Adds notes about 2.3.29
Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/a6afc275 Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/a6afc275 Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/a6afc275 Branch: refs/heads/master Commit: a6afc2751a92ee69e8e0d4a68731847f42abd09d Parents: 4cc16c6 Author: Lukasz Lenart <lukasz.len...@gmail.com> Authored: Fri Jun 17 14:16:11 2016 +0200 Committer: Lukasz Lenart <lukasz.len...@gmail.com> Committed: Fri Jun 17 14:25:04 2016 +0200 ---------------------------------------------------------------------- source/announce.md | 56 +++++++++++++++- source/download.html | 162 ++++++---------------------------------------- source/index.html | 33 +++------- 3 files changed, 84 insertions(+), 167 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts-site/blob/a6afc275/source/announce.md ---------------------------------------------------------------------- diff --git a/source/announce.md b/source/announce.md index 70fa7a7..e4c62c8 100644 --- a/source/announce.md +++ b/source/announce.md 
@@ -8,6 +8,61 @@ title: Announcements Skip to: <a href="announce-2015.html">Announcements - 2015</a> </p> +#### 17 June 2016 - Struts 2.3.29 General Availability with Security Fixes Release {#a20160617} + +The Apache Struts group is pleased to announce that Struts 2.3.29 is available as a "General Availability" +release. The GA designation is our highest quality grade. + +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time. + +This release addresses two potential security vulnerabilities: + + - [S2-035](/docs/s2-035.html) + Action name clean up is error prone + + - [S2-036](/docs/s2-036.html) + Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, + may lead to remote code execution (similar to S2-029) + + - [S2-037](/docs/s2-037.html) + Remote Code Execution can be performed when using REST Plugin. + + - [S2-038](/docs/s2-038.html) + It is possible to bypass token validation and perform a CSRF attack + + - [S2-039](/docs/s2-039.html) + Getter as action method leads to security bypass + + - [S2-040](/docs/s2-040.html) + Input validation bypass using existing default action method. 
+ + - [S2-041](/docs/s2-041.html) + Possible DoS attack when using URLValidator + +This release contains several breaking changes and improvements just to mention few of them: + + - Json result type breaks + - MessageStorePreResultListener doesn't store messages for 3rd-party RedirectResult subclasses + - Multiple tiles.xml in web.xml + - New Tiles version can not find tiles*.xml files in sub-directories + - EmailValidator flags .cat emails as invalid + - Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80 + - Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+ + - `<s:submit>` generates a value attribute for type=image which violates W3C + - ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1 + +**All developers are strongly advised to perform this action.** + +The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6. + +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download this version from our [download](download.html#struts-ga) page. + #### 1 June 2016 - Two security vulnerabilities reported {#a20160601} Two potential security vulnerabilities were reported which were already addressed in the latest Apache Struts 2 versions. @@ -146,7 +201,6 @@ This release addresses three potential security vulnerabilities: **All developers are strongly advised to perform this action.** - This release contains several breaking changes and improvements just to mention few of them: - New Configurationprovider type was introduced - ServletContextAwareConfigurationProvider, see WW-4410 http://git-wip-us.apache.org/repos/asf/struts-site/blob/a6afc275/source/download.html ---------------------------------------------------------------------- 
diff --git a/source/download.html b/source/download.html index 36d03d1..e00d546 100644 --- a/source/download.html +++ b/source/download.html @@ -139,20 +139,20 @@ title: Download a Release </ul> -<a class="anchor" name="struts23281"></a> -<h2>Struts 2.3.28.1</h2> +<a class="anchor" name="struts2329"></a> +<h2>Struts 2.3.29</h2> <ul> <li> - <a href="http://struts.apache.org/docs/version-notes-23281.html">Version Notes</a> + <a href="http://struts.apache.org/docs/version-notes-2329.html">Version Notes</a> </li> <li>Full Distribution: <ul> <li> - <a href="[preferred]struts/2.3.28.1/struts-2.3.28.1-all.zip">struts-2.3.28.1-all.zip</a> (65MB) - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-all.