8 December 2013 - Struts 2.3.16 General Availability Release - Maintenance Release

The Apache Struts group is pleased to announce that Struts 2.3.16 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains many important improvements and doze of other small fixes, to light just few:

• Merged security fix from version 2.3.15.1, 2.3.15.2 and 2.3.15.3
• Solved problem with global "error" result in the Convention Plugin
• The action: and method: prefixes are be by default excluded and changed order to first check excludeParams and then acceptedParams in ParametersInterceptor
• Restored previous behaviour where both ParametersInterceptor AND ParameterNameAware must accept parameter - there is no more precedence
• Added proper support for multiple ActionMapper's used with PrefixBasedActionMapper
• Solved problem with creating empty map entries via Ognl
• ... and many more, please check the Version Notes

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.16.

Struts 2.3.16 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The version notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

15 October 2013 - Struts 2.3.15.3 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.15.3 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

One security issue was solved with this release:

• S2-018 - Broken Access Control Vulnerability in Apache Struts2
• and proper support for action: prefix was restored.

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.3.

Struts 2.3.15.3 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

20 September 2013 - Struts 2.3.15.2 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Two security issues were solved with this release:

• S2-018 - Broken Access Control Vulnerability in Apache Struts2
• S2-019 - Dynamic Method Invocation disabled by default

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.2.

Struts 2.3.15.2 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

16 July 2013 - Struts 2.3.15.1 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.15.1 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Two security issues were solved with this release:

• S2-016 - Remote code execution vulnerability when using short-circuit navigation parameter prefixes
• S2-017 - Open redirect vulnerability when using short-circuit redirect parameter prefixes

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.1.

Struts 2.3.15.1 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

22 June 2013 - Struts 2.3.15 General Availability Release

The Apache Struts group is pleased to announce that Struts 2.3.15 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

It's a mostly maintenance release but few important improvements were added as well:

• Merged security fix from version 2.3.14.1, 2.3.14.2 and 2.3.14.3
• Resolved problem with memory leak in ContainerHolder
• Resolved bug related to struts.convention.action.includeJars
• Improved OSGi support to allow work in Glassfish 3
• Added support to create cookies from whitin an action
• New interface - ValidationAware - was added to allow notify actions when there are action/field errors
• and other small improvments

All developers are recommended to update existing Struts 2 applications to Struts 2.3.15.

Struts 2.3.15 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

3 June 2013 - Struts 2.3.14.3 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.14.3 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

A highly critical security vulnerability was resolved in this release:

• S2-015 - A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.3 immediately.

Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

26 May 2013 - Struts 2.3.14.2 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.14.2 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

A highly critical security vulnerability was resolved in this release:

• S2-014 - A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.2 immediately.

Struts 2.3.14.2 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

22 May 2013 - Struts 2.3.14.1 General Availability Release

The Apache Struts group is pleased to announce that Struts 2.3.14.1 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Two security issues were solved with this release:

• Showcase app vulnerability allows remote command execution
• A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.14.1.

Struts 2.3.14.1 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

11 April 2013 - Struts 2.3.14 General Availability Release

The Apache Struts group is pleased to announce that Struts 2.3.14 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

It's a mostly maintenance release but few important improvements were added as well:

• All the annotations related to validators were updated to match the implementing classes
• The JUnit plugin supports now the Convention plugin configuration (check StrutsJUnit4ConventionTestCaseTest)
• Logging support was improved and extended to allow use user custom implementation of LoggingFactory

All developers are recommended to update existing Struts 2 applications to Struts 2.3.14.

Struts 2.3.14 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

5 April 2013 - Apache Struts 1 End-Of-Life (EOL) Announcement

The Apache Struts Project Team would like to inform you that the Struts 1.x web framework has reached its end of life and is no longer officially supported.

Please check the following readings to find more details.

• Apache Struts 1 EOL Announcement, including a detailed Q/A section
• Apache Struts 1 EOL Press Release

6 March 2013 - Struts 2.3.12 General Availability Release

The Apache Struts group is pleased to announce that Struts 2.3.12 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

It's a mostly maintenance release but few important improvements were added as well:

• All validators were refactored and right now parameters can be set via OGNL also parameter parse was removed
• Tag's required attribute was renamed to requiredLabel to allow support of Html5 required attribute in the tags
• New Tiles 3 plugin was added to support Tiles 3 result type
• Support for JBoss 5 to work with the Convention Plugin was improved

All developers are recommended to update existing Struts 2 applications to Struts 2.3.12.

Struts 2.3.12 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.