevision for [zip:C:/ unknown protocol c
- NPE in I18nInterceptor$SessionLocaleHandler.read
- JasperReportResult: NPE When Not Using SQL Connection
- support JSR 303 Validation Groups in BeanValidation-Plugin
- Debug tag should not display anything when not in dev mode
- Allow using of Initializable interface on an implementation level
- Allowed methods inheritance
- Allow use of Jackson XML bindings to serialise / deserialise XML
- when using a custom array as a field in a Struts 2 action form, textfield data from the JSP page is not populated into the custom array but is populated into a String array or array list
- Upgrade Spring to version 4.3.13
- Update Log4j2 to 2.10.0

Please read the Version Notes to find more details about performed bug fixes and improvements.

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.16

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] New version of the Apache Struts Maven Archetypes
The Apache Struts group is pleased to announce that the Apache Struts Maven Archetypes are available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release of the archetypes is compatible with the latest version of Apache Struts. Please read the following web page on how to use the archetypes:

http://struts.apache.org/maven-archetypes/

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:

* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:

* https://issues.apache.org/jira/browse/WW

- The Apache Struts group.

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)
Hi,

After further clarification we increased the impact of a vulnerability reported to us and described as S2-055 to High. The vulnerability exists in the JSON Jackson library and is registered under CVE-2017-7525. Please read the bulletin [1] and apply the possible solutions.

This vulnerability impacts anyone using the vulnerable Jackson JSON library (not only Struts users).

[1] https://cwiki.apache.org/confluence/display/WW/S2-055

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.14.1 GA with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.5.14.1 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains fixes for the following potential security vulnerabilities:

- S2-054 A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin
  https://cwiki.apache.org/confluence/display/WW/S2-054
- S2-055 Vulnerability in the Jackson JSON library
  https://cwiki.apache.org/confluence/display/WW/S2-055

Please read the Version Notes to find more details about performed bug fixes and improvements.

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14.1

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.14 GA
The Apache Struts group is pleased to announce that Struts 2.5.14 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

- The class JSONWriter was converted into an interface with a default implementation in the DefaultJSONWriter class. If you were using the class directly, you must update your code; otherwise it won’t compile when using Struts 2.5.14.
- DefaultUrlHelper().buildUrl() not outputting port when used as parameter
- Not able to convert Spring object to the JSON response
- The if test can accidentally and incorrectly assign a new value to an object
- ObjectFactory constructor signature change breaks extensions
- Snippets in Struts documentation are missing
- I am migrating my Struts 2.2.x to 2.5.13 and wherever I used Struts taglibs and tags the UI is breaking where I have not used bootstrap; everything else is working fine
- Default Multipart validation regex is invalid due to charset encoding
- Exception starting filter struts-prepare: Unable to load configuration. - interceptor - vfs
- createInstance method signature change of TextProviderFactory from merged xwork-core code inside struts2-core-2.5.13.jar which was present with the xwork-core jar
- Struts 2.5.13 can’t run in Java 9 on Windows 10
- StringConverter from OGNL 3.1.15 in Struts 2.5.13
- Decimal converters should avoid loss of user’s data caused by rounding
- Struts text tag doesn’t print value from Stack
- No validations happening after upgrading to Struts 2.5.12
- Allow to use custom JSONWriter
- Implement Dependency Check in Maven build
- Fallback to ActionContext if container is null in ActionSupport
- Upgrade to the latest Jetty plugin in all examples
- Add missing header with license to all files reported by the Rat plugin
- Review available interceptors and document the missing ones
- Fetch docs from new locations
- Allow defining only TextProvider instead of providing the whole TextProviderFactory
- HTML escaping on the text tag
- Upgrade FreeMarker to version 2.3.26-incubating
- Upgrade to Log4j2 2.9.1
- Upgrade com.fasterxml.jackson to version 2.8.2
- Upgrade net.sf.json-lib to version 2.4
- Upgrade Spring to version 4.1.9

Please read the Version Notes to find more details about performed bug fixes and improvements.

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.14

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.34 General Availability with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.3.34 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses these potential security vulnerabilities:

- S2-050 A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)
- S2-051 A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin
- S2-052 Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
- S2-053 A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals

This release contains several minor improvements, just to mention a few of them:

- Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and be mapped
- Threads get blocked due to unnecessary synchronization in OgnlRuntime
- Upgrade to OGNL 3.0.21
- Upgrade to struts-master 11
- Improve RegEx used to validate URLs

More details in the version notes:

http://struts.apache.org/docs/version-notes-2334.html

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.html#struts-23x

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release
2017-09-05 15:17 GMT+02:00 Lukasz Lenart:
> - S2-052 Possible Remote Code Execution attack when using the Struts REST
> plugin with XStream handler to handle XML payloads
> http://struts.apache.org/docs/s2-050.html

It's supposed to be http://struts.apache.org/docs/s2-052.html

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.13 GA with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.5.13 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains fixes for the following potential security vulnerabilities:

- S2-050 A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)
  http://struts.apache.org/docs/s2-050.html
- S2-051 A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin
  http://struts.apache.org/docs/s2-051.html
- S2-052 Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
  http://struts.apache.org/docs/s2-050.html

Except for the above, this release also contains several improvements, just to mention a few of them:

- Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and be mapped
- NPE with TextProvider and wildcard mapping
- Threads get blocked due to unnecessary synchronization in OgnlRuntime
- Default Multipart validation regex is invalid
- Not fully initialized ObjectFactory tries to create beans
- http://struts.apache.org/dtds/struts-2.5.dtd missing
- Set a global resource bundle in class
- Override TextProvider does not work in Struts 2.5.12
- Array-of-null parameters are converted to string “null”
- JakartaStreamMultiPartRequest Should Honor “struts.multipart.maxSize”
- Build Fails Due to Unused com.sun Import
- Struts 2.5.12 - NPE in DelegatingValidatorContext
- Struts 2 Fails to Initialize with JRebel
- Allow defining more than one Action suffix
- Remove jQuery from debugging interceptor views
- Update dependencies page on the Struts site
- Improve RegEx used to validate URLs
- Make REST ContentHandlers configurable
- Expose Freemarker incompatible_improvements in FreemarkerManager and StrutsBeansWrapper
- Upgrade Commons Collections to 3.2.2
- Upgrade Commons IO to 2.5
- Upgrade to ASM version 5.2
- Upgrade to OGNL 3.1.15
- Upgrade XStream to the latest version
- Upgrade to struts-master 11

Please read the Version Notes to find more details about performed bug fixes and improvements.

http://struts.apache.org/docs/version-notes-2513.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts: S2-049 Security Bulletin update
This is an update of the recently announced Security Bulletin S2-049 - http://struts.apache.org/docs/s2-049.html

The bulletin was extended with additional information on when the potential vulnerability can be present in your application. Please re-read the mentioned bulletin and apply the required actions if needed.

Please report any problems back to the Struts Security mailing list - secur...@struts.apache.org

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.12 GA with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.5.12 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains fixes for the following potential security vulnerabilities:

- S2-047 Possible DoS attack when using URLValidator
  http://struts.apache.org/docs/s2-047.html
- S2-049 A DoS attack is available for Spring secured actions
  http://struts.apache.org/docs/s2-049.html

Except for the above, this release also contains several improvements, just to mention a few of them:

- `double` and `Double` are not validated with the same decimal separator
- `ognl.MethodFailedException` when you do not enter a value for a field mapped to an int
- `Double` Value Conversion with requestLocale=de
- The `TextProvider` injection in `ActionSupport` isn't quite integrated into the framework's core DI
- Struts2 raises `java.lang.ClassCastException` when Result type is `chain`
- `@InputConfig` annotation is not working when integrating with Spring AOP
- Validators do not work for multiple values
- `BigDecimal` are not converted according to context locale
- `NullPointerException` when displaying a form without action attribute
- Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
- `cssErrorClass` attribute has no effect on `label` tag
- Why `JSONValidationInterceptor` returns Status Code `400 BAD_REQUEST` instead of `200 SUCCESS`
- @autowired does not work since Struts 2.3.28.1
- Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1
- Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a NoSuchDefinitionException
- Aspects are not executed when chaining AOPed actions
- Duplicate hidden input field checkboxListHandler
- The value of a checkbox obtained server-side is "false" when no checkbox has been selected.
- refactor file upload framework
- `creditCard` validator available in Struts 1 missing in Struts 2
- No easy way to have an empty interceptor stack if there is a default stack
- `@TypeConversion` converter attribute to class
- Convert `LocalizedTextUtil` into a bean with default implementation
- NPE in `StrutsTilesContainerFactory` when resource isn't found
- Buffer/Flush behaviour in `FreemarkerResult`
- Struts2 should know and consider config time class of user's Actions
- getters of exclude-sets in OgnlUtil should return immutable collections
- Mark `site-graph` plugin as deprecated
- Use `TextProviderFactory` instead of `TextProvider` as bean's dependency
- Create `LocaleProviderFactory` and use it instead of `LocaleProvider`
- Improve error logging in `DefaultDispatcherErrorHandler`
- Make `jakarta-stream` multipart parser more extensible
- Make Multipart parsers more extensible
- Add proper validation if request is a multipart request
- Make `SecurityMethodAccess` excluded classes & packages definitions immutable
- Upgrade to Log4j2 2.8.2
- Allow disabling file upload support via a configurable option
- Stop using `DefaultLocalizedTextProvider#localeFromString` static util method
- Don't add `JBossFileManager` as a possible FileManager when not on JBoss
- There is no `@LongRangeFieldValidator` annotation to support `LongRangeFieldValidator`
- Upgrade to commons-lang 3.6
- Update commons-fileupload

Please read the Version Notes to find more details about performed bug fixes and improvements.

http://struts.apache.org/docs/version-notes-2512.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2: possible RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series
A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series. It is possible to perform a Remote Code Execution attack if a given construction exists in the vulnerable application. Please read the security bulletin for more details and inspect your application.

- S2-048 Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series
  http://struts.apache.org/docs/s2-048.html
  http://struts.apache.org/announce.html#a20170707

NOTE: Please notice that this vulnerability does not affect applications using the Struts 2.5.x series or applications that do not use the Struts 1 plugin. Even if the plugin is available but the certain code construction is not present, your application is safe.

On behalf of the Apache Struts project

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] [SECURITY] Struts Extras secure Multipart plugins GA - versions 1.1
The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin 1.1 and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin 1.1 are available as a “General Availability” release. The GA designation is our highest quality grade.

These releases address one critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638)

Also, backward compatibility between different Struts versions was improved.

http://struts.apache.org/docs/s2-045.html
http://struts.apache.org/docs/s2-046.html

Those plugins were released to allow users running older versions of Apache Struts to secure their applications in an easy way. You don’t have to migrate to the latest version (which is still preferable), but by applying one of those plugins your application won’t be vulnerable anymore.

Please read the README (https://github.com/apache/struts-extras) for more details and supported Apache Struts versions.

All developers are strongly advised to perform this action.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download those plugins from our download page.

http://struts.apache.org/download.cgi#struts-extras

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] [SECURITY] Struts Extras secure Multipart plugins GA
The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are available as a “General Availability” release. The GA designation is our highest quality grade.

These releases address one critical security vulnerability:

- Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser S2-045, S2-046 (CVE-2017-5638)

http://struts.apache.org/docs/s2-045.html
http://struts.apache.org/docs/s2-046.html

Those plugins were released to allow users running older versions of Apache Struts to secure their applications in an easy way. You don’t have to migrate to the latest version (which is still preferable), but by applying one of those plugins your application won’t be vulnerable anymore. It is a drop-in installation: just select the proper jar file and copy it to the WEB-INF/lib folder.

Please read the README (https://github.com/apache/struts-extras) for more details and supported Apache Struts versions.

All developers are strongly advised to perform this action.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download those plugins from our download page.

http://struts.apache.org/download.cgi#struts-extras

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.32 GA with Security Fix Release
The Apache Struts group is pleased to announce that Struts 2.3.32 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses one potential security vulnerability:

- Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - S2-045 - http://struts.apache.org/docs/s2-045.html

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts-23x

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.10.1 GA with Security Fix Release
The Apache Struts group is pleased to announce that Struts 2.5.10.1 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses one potential security vulnerability:

- Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - S2-045 - http://struts.apache.org/docs/s2-045.html

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.cgi#struts25101

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.10 GA
The Apache Struts group is pleased to announce that Struts 2.5.10 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several breaking changes and improvements, just to mention a few of them:

- How to handle 404 when using wildcard instead of error 500 when the wildcard method doesn’t exist
- MessageStoreInterceptor must handle all redirects
- MaxMultiPartUpload limited to 2GB (Long –> Integer)
- Struts 2.5.8 no longer supports the directive in the struts.xml
- JSONValidationInterceptor change static parameters names
- ServletDispatcherResult can’t handle parameters anymore
- TokenInterceptor synchronized on session.getId().intern()
- XSLT error during transformation
- No default parameter defined for result json of type org.apache.struts2.json.JSONResult
- I18Interceptor ignores session or cookie Locale after first lookup failure
- EmailValidator does not accept new domain suffixes
- AnnotationValidationInterceptor: NullPointerException when method is null
- struts.xml include not loading in dependent jar files
- AnnotationValidationInterceptor should consult UnknownHandler before throwing NoSuchMethodException
- ActionSupport.LOG should be private
- Remove StrutsObjectFactory and define StrutsInterceptorFactory instead
- Make OgnlValueStack and OgnlValueStackFactory More Extensible
- Make interceptor parameters dynamic
- allow including other config files from classpath

Version notes

http://struts.apache.org/docs/version-notes-2510.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.html#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.8 GA
The Apache Struts group is pleased to announce that Struts 2.5.8 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release addresses one potential security vulnerability:

- Possible DoS attack when using URLValidator - S2-044

Also, this release contains several breaking changes and improvements, just to mention a few of them:

- Included XSL files’ URI not being resolved for actions with result type="xslt", see WW-2561
- ConcurrentModificationException using s:iterator (intermittent), see WW-3019
- ObjectFactory reporting ERRORs when you attempt to set parameters on a Redirect result, see WW-3170
- preselect values in , see WW-4367
- File upload error message always in default language, see WW-4636
- Can no longer clear parameter on a tag, see WW-4701
- List based parameters no longer work when there is only one value, see WW-4702
- NullPointerException in ActionSupport when using ModelDriven, see WW-4703
- Multiselect parameter behavior different between struts 2.5.5 and 2.5.1, see WW-4707
- Invalid field value for field “id”, see WW-4709
- Scope interceptor always resets because of org.apache.struts2.dispatcher.HttpParameters, see WW-4715
- focusElement form attribute not working, see WW-4718
- Portlet Issue with I18Interceptor, see WW-4722
- Allow value substitution in XML configuration, see WW-4698
- Upgrade to latest OGNL version, see WW-4704
- Add support for long type to tag, see WW-4705
- Disallow access to HttpParameters.toMap, see WW-4710
- tag should not evaluate defaultMessage against a ValueStack by default, see WW-4711
- TextProviderHelper#getText() should perform cleaning of defaultMessage, see WW-4712
- Refactor file upload support to allow creating a virtual representation of java.io.File, see WW-4717
- Move DefaultClassFinder into Convention plugin, see WW-4719
- HttpParameters should behave like a Map, see WW-4720
- Add support for roundingMode in tag, see WW-4721

Version notes

http://struts.apache.org/docs/version-notes-258.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.html#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.5 GA
The Apache Struts group is pleased to announce that Struts 2.5.5 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several improvements, just to mention a few of them:

- webconsole can always be accessed, see WW-4601
- Space character and includeParams, see WW-4628
- Empty is being suppressed, see WW-4631
- remove ASM 3 from struts2, see WW-4646
- SMI does not work with JSON plugin, see WW-4649
- Concurrency issue in addDefaultResourceBundle, see WW-4652
- Action parameters should be included when building the URL to action, see WW-4654
- StreamResult closes outputstream early, see WW-4662
- NullPointerException when displaying a form without action attribute, see WW-4663
- ParametersInterceptor excludeParams only applies to first instance of params interceptor in paramsPrepareParamsStack, see WW-4667
- URL validator is case sensitive, see WW-4671
- Select box does not pre-select chosen values, see WW-4675
- Tiles-Plugin unable to load tiles definition XML, see WW-4679
- Missing brackets in checkbox.ftl of css_xhtml template, see WW-4681
- Move Struts Archetypes to dedicated project, see WW-4316
- Add dedicated class to represent Http Parameters, see WW-4572
- ParametersInterceptor should check collection index against DOS, see WW-4620
- Move example portlet-app into struts-examples, see WW-4660
- Upgrade JFreeChart plugin to the latest version of JFreeChart, see WW-4670
- StrutsPrepareAndExecuteFilter should check for response committed status, see WW-4674
- ConversionErrorInterceptor to extend MethodFilterInterceptor, see WW-4676
- I18N Interceptor automatically validates Locale, see WW-4677
- Upgrade Tiles to 3.0.7 GA version, see WW-4680
- Allow directly accessing I18N keys from Tiles definitions, see WW-4685
- Merge two existing I18NInterceptors into one, see WW-4686
- Exclude "java.ext.dirs" when scanning for actions, see WW-4688
- CycleDetector - use enum instead of String constants, see WW-4689
- Upgrade Commons Collections to 4.1, see WW-4695
- Upgrade to Log4j 2.7, see WW-4696
- Warn about excluded action/method only when DMI is disabled, see WW-4697

Version notes

http://struts.apache.org/docs/version-notes-255.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

http://struts.apache.org/download.html#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.31 General Availability with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.3.31 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release addresses two potential security vulnerabilities:
- S2-042 Possible path traversal in the Convention plugin
- S2-043 Using the Config Browser plugin in production

This release also contains several minor improvements, to mention just a few of them:
- webconsole can always be accessed, see WW-4601
- Space character and includeParams, see WW-4628
- ParametersInterceptor excludeParams only applies to first instance of params interceptor in paramsPrepareParamsStack, see WW-4667
- Select box does not pre-select chosen values, see WW-4675
- StrutsPrepareAndExecuteFilter should check for response committed status, see WW-4674
- Allow directly accessing I18N keys from Tiles definitions, see WW-4685

More details in the version notes: http://struts.apache.org/docs/version-notes-2331.html

All developers are strongly advised to perform this upgrade.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page: http://struts.apache.org/download.html#struts-2331

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5.2 GA
The Apache Struts group is pleased to announce that Struts 2.5.2 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several improvements, to mention just a few of them:
- SecurityMemberAccess exclude class design issue, see WW-4645
- Json deserialization does not work in 2.5.1, see WW-4650
- Negative number is considered an arithmetic expression, see WW-4651
- Wildcard redirect and path /static/, see WW-4656
- Upgrade commons-fileupload to the latest version, see WW-4648
- Clean up logic in StreamResult and update docs, see WW-4655

Version notes: http://struts.apache.org/docs/version-notes-252.html

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page: http://struts.apache.org/download.html#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.30 GA
The Apache Struts group is pleased to announce that Struts 2.3.30 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several minor improvements, to mention just a few of them:
- Pre-evaluation of “name” attribute stopped working, see WW-4641
- Unable to retrieve s:hidden field values, see WW-4642
- SecurityMemberAccess exclude class design issue, see WW-4645
- Negative number is considered an arithmetic expression, see WW-4651
- Upgrade commons-fileupload to the latest version, see WW-4648

More details in the version notes: http://struts.apache.org/docs/version-notes-2330.html

All developers are strongly advised to perform this upgrade.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page: http://struts.apache.org/download.html#struts-2330

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Struts 2.5.1 General Availability
The Apache Struts group is pleased to announce that Struts 2.5.1 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release addresses one potential security vulnerability:
- S2-041 Possible DoS attack when using URLValidator, see http://struts.apache.org/docs/s2-041.html

All security patches applied to Struts 2.3.29 were also applied to this version (just in case).

This release also contains several improvements, to mention just a few of them:
- contentType override ignored for JSONInterceptor, see WW-4558
- MessageStorePreResultListener does not store messages for 3rd-party RedirectResult subclasses, see WW-4618
- EmailValidator flags .cat emails as invalid, see WW-4626
- SMI cannot be disabled, see WW-4632
- Centre alignment does not seem to work in Velocity tags, see WW-4634
- Unable to process Jar entry (javassist-3.20.0-GA.jar), see WW-4637
- Strict Method Invocation breaks Action-Less Results, see WW-4643
- When method is not allowed throw exception with meaningful message, see WW-4640
- update struts2 bom, see WW-4644

Version notes: http://struts.apache.org/docs/version-notes-251.html

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page: http://struts.apache.org/download.html#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.29 General Availability with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.3.29 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release addresses the following potential security vulnerabilities:
- S2-035 Action name clean up is error prone
- S2-036 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)
- S2-037 Remote Code Execution can be performed when using REST Plugin
- S2-038 It is possible to bypass token validation and perform a CSRF attack
- S2-039 Getter as action method leads to security bypass
- S2-040 Input validation bypass using existing default action method
- S2-041 Possible DoS attack when using URLValidator

This release also contains several minor improvements, to mention just a few of them:
- Json result type breaks
- MessageStorePreResultListener doesn’t store messages for 3rd-party RedirectResult subclasses
- Multiple tiles.xml in web.xml
- New Tiles version can not find tiles*.xml files in sub-directories
- EmailValidator flags .cat emails as invalid
- Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80
- Tile definition inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+
- generates a value attribute for type=image which violates W3C
- ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1

More details in the version notes: http://struts.apache.org/docs/version-notes-2329.html

All developers are strongly advised to perform this upgrade.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page: http://struts.apache.org/download.html#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Two security vulnerabilities reported
Two potential security vulnerabilities were reported which had already been addressed in the latest Apache Struts 2 versions; the reports add further attack vectors. See http://struts.apache.org/announce.html#a20160601

- S2-033 Remote Code Execution can be performed when using REST Plugin with the ! operator when Dynamic Method Invocation is enabled, see http://struts.apache.org/docs/s2-033.html
- S2-034 OGNL cache poisoning can lead to a DoS vulnerability, see http://struts.apache.org/docs/s2-034.html

Please read the Security Bulletins carefully and take the suggested actions. The simplest way to avoid those vulnerabilities in your application is to upgrade Apache Struts to the latest available version in the 2.3.x series or to Apache Struts 2.5.

You can download those versions from our download page: http://struts.apache.org/download.html#struts-ga

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.5 GA release available
The Apache Struts group is pleased to announce that Struts 2.5 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several breaking changes and improvements, to mention just a few of them:
- XWork source was merged into Struts Core source, which means there is no longer an xwork artifact nor a dedicated jar
- Spring dependency for tests and the spring plugin was upgraded to version 4.1.6, see WW-4510
- Struts2 internal logging API was marked as deprecated and replaced with the new Log4j2 API as logging layer, see WW-4504
- Struts2 is now built with JDK7, see WW-4503
- New plugin to support bean validation is now part of the distribution, see WW-4505
- Deprecated plugins are now removed from the distribution and are no longer supported:
  - Dojo Plugin
  - Codebehind Plugin
  - JSF Plugin
  - Struts1 Plugin
- New security option was added - Strict Method Invocation (also known as Strict DMI), see WW-4540
- Added support for latest stable AngularJS in Maven archetype, see WW-4522
- Dropped support for id and name - replaced with var, see WW-2069
- Dedicated archive with a minimal set of dependencies was introduced, see WW-4570
- It is possible to use multiple names when defining a result, see WW-4590
- Rest plugin honors Accept header, see WW-4588
- New result ‘JSONActionRedirectResult’ in json-plugin was defined, see WW-4591
- Tiles plugin was upgraded to the latest Tiles 3 and tiles3-plugin was dropped, see WW-4584
- JasperReports plugin was upgraded to JasperReports 6.0, see WW-4381
- OGNL was upgraded to version 3.1.4 and it breaks access to properties as it now follows the Java Bean Specification, see WW-4207 and WW-3909
- Annotations to configure Tiles, see WW-4594 and the Tiles Plugin
and many other improvements, please check the version notes.

Struts 2.5 is available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page:
* http://struts.apache.org/download.cgi#struts-ga

The release is also available from the central Maven repository under Group ID "org.apache.struts".

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-25.html

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW

- The Apache Struts group.

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
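The announcement above lists Strict Method Invocation as a new security option, and the earlier S2-033 notice ties the REST-plugin ! operator attack to Dynamic Method Invocation being enabled. The following struts.xml fragment is an added example written for this page, not configuration shipped with the release or taken from the announcement: it turns DMI off with the struts.enable.DynamicMethodInvocation constant and enables SMI on a package, so only the methods explicitly listed in allowed-methods / global-allowed-methods can be invoked from a request. The package, action and class names (example, person, com.example.PersonAction) and the JSP paths are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Added example configuration (not part of the release).
         Dynamic Method Invocation lets a request pick the action method via
         the "action!method" URL syntax; S2-033 describes an RCE through the
         REST plugin's ! operator that requires DMI to be on. Methods are
         mapped explicitly below, so DMI is not needed and stays disabled. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <!-- Hypothetical package. With strict-method-invocation="true", a request
         may only invoke methods that are listed in global-allowed-methods for
         the package or in allowed-methods for the individual action. -->
    <package name="example" namespace="/" extends="struts-default"
             strict-method-invocation="true">

        <!-- Methods every action in this package is permitted to expose. -->
        <global-allowed-methods>execute,input</global-allowed-methods>

        <action name="person" class="com.example.PersonAction">
            <!-- Additional methods this action exposes on purpose. Anything
                 not listed here or above (for example a getter on the action,
                 cf. S2-039) is rejected rather than executed. -->
            <allowed-methods>save,delete</allowed-methods>
            <result name="success">/WEB-INF/jsp/person.jsp</result>
            <result name="input">/WEB-INF/jsp/person-form.jsp</result>
        </action>
    </package>
</struts>
```

The allowed-methods lists are comma-separated method names; when auditing an application after the upgrade, grep struts.xml for packages that set strict-method-invocation="false" and for the DMI constant set to true, since either one reopens the method-selection surface that SMI is meant to close.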
[ANN] Apache Struts 2.3.20.3 GA & Apache Struts 2.3.24.3 GA
The Apache Struts group is pleased to announce that Struts 2.3.20.3 and Struts 2.3.24.3 are available as “General Availability” releases. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

These releases address three potential security vulnerabilities:
- S2-029 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution
- S2-031 Possible RCE vulnerability in XSLTResult was fixed
- S2-032 Prevents execution of chained expressions based on the new isSequence flag introduced in the appropriate OGNL versions

All developers are strongly advised to perform this upgrade.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Struts 2.3.20.3 & 2.3.24.3 are available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page:
* http://struts.apache.org/download.cgi#struts23203
* http://struts.apache.org/download.cgi#struts23243

The release is also available from the central Maven repository under Group ID "org.apache.struts".

The 2.3.20.3 & 2.3.24.3 versions of the Apache Struts framework have a minimum requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-23203.html
* http://struts.apache.org/docs/version-notes-23243.html

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.28.1 GA
The Apache Struts group is pleased to announce that Struts 2.3.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release addresses two potential security vulnerabilities:
- S2-031 Possible RCE vulnerability in XSLTResult was fixed
- S2-032 Prevents execution of chained expressions based on the new isSequence flag introduced in the appropriate OGNL versions

All developers are strongly advised to perform this upgrade.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Struts 2.3.28.1 is available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page:
* http://struts.apache.org/download.cgi#struts23281

The release is also available from the central Maven repository under Group ID "org.apache.struts".

The 2.3.28.1 version of the Apache Struts framework has a minimum requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-23281.html

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Apache Struts 2.3.28 GA
The Apache Struts group is pleased to announce that Struts 2.3.28 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release addresses three potential security vulnerabilities:
- S2-028 Possible XSS vulnerability in pages not using UTF-8 was fixed
- S2-029 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution
- S2-030 I18NInterceptor narrows the selected locale to those available in the JVM to reduce the possibility of another XSS vulnerability

All developers are strongly advised to perform this upgrade.

This release contains several changes and improvements, to mention just a few of them:
- New ConfigurationProvider type was introduced - ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn’t ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once on constructed objects, see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to the latest available Tiles 2 version, see WW-4568
- A dedicated assembly with a minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor the Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to store messages, see WW-4605
- A new annotation was added to support configuring Tiles - @TilesDefinition, see WW-4606
and many other improvements, please check the version notes.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Struts 2.3.28 is available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page:
* http://struts.apache.org/download.cgi#struts2328

The release is also available from the central Maven repository under Group ID "org.apache.struts".

The 2.3.28 version of the Apache Struts framework has a minimum requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 6

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-2328.html

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Struts 2.5-BETA3 Beta release available
The Apache Struts group is pleased to announce that Struts 2.5-BETA3 is available as a "Beta" release. The Beta designation indicates that we believe the distribution needs wider testing before being upgraded to a "General Availability" release. Your input is essential.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several breaking changes and improvements, to mention just a few of them:

New in BETA1
- XWork source was merged into Struts Core source, which means there is no longer an xwork artifact nor a dedicated jar
- OGNL was upgraded to version 3.0.11 and it breaks access to properties as it now follows the Java Bean Specification, see WW-4207 and WW-3909
- Spring dependency for tests and the spring plugin was upgraded to version 4.1.6, see WW-4510
- Struts2 internal logging API was marked as deprecated and replaced with the new Log4j2 API as logging layer, see WW-4504
- Struts2 is now built with JDK7, see WW-4503
- New plugin to support bean validation is now part of the distribution, see WW-4505
- Deprecated plugins are now removed from the distribution and are no longer supported:
  - Dojo Plugin
  - Codebehind Plugin
  - JSF Plugin
  - Struts1 Plugin

New in BETA2
- New security option was added - Strict Method Invocation (also known as Strict DMI), see WW-4540
- Add support for latest stable AngularJS in Maven archetype, see WW-4522

New in BETA3
- Dropped support for id and name - replaced with var, see WW-2069
- Dedicated archive with a minimal set of dependencies was introduced, see WW-4570
- It is possible to use multiple names when defining a result, see WW-4590
- Rest plugin honors Accept header, see WW-4588
- New result 'JSONActionRedirectResult' in json-plugin was defined, see WW-4591
- Tiles plugin was upgraded to the latest Tiles 3 and tiles3-plugin was dropped, see WW-4584
- JasperReports plugin was upgraded to JasperReports 6.0, see WW-4381
- OGNL was upgraded to version 3.0.11 and it breaks access to properties as it now follows the Java Bean Specification, see WW-4207 and WW-3909
  - and then OGNL was upgraded to version 3.1.1, see WW-4561
  - and then OGNL was upgraded to version 3.2.1, see WW-4577
and many other improvements, please check the version notes.

Struts 2.5-BETA3 is available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page:
* http://struts.apache.org/download.cgi#struts-beta

The release is also available from the central Maven repository under Group ID "org.apache.struts".

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0

The release notes are available online at:
* http://struts.apache.org/2.x/docs/version-notes-25.html

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW

- The Apache Struts group.

--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
[ANN] Struts 2.5-BETA2 Beta release available
The Apache Struts group is pleased to announce that Struts 2.5-BETA2 is available as a "Beta" release. The Beta designation indicates that we believe the distribution needs wider testing before being upgraded to a "General Availability" release. Your input is essential.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains several breaking changes and improvements, to mention just a few of them:

New in BETA1
- XWork source was merged into Struts Core source, which means there is no longer an xwork artifact nor a dedicated jar
- OGNL was upgraded to version 3.0.11 and it breaks access to properties as it now follows the Java Bean Specification, see WW-4207 and WW-3909
- Spring dependency for tests and the spring plugin was upgraded to version 4.1.6, see WW-4510
- Struts2 internal logging API was marked as deprecated and replaced with the new Log4j2 API as logging layer, see WW-4504
- Struts2 is now built with JDK7, see WW-4503
- New plugin to support bean validation is now part of the distribution, see WW-4505
- Deprecated plugins are now removed from the distribution and are no longer supported:
  - Dojo Plugin
  - Codebehind Plugin
  - JSF Plugin
  - Struts1 Plugin

New in BETA2
- New security option was added - Strict Method Invocation (also known as Strict DMI), see WW-4540
- Add support for latest stable AngularJS in Maven archetype, see WW-4522
and many other improvements, please check the version notes.

Struts 2.5-BETA2 is available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page:
* http://struts.apache.org/download.cgi#struts-beta

The release is also available from the central Maven repository under Group ID "org.apache.struts".

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0

The release notes are available online at:
* http://struts.apache.org/2.x/docs/version-notes-25.html

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW

- The Apache Struts group.

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/