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-all.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.29/struts-2.3.29-all.zip">struts-2.3.29-all.zip</a> (65MB) + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-all.zip.asc">PGP</a>] + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-all.zip.md5">MD5</a>] </li> </ul> </li> @@ -160,9 +160,9 @@ title: Download a Release <li>Example Applications: <ul> <li> - <a href="[preferred]struts/2.3.28.1/struts-2.3.28.1-apps.zip">struts-2.3.28.1-apps.zip</a> (35MB) - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-apps.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-apps.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.29/struts-2.3.29-apps.zip">struts-2.3.29-apps.zip</a> (35MB) + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-apps.zip.asc">PGP</a>] + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-apps.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -170,9 +170,9 @@ title: Download a Release <li>Essential Dependencies Only: <ul> <li> - <a href="[preferred]struts/2.3.28.1/struts-2.3.28.1-min-lib.zip">struts-2.3.28.1-min-lib.zip</a> (4MB) - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-min-lib.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-min-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.29/struts-2.3.29-min-lib.zip">struts-2.3.29-min-lib.zip</a> (4MB) + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-min-lib.zip.asc">PGP</a>] + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-min-lib.zip.md5">MD5</a>] </li> </ul> </li> @@ -180,9 +180,9 @@ title: Download a Release <li>All Dependencies: <ul> <li> - <a href="[preferred]struts/2.3.28.1/struts-2.3.28.1-lib.zip">struts-2.3.28.1-lib.zip</a> (19MB) - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-lib.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-lib.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.29/struts-2.3.29-lib.zip">struts-2.3.29-lib.zip</a> (19MB) + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-lib.zip.asc">PGP</a>] + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-lib.zip.md5">MD5</a>] </li> </ul> </li> @@ -190,9 +190,9 @@ title: Download a Release <li>Documentation: <ul> <li> - <a href="[preferred]struts/2.3.28.1/struts-2.3.28.1-docs.zip">struts-2.3.28.1-docs.zip</a> (13MB) - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-docs.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-docs.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.29/struts-2.3.29-docs.zip">struts-2.3.29-docs.zip</a> (13MB) + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-docs.zip.asc">PGP</a>] + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-docs.zip.md5">MD5</a>] </li> </ul> </li> 
@@ -200,129 +200,9 @@ title: Download a Release <li>Source: <ul> <li> - <a href="[preferred]struts/2.3.28.1/struts-2.3.28.1-src.zip">struts-2.3.28.1-src.zip</a> (7MB) - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-src.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.28.1/struts-2.3.28.1-src.zip.md5">MD5</a>] - </li> - </ul> - </li> - -</ul> - -<a class="anchor" name="struts23243"></a> -<h2>Struts 2.3.24.3</h2> - -<ul> - <li> - <a href="http://struts.apache.org/docs/version-notes-23243.html">Version Notes</a> - </li> - - <li>Full Distribution: - <ul> - <li> - <a href="[preferred]struts/2.3.24.3/struts-2.3.24.3-all.zip">struts-2.3.24.3-all.zip</a> (65MB) - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-all.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-all.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>Example Applications: - <ul> - <li> - <a href="[preferred]struts/2.3.24.3/struts-2.3.24.3-apps.zip">struts-2.3.24.3-apps.zip</a> (35MB) - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-apps.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-apps.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>All Dependencies: - <ul> - <li> - <a href="[preferred]struts/2.3.24.3/struts-2.3.24.3-lib.zip">struts-2.3.24.3-lib.zip</a> (19MB) - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-lib.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-lib.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>Documentation: - <ul> - <li> - <a href="[preferred]struts/2.3.24.3/struts-2.3.24.3-docs.zip">struts-2.3.24.3-docs.zip</a> (13MB) - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-docs.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-docs.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>Source: - <ul> - <li> - 
