struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlen...@apache.org
Subject [struts-site] branch master updated: Adds announcements of newly released versions
Date Wed, 16 Jan 2019 07:51:29 GMT
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 4fbe63c  Adds announcements of newly released versions
4fbe63c is described below

commit 4fbe63cece1406d9674d47369ff2f189a5234bb8
Author: Lukasz Lenart <lukaszlenart@apache.org>
AuthorDate: Wed Jan 16 08:50:40 2019 +0100

    Adds announcements of newly released versions
---
 _config.yml                              |  16 +--
 source/{announce.md => announce-2018.md} |   0
 source/announce.md                       | 209 ++++---------------------------
 source/index.html                        |  10 +-
 4 files changed, 33 insertions(+), 202 deletions(-)

diff --git a/_config.yml b/_config.yml
index ea930d7..3342fca 100644
--- a/_config.yml
+++ b/_config.yml
@@ -10,17 +10,17 @@ kramdown:
   syntax_highlighter: rouge
 
 # Simplifies introducing changes related to the latest release
-current_version: 2.5.18
-current_version_short: 2518
-prev_version: 2.3.36
-prev_version_short: 2336
+current_version: 2.5.20
+current_version_short: 2520
+prev_version: 2.3.37
+prev_version_short: 2337
 archetype_version: 2.5.14
 current_beta_version: 2.5-BETA3
 current_beta_version_short: 25B3
-release_date: 15 October 2018
-release_date_short: 20181015
-prev_release_date: 15 October 2018
-prev_release_date_short: 20181015
+release_date: 14 January 2019
+release_date_short: 20190114
+prev_release_date: 30 December 2018
+prev_release_date_short: 20181230
 beta_release_date_short: 20160126
 
 # Allows directly edit pages on GitHub
diff --git a/source/announce.md b/source/announce-2018.md
similarity index 100%
copy from source/announce.md
copy to source/announce-2018.md
diff --git a/source/announce.md b/source/announce.md
index 99fe1f0..66f8957 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -1,53 +1,21 @@
 ---
 layout: default
-title: Announcements 2018
+title: Announcements 2019
 ---
 
-# Announcements 2018
+# Announcements 2019
 {:.no_toc}
 
 * Will be replaced with the ToC, excluding a header
 {:toc}
 
 <p class="pull-right">
-  Skip to: <a href="announce-2017.html">Announcements - 2017</a>
+  Skip to: <a href="announce-2018.html">Announcements - 2018</a>
 </p>
 
-#### 14 November 2018 - Apache Struts 2.3.x End-Of-Life (EOL) Announcement {#a20181114}
+#### 14 January 2019 - Struts 2.5.20 General Availability {#a20190114}
 
-The Apache Struts Project Team would like to inform you that the Struts 2.3.x web framework
will reach 
-its end of life in 6 months and won't be longer officially supported.
-
-Please check the following reading to find more details.
-
- - [Apache Struts 2.3.x EOL Announcement](struts23-eol-announcement), including a detailed
Q/A section
-
-#### 15 October 2018 - Struts 2.3.36 General Availability {#a20181015-2}
-
-The Apache Struts group is pleased to announce that Struts 2.3.36 is available as a "General
Availability"
-release. The GA designation is our highest quality grade.
-
-This release addresses one backward compatibility issue:
-
-- [xml-validation fails since struts 2.5.17]({{ site.wiki_url }}/Version+Notes+2.3.36)
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web
applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-**All developers are strongly advised to perform this action.**
-
-The 2.3.x series of the Apache Struts framework has a minimum requirement of the following
specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 6.
-
-Should any issues arise with your use of any version of the Struts framework, please post
your comments
-to the user list, and, if appropriate, file a tracking ticket.
-
-You can download this version from our [download](download.cgi#struts-23x) page.
-
-#### 15 October 2018 - Struts 2.5.18 General Availability {#a20181015-1}
-
-The Apache Struts group is pleased to announce that Struts 2.5.18 is available as a "General
Availability"
+The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a "General
Availability"
 release. The GA designation is our highest quality grade.
 
 Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web
applications.
@@ -56,16 +24,18 @@ to maintaining applications over time.
 
