From commits-return-18294-archive-asf-public=cust-asf.ponee.io@struts.apache.org Wed Jan 16 08:51:32 2019
Reply-To: dev@struts.apache.org
Date: Wed, 16 Jan 2019 07:51:29 +0000
To: "commits@struts.apache.org"
Subject: [struts-site] branch master updated: Adds announcements of newly
released versions
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <154762508946.15757.15285062002003261733@gitbox.apache.org>
From: lukaszlenart@apache.org
X-Git-Host: gitbox.apache.org
X-Git-Repo: struts-site
X-Git-Refname: refs/heads/master
X-Git-Reftype: branch
X-Git-Oldrev: 9957e602b2e77548662859d3dc5b9b342f7999de
X-Git-Newrev: 4fbe63cece1406d9674d47369ff2f189a5234bb8
X-Git-Rev: 4fbe63cece1406d9674d47369ff2f189a5234bb8
X-Git-NotificationType: ref_changed_plus_diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/master by this push:
new 4fbe63c Adds announcements of newly released versions
4fbe63c is described below
commit 4fbe63cece1406d9674d47369ff2f189a5234bb8
Author: Lukasz Lenart
AuthorDate: Wed Jan 16 08:50:40 2019 +0100
Adds announcements of newly released versions
---
_config.yml | 16 +--
source/{announce.md => announce-2018.md} | 0
source/announce.md | 209 ++++---------------------------
source/index.html | 10 +-
4 files changed, 33 insertions(+), 202 deletions(-)
diff --git a/_config.yml b/_config.yml
index ea930d7..3342fca 100644
--- a/_config.yml
+++ b/_config.yml
@@ -10,17 +10,17 @@ kramdown:
syntax_highlighter: rouge
# Simplifies introducing changes related to the latest release
-current_version: 2.5.18
-current_version_short: 2518
-prev_version: 2.3.36
-prev_version_short: 2336
+current_version: 2.5.20
+current_version_short: 2520
+prev_version: 2.3.37
+prev_version_short: 2337
archetype_version: 2.5.14
current_beta_version: 2.5-BETA3
current_beta_version_short: 25B3
-release_date: 15 October 2018
-release_date_short: 20181015
-prev_release_date: 15 October 2018
-prev_release_date_short: 20181015
+release_date: 14 January 2019
+release_date_short: 20190114
+prev_release_date: 30 December 2018
+prev_release_date_short: 20181230
beta_release_date_short: 20160126
# Allows directly edit pages on GitHub
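Review bot: `archetype_version: 2.5.14` in the unchanged context stays where it was while `current_version` moves to 2.5.20. If a matching archetype was released, bump it in this hunk as well; if it is pinned on purpose, a short comment next to the key saying so would prevent the question at every release. The `*_short` values are also maintained by hand alongside the full values, so it is worth double-checking that each pair still agrees after this edit.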
diff --git a/source/announce.md b/source/announce-2018.md
similarity index 100%
copy from source/announce.md
copy to source/announce-2018.md
diff --git a/source/announce.md b/source/announce.md
index 99fe1f0..66f8957 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -1,53 +1,21 @@
---
layout: default
-title: Announcements 2018
+title: Announcements 2019
---
-# Announcements 2018
+# Announcements 2019
{:.no_toc}
* Will be replaced with the ToC, excluding a header
{:toc}
- Skip to: Announcements - 2017
+ Skip to: Announcements - 2018
-#### 14 November 2018 - Apache Struts 2.3.x End-Of-Life (EOL) Announcement {#a20181114}
+#### 14 January 2019 - Struts 2.5.20 General Availability {#a20190114}
-The Apache Struts Project Team would like to inform you that the Struts 2.3.x web framework will reach
-its end of life in 6 months and won't be longer officially supported.
-
-Please check the following reading to find more details.
-
- - [Apache Struts 2.3.x EOL Announcement](struts23-eol-announcement), including a detailed Q/A section
-
-#### 15 October 2018 - Struts 2.3.36 General Availability {#a20181015-2}
-
-The Apache Struts group is pleased to announce that Struts 2.3.36 is available as a "General Availability"
-release. The GA designation is our highest quality grade.
-
-This release addresses one backward compatibility issue:
-
-- [xml-validation fails since struts 2.5.17]({{ site.wiki_url }}/Version+Notes+2.3.36)
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-**All developers are strongly advised to perform this action.**
-
-The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 6.
-
-Should any issues arise with your use of any version of the Struts framework, please post your comments
-to the user list, and, if appropriate, file a tracking ticket.
-
-You can download this version from our [download](download.cgi#struts-23x) page.
-
-#### 15 October 2018 - Struts 2.5.18 General Availability {#a20181015-1}
-
-The Apache Struts group is pleased to announce that Struts 2.5.18 is available as a "General Availability"
+The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a "General Availability"
release. The GA designation is our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
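Review bot: Dropping the `#a20181114` entry at the top of this hunk takes the Struts 2.3.x End-Of-Life notice off the current announcements page, although the six-month period it announces (counted from 14 November 2018) is still running when this lands. Consider keeping that entry, or at least a one-line pointer to `struts23-eol-announcement`, on the 2019 page, since the 2.3.37 announcement added further down gives no hint that the 2.3.x line is about to go out of support.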
@@ -56,16 +24,18 @@ to maintaining applications over time.
Below is a full list of all changes:
- - `jar_cache` Some jar_cache******.tmp files are generated into a temporary directory(/tmp) during web service start
- - Struts 2.5.16 is creating jar_cache files in temp folder
- - MD5 and SHA1 should no longer be provided on download pages
- - xml-validation fails since struts 2.5.17
+- s:include tag fails with truncated content in certain circumstances
+- NullPointerException in DefaultStaticContentLoader#findStaticResource
+- Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest
+- Static files like css and js files in struts-core not properly served
+- Race condition reloading config results in actions not found
+- Setting Struts2 options Css Class
+- Enhancement for s:set tag to improve tag body whitespace control.
+- Add support for Java 11
+- Upgraded commons-fileupload to version 1.4
+- Update multiple Struts 2.5.x libraries to more recent versions
+- Update OGNL versions for 2.6 and 2.5.x builds
-Internal Changes:
-
-- XWorkList was moved into a com.opensymphony.xwork2.conversion.impl package as com.opensymphony.xwork2.util package is excluded
- by the Internal Security Mechanism.
-
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
to maintaining applications over time.
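Review bot: The new change list is plain text with no link to the issues or to the Version Notes, so a reader cannot tell what the commons-fileupload 1.4 and OGNL updates involve or whether they are security relevant. The 2.5.16 entry carried a `> Please read the [Version Notes](...)` line; adding the equivalent for 2.5.20 would close that gap. The list marker also changes from ` - ` to `- ` in this hunk, which is worth keeping consistent with the rest of the file.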
@@ -80,56 +50,16 @@ to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our [download](download.cgi#struts-ga) page.
-#### 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 {#a20180822-0}
-
-CVEID:CVE-2018-11776
-
-PRODUCT:Apache Struts
-
-VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
-
-PROBLEMTYPE:Remote Code Execution
-
-REFERENCES:[S2-057]({{ site.wiki_url }}/S2-057)
-
-DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and
-2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its
-upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action
-set and in same time, its upper action(s) have no or wildcard namespace.
-
-#### 22 August 2018 - Struts 2.5.17 General Availability {#a20180822-1}
+#### 30 December 2018 - Struts 2.3.37 General Availability {#a20181230}
-The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a "General Availability"
+The Apache Struts group is pleased to announce that Struts 2.3.37 is available as a "General Availability"
release. The GA designation is our highest quality grade.
-In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:
-
-- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or
-wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057)
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-**All developers are strongly advised to perform this action.**
-
-The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 7.
-
-Should any issues arise with your use of any version of the Struts framework, please post your comments
-to the user list, and, if appropriate, file a tracking ticket.
-
-You can download this version from our [download](download.cgi#struts-ga) page.
-
-#### 22 August 2018 - Struts 2.3.35 General Availability {#a20180822-2}
-
-The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a "General Availability"
-release. The GA designation is our highest quality grade.
-
-In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:
+This release addresses one backward compatibility issue:
-- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or
-wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057)
+- Struts 2.3.36 - InvalidPathException: Illegal char <:> on JDK 9,10,11 on windows
+- Error when upgrading to struts2.3.35
+- Upgraded commons-fileupload to version 1.4
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
The framework is designed to streamline the full development cycle, from building, to deploying,
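Review bot: The reused lead-in `This release addresses one backward compatibility issue:` is now followed by three items, one of which is a dependency upgrade rather than a compatibility fix. Reword it to match the list, for example "This release addresses the following issues:". The 2.3.37 entry also has no Version Notes link, unlike the 2.3.36 entry removed earlier in this file.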
@@ -145,101 +75,8 @@ to the user list, and, if appropriate, file a tracking ticket.
You can download this version from our [download](download.cgi#struts-23x) page.
-#### 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin {#a20180327}
-
-The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released
-version of the Apache Struts. This is necessary to prevent your publicly accessible web site, which is using the Struts
-REST plugin and performing XML serialisation, from being exposed to possible DoS attack.
-
-You can find more details in a Security Bulletin [S2-056](https://cwiki.apache.org/confluence/display/WW/S2-056)
-
-All developers are strongly advised to perform this action.
-
-#### 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3 {#a20180323}
-
-The Apache Struts Team recommends to immediately upgrade your Struts 2
-based projects to use the latest released version of Commons
-FileUpload library, which is currently 1.3.3. This is necessary to
-prevent your publicly accessible web site from being exposed to
-possible Remote Code Execution attacks (see \[1] \[2]).
-
-This affects any Struts version prior to **2.5.12** \[3].
-
-Your project is affected if it uses the built-in file upload mechanism
-of Struts 2, which defaults to the use of commons-fileupload. The
-updated commons-fileupload library is a drop-in replacement for the
-vulnerable version. Deployed applications can be hardened by replacing
-the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
-Maven based Struts 2 projects, the following dependency needs to be
-added:
-
-```xml
-
- commons-fileupload
- commons-fileupload
- 1.3.3
-
-```
-
-More details can be found here:
-
- 1. [https://issues.apache.org/jira/browse/FILEUPLOAD-279](https://issues.apache.org/jira/browse/FILEUPLOAD-279)
- 2. [https://nvd.nist.gov/vuln/detail/CVE-2016-1000031](https://nvd.nist.gov/vuln/detail/CVE-2016-1000031)
- 3. [https://issues.apache.org/jira/browse/WW-4812](https://issues.apache.org/jira/browse/WW-4812)
-
-All developers are strongly advised to perform this action.
-
-#### 16 March 2018 - Struts 2.5.16 General Availability {#a20180316}
-
-The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a "General Availability"
-release. The GA designation is our highest quality grade.
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-Below is a full list of all changes:
-
- - unclosed instantiation of PrintWriter
- - Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
- - NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
- - NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait
- interceptor
- - ClassCastException in JarEntryRevision
- - Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
- - The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this
- method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.
- - Conversion by annotation does not work
- - List of Boolean is not populated in Action class
- - JSONResult exception in struts2-json-plugin-2.5.14.1.jar
- - buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml
- - Could not create JarEntryRevision for [zip:C:/.... unknown protocol c
- - NPE in I18nInterceptor$SessionLocaleHandler.read
- - JasperReportResult: NPE When Not Using SQL Connection
- - support JSR 303 Validation Groups in BeanValidation-Plugin
- - Debug tag should not display anything when not in dev mode
- - Allow using of Initializable interface on an implementation level
- - Allowed methods inheritance
- - Allow use Jackson XML bindings to serialise / deserialise XML
- - when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into
- custom array but populating in String array or array list
- - Upgrade Spring to version 4.3.13
- - Update Log4j2 to 2.10.0
-
-> Please read the [Version Notes]({{ site.wiki_url }}/Version+Notes+2.5.16) to find more details about performed bug fixes and improvements.
-
-**All developers are strongly advised to perform this action.**
-
-The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 7.
-
-Should any issues arise with your use of any version of the Struts framework, please post your comments
-to the user list, and, if appropriate, file a tracking ticket.
-
-You can download this version from our [download](download.cgi#struts-ga) page.
-
- Skip to: Announcements - 2017
+ Skip to: Announcements - 2018
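Review bot: The entries removed in this hunk take their anchor ids (`#a20180327`, `#a20180323`, `#a20180316`) off `announce.md`, and the same happens to `#a20180822-0` in the previous hunk; they survive only in the `announce-2018.md` copy. Any existing link to the announce page with one of those fragments, including the S2-056 and commons-fileupload advisories, will now land at the top of the 2019 page instead of on the advisory. Check in-repo references to these anchors and point them at the 2018 page.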
diff --git a/source/index.html b/source/index.html
index 514350f..e8b185f 100644
--- a/source/index.html
+++ b/source/index.html
@@ -35,14 +35,14 @@ title: Welcome to the Apache Struts project
Apache Struts {{ site.current_version }} GA has been released
on {{ site.release_date }}.
- Read more in Announcement or in
+ Read more in Announcement or in
Version notes
Apache Struts {{ site.prev_version }} GA
It's the latest release of Struts 2.3.x which contains the latest security fixes,
- released on {{ site.prev_release_date }}.
Read more in Announcement or in
+ released on {{ site.prev_release_date }}.
Read more in Announcement or in
Version notes
@@ -66,12 +66,6 @@ title: Welcome to the Apache Struts project
-
Immediately upgrade to version {{ site.current_version }} or {{ site.prev_version }}
-
- The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use
- the latest released version of the Apache Struts to prevent possible RCE attack when using results with no namespace,
- reported in S2-057. Read more in Announcement.
-
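Review bot: Removing the "Immediately upgrade" block leaves the front page without any reference to S2-057, and the same commit moves the CVE-2018-11776 announcement off `announce.md`. The block was already written against `{{ site.current_version }}` and `{{ site.prev_version }}`, so it would have followed the new version numbers on its own. If it is being retired deliberately, consider leaving a short link to the security bulletins so that users still on 2.3.34, 2.5.16 or earlier see why they need to upgrade.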