<a href="[preferred]struts/2.3.24.3/struts-2.3.24.3-src.zip">struts-2.3.24.3-src.zip</a> (7MB) - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-src.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.24.3/struts-2.3.24.3-src.zip.md5">MD5</a>] - </li> - </ul> - </li> - -</ul> - -<a class="anchor" name="struts23203"></a> -<h2>Struts 2.3.20.3</h2> - -<ul> - <li> - <a href="http://struts.apache.org/docs/version-notes-23203.html">Version Notes</a> - </li> - - <li>Full Distribution: - <ul> - <li> - <a href="[preferred]struts/2.3.20.3/struts-2.3.20.3-all.zip">struts-2.3.20.3-all.zip</a> (65MB) - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-all.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-all.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>Example Applications: - <ul> - <li> - <a href="[preferred]struts/2.3.20.3/struts-2.3.20.3-apps.zip">struts-2.3.20.3-apps.zip</a> (35MB) - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-apps.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-apps.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>All Dependencies: - <ul> - <li> - <a href="[preferred]struts/2.3.20.3/struts-2.3.20.3-lib.zip">struts-2.3.20.3-lib.zip</a> (19MB) - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-lib.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-lib.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>Documentation: - <ul> - <li> - <a href="[preferred]struts/2.3.20.3/struts-2.3.20.3-docs.zip">struts-2.3.20.3-docs.zip</a> (13MB) - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-docs.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-docs.zip.md5">MD5</a>] - </li> - </ul> - </li> - - <li>Source: - <ul> - <li> - <a 
href="[preferred]struts/2.3.20.3/struts-2.3.20.3-src.zip">struts-2.3.20.3-src.zip</a> (7MB) - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-src.zip.asc">PGP</a>] - [<a href="http://www.apache.org/dist/struts/2.3.20.3/struts-2.3.20.3-src.zip.md5">MD5</a>] + <a href="[preferred]struts/2.3.29/struts-2.3.29-src.zip">struts-2.3.29-src.zip</a> (7MB) + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-src.zip.asc">PGP</a>] + [<a href="http://www.apache.org/dist/struts/2.3.29/struts-2.3.29-src.zip.md5">MD5</a>] </li> </ul> </li> http://git-wip-us.apache.org/repos/asf/struts-site/blob/a6afc275/source/index.html ---------------------------------------------------------------------- diff --git a/source/index.html b/source/index.html index 97d15d5..86cd9c0 100644 --- a/source/index.html +++ b/source/index.html 
@@ -31,45 +31,28 @@ title: Welcome to the Apache Struts project </p> </div> <div class="column col-md-4"> - <h2>Apache Struts {{ site.current_version }} GA</h2> + <h2>Apache Struts 2.3.29 GA</h2> <p> - Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date }}. + It's the latest release of Struts 2.3.x, + read more in <a href="announce.html#a20160617">Announcement</a> or in + <a href="/docs/version-notes-2329.html">Version notes</a> </p> - Read more in <a href="announce.html#a{{ site.release_date_short }}">Announcement</a> or in - <a href="/docs/version-notes-{{ site.current_version_short }}.html">Version notes</a> </div> <div class="column col-md-4"> - <h2>Apache Struts 2.3.28.1 GA</h2> + <h2>Apache Struts {{ site.current_version }} GA</h2> <p> - It's the latest release of Struts 2.3.x, - read more in <a href="announce.html#aa20160419">Announcement</a> or in - <a href="/docs/version-notes-23281.html">Version notes</a> + Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date }}. </p> + Read more in <a href="announce.html#a{{ site.release_date_short }}">Announcement</a> or in + <a href="/docs/version-notes-{{ site.current_version_short }}.html">Version notes</a> </div> </div> <div class="row"> <div class="column col-md-4"> - <h2>Apache Struts 2.3.20.3 & 2.3.24.3</h2> - <p> - We have released two older versions of Apache Struts which contain the latest security fixes. - Please read announcement for <a href="announce.html#a20160419-1">2.3.20.3 & 2.3.24.3</a> - and version notes for <a href="/docs/version-notes-23203.html">2.3.20.3</a> and - <a href="/docs/version-notes-23243.html">2.3.24.3</a>. - </p> </div> <div class="column col-md-4"> - <h2>Security Bulletin S2-033 & S2-034</h2> - <p> - Two new Security Bulletins were published, please read more in the - <a href="announce.html#a20160601">Announcement</a>. 
- </p> </div> <div class="column col-md-4"> - <h2>Security Bulletin S2-032</h2> - <p> - A new