 Below is a full list of all changes:
 
- - `jar_cache` Some jar_cache******.tmp files are generated into a temporary directory(/tmp)
during web service start
- - Struts 2.5.16 is creating jar_cache files in temp folder
- - MD5 and SHA1 should no longer be provided on download pages
- - xml-validation fails since struts 2.5.17
+- s:include tag fails with truncated content in certain circumstances
+- NullPointerException in DefaultStaticContentLoader#findStaticResource
+- Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest
+- Static files like css and js files in struts-core not properly served
+- Race condition reloading config results in actions not found
+- Setting Struts2 <s:select> options Css Class
+- Enhancement for s:set tag to improve tag body whitespace control.
+- Add support for Java 11
+- Upgraded commons-fileupload to version 1.4
+- Update multiple Struts 2.5.x libraries to more recent versions
+- Update OGNL versions for 2.6 and 2.5.x builds
  
-Internal Changes:
-
-- XWorkList was moved into a com.opensymphony.xwork2.conversion.impl package as com.opensymphony.xwork2.util
package is excluded 
-  by the Internal Security Mechanism.
-
 Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web
applications.
 The framework is designed to streamline the full development cycle, from building, to deploying,
 to maintaining applications over time.
@@ -80,56 +50,16 @@ to the user list, and, if appropriate, file a tracking ticket.
 
 You can download this version from our [download](download.cgi#struts-ga) page.
 
-#### 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 {#a20180822-0}
-
-CVEID:CVE-2018-11776
-
-PRODUCT:Apache Struts
-
-VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
-
-PROBLEMTYPE:Remote Code Execution
-
-REFERENCES:[S2-057]({{ site.wiki_url }}/S2-057)
-
-DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts
versions 2.3 to 2.3.34 and
-2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace
and in same time, its 
-upper action(s) have no or wildcard namespace. Same possibility when using url tag which
doesn’t have value and action
-set and in same time, its upper action(s) have no or wildcard namespace.
-
-#### 22 August 2018 - Struts 2.5.17 General Availability {#a20180822-1}
+#### 30 December 2018 - Struts 2.3.37 General Availability {#a20181230}
 
-The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a "General
Availability"
+The Apache Struts group is pleased to announce that Struts 2.3.37 is available as a "General
Availability"
 release. The GA designation is our highest quality grade.
 
-In addition to critical overall proactive security improvements, this release addresses one
potential security vulnerability:
-
-- Possible Remote Code Execution when using results with no namespace and in same time, its
upper action(s) have no or 
-wildcard namespace. Same possibility when using url tag which doesn’t have value and action
set. - [S2-057]({{ site.wiki_url }}/S2-057)
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web
applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-**All developers are strongly advised to perform this action.**
-
-The 2.5.x series of the Apache Struts framework has a minimum requirement of the following
specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 7.
-
-Should any issues arise with your use of any version of the Struts framework, please post
your comments
-to the user list, and, if appropriate, file a tracking ticket.
-
-You can download this version from our [download](download.cgi#struts-ga) page.
-
-#### 22 August 2018 - Struts 2.3.35 General Availability {#a20180822-2}
-
-The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a "General
Availability"
-release. The GA designation is our highest quality grade.
-
-In addition to critical overall proactive security improvements, this release addresses one
potential security vulnerability:
+This release addresses one backward compatibility issue:
 
-- Possible Remote Code Execution when using results with no namespace and in same time, its
upper action(s) have no or 
-wildcard namespace. Same possibility when using url tag which doesn’t have value and action
set. - [S2-057]({{ site.wiki_url }}/S2-057)
+- Struts 2.3.36 - InvalidPathException: Illegal char <:> on JDK 9,10,11 on windows
+- Error when upgrading to struts2.3.35
+- Upgraded commons-fileupload to version 1.4
 
 Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web
applications.
 The framework is designed to streamline the full development cycle, from building, to deploying,
@@ -145,101 +75,8 @@ to the user list, and, if appropriate, file a tracking ticket.
 
 You can download this version from our [download](download.cgi#struts-23x) page.
 
