From: Lukasz Lenart
Date: Fri, 18 Mar 2016 10:01:28 +0100
Subject: [VOTE] Struts 2.3.27
To: Struts Developers List

This is a third call in a row, with a tiny fix discovered during the test period, so
I'm going to speed things up as there are three security bulletins addressed
with this release.

The Apache Struts 2.3.26 test build is now available. With this release:

- Possible XSS vulnerability in pages not using UTF-8 was fixed, read more details in S2-028
- Prevents possible RCE when reusing user input in tag's attributes, see more details in S2-029
- I18NInterceptor narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability, see more details in S2-030
- New ConfigurationProvider type was introduced - ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once to constructed objects, see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to store messages, see WW-4605
- A new annotation was added to support configuring Tiles - @TilesDefinition, see WW-4606

and a few other small improvements, please see the release notes.

Security note:
This release fixes three potential security vulnerabilities as mentioned in the Version Notes.

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.27

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.27/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s.

The vote will remain open for at least 24 hours, longer upon request. A vote can be amended at any time to upgrade or downgrade the quality of the release based on future experience. If an initial vote designates the build as "Beta", the release will be submitted for mirroring and announced to the user list. Once released as a public beta, subsequent quality votes on a build may be held on the user list.

As always, the act of voting carries certain obligations. A binding vote not only states an opinion, but means that the voter is agreeing to help do the work.

Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/