struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4917) Clarification on security status and support for Struts 2.3
Date Sun, 11 Feb 2018 14:57:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16359962#comment-16359962 ]

Lukasz Lenart commented on WW-4917:
-----------------------------------

There are no known security issues related to the 2.3.x series, or rather there is no issue that
would require releasing a new version. Yet, we do not consider 2.3.34 as the best available
version of Apache Struts; you should migrate to Struts 2.5. That's why Struts 2.3.34 is
listed as a "Not Recommended" release. Our development focus is now on the 2.5 series and the incoming
2.6 series. The 2.3.x series is still maintained but only in case of high security issues;
you shouldn't expect any other fixes. Still, there is no exact date to EOL the 2.3.x series.

> Clarification on security status and support for Struts 2.3
> -----------------------------------------------------------
>
>                 Key: WW-4917
>                 URL: https://issues.apache.org/jira/browse/WW-4917
>             Project: Struts 2
>          Issue Type: Task
>          Components: Documentation
>    Affects Versions: 2.3.34
>            Reporter: Richard Taylor
>            Priority: Minor
>              Labels: security
>
> Hi
>  
> Can you kindly provide clarity as to the exact status of the 2.3 series in terms of ongoing support and security status.
>  
>  
> On the Struts web page [https://struts.apache.org/]
>  
> I found the statement:
>  
> "It's the latest release of Struts 2.3.x which contains the latest security fixes, read more in [Announcement|https://struts.apache.org/announce.html#a20170907] or in [Version notes|https://struts.apache.org/docs/version-notes-2334.html]"
>  
> Yet, on the page at [https://struts.apache.org/releases.html] it is stated that:
>  
> h2. "Prior Releases
> As a courtesy, we retain archival copies of the website for releases that initially were considered "General Availability" but which has been reclassified as "Not recommended" since they contain security issues
> "
> And version 2.3.34 is listed here.
>  
>  
> Lastly - I find no EOL announcement for 2.3.x
>  
> So in summary the question is:
>  
> *1 Is the 2.3 series EOL?*
> *2 Does 2.3.34 contain any known security bugs?*
>  
>  
> Thanking you in advance 
>  
> Richard



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