-#### 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using
the Struts REST plugin {#a20180327}
-
-The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects
to use the latest released 
-version of the Apache Struts. This is necessary to prevent your publicly accessible web site,
which is using the Struts 
-REST plugin and performing XML serialisation, from being exposed to possible DoS attack.
-
-You can find more details in a Security Bulletin [S2-056](https://cwiki.apache.org/confluence/display/WW/S2-056)
-
-All developers are strongly advised to perform this action.
-
-#### 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 {#a20180323}
-
-The Apache Struts Team recommends to immediately upgrade your Struts 2
-based projects to use the latest released version of Commons
-FileUpload library, which is currently 1.3.3. This is necessary to
-prevent your publicly accessible web site from being exposed to
-possible Remote Code Execution attacks (see \[1] \[2]).
-
-This affects any Struts version prior to **2.5.12** \[3].
-
-Your project is affected if it uses the built-in file upload mechanism
-of Struts 2, which defaults to the use of commons-fileupload. The
-updated commons-fileupload library is a drop-in replacement for the
-vulnerable version. Deployed applications can be hardened by replacing
-the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
-Maven based Struts 2 projects, the following dependency needs to be
-added:
-
-```xml
-<dependency>
-  <groupId>commons-fileupload</groupId>
-  <artifactId>commons-fileupload</artifactId>
-  <version>1.3.3</version>
-</dependency>
-```
-
-More details can be found here:
-
-  1. [https://issues.apache.org/jira/browse/FILEUPLOAD-279](https://issues.apache.org/jira/browse/FILEUPLOAD-279)
-  2. [https://nvd.nist.gov/vuln/detail/CVE-2016-1000031](https://nvd.nist.gov/vuln/detail/CVE-2016-1000031)
-  3. [https://issues.apache.org/jira/browse/WW-4812](https://issues.apache.org/jira/browse/WW-4812)
-
-All developers are strongly advised to perform this action.
-
-#### 16 March 2018 - Struts 2.5.16 General Availability {#a20180316}
-
-The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a "General
Availability"
-release. The GA designation is our highest quality grade.
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web
applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-Below is a full list of all changes:
-
- - unclosed instantiation of PrintWriter
- - Http Sessions forcefully created for all requests using I18nInterceptor with default Storage
value.
- - NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
- - NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
when using ExecuteAndWait 
-   interceptor
- - ClassCastException in JarEntryRevision
- - Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
- - The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion
is now deprecated. If this 
-   method is removed in some next release, it will forbid to describe a converter by the
name (id) of a Spring bean.
- - Conversion by annotation does not work
- - List of Boolean is not populated in Action class
- - JSONResult exception in struts2-json-plugin-2.5.14.1.jar
- - buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined
in struts.xml
- - Could not create JarEntryRevision for [zip:C:/.... unknown protocol c
- - NPE in I18nInterceptor$SessionLocaleHandler.read
- - JasperReportResult: NPE When Not Using SQL Connection
- - support JSR 303 Validation Groups in BeanValidation-Plugin
- - Debug tag should not display anything when not in dev mode
- - Allow using of Initializable interface on an implementation level
- - Allowed methods inheritance
- - Allow use Jackson XML bindings to serialise / deserialise XML
- - when using an custom array as a filed in struts 2 action form textfiled data from jsp
page in not populating into 
-   custom array but populating in String array or array list
- - Upgrade Spring to version 4.3.13
- - Update Log4j2 to 2.10.0
-
-> Please read the [Version Notes]({{ site.wiki_url }}/Version+Notes+2.5.16) to find more
details about performed bug fixes and improvements.
-
-**All developers are strongly advised to perform this action.**
-
-The 2.5.x series of the Apache Struts framework has a minimum requirement of the following
specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 7.
-
-Should any issues arise with your use of any version of the Struts framework, please post
your comments
-to the user list, and, if appropriate, file a tracking ticket.
-
-You can download this version from our [download](download.cgi#struts-ga) page.
-
 <p class="pull-right">
-  Skip to: <a href="announce-2017.html">Announcements - 2017</a>
+  Skip to: <a href="announce-2018.html">Announcements - 2018</a>
 </p>
 
 <p class="pull-left">
diff --git a/source/index.html b/source/index.html
index 514350f..e8b185f 100644
--- a/source/index.html
+++ b/source/index.html
@@ -35,14 +35,14 @@ title: Welcome to the Apache Struts project
         <p>
           Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date
}}.
         </p>
-        Read more in <a href="announce.html#a{{ site.release_date_short }}-1">Announcement</a>
or in
+        Read more in <a href="announce.html#a{{ site.release_date_short }}">Announcement</a>
or in
         <a href="{{ site.wiki_url }}/Version+Notes+{{ site.current_version }}">Version
notes</a>
       </div>
       <div class="column col-md-4">
         <h2>Apache Struts {{ site.prev_version }} GA</h2>
         <p>
           It's the latest release of Struts 2.3.x which contains the latest security fixes,
-          released on {{ site.prev_release_date }}.<br/> Read more in <a href="announce.html#a{{
site.prev_release_date_short }}-2">Announcement</a> or in
+          released on {{ site.prev_release_date }}.<br/> Read more in <a href="announce.html#a{{
site.prev_release_date_short }}">Announcement</a> or in
           <a href="{{ site.wiki_url }}/Version+Notes+{{ site.prev_version }}">Version
notes</a>
         </p>
       </div>
@@ -66,12 +66,6 @@ title: Welcome to the Apache Struts project
         </p>
       </div>
       <div class="column col-md-4">
-        <h2>Immediately upgrade to version {{ site.current_version }} or {{ site.prev_version
}}</h2>
-        <p>
-          The Apache Security Struts Team recommends to immediately upgrade your Struts 2
based projects to use
-          the latest released version of the Apache Struts to prevent possible RCE attack
when using results with no namespace,
-          reported in <a href="{{ site.wiki_url }}/S2-057">S2-057</a>. Read more
in <a href="announce.html#a{{ site.release_date_short }}-0">Announcement</a>.
-        </p>
       </div>
     </div>
   </div>


Mime
View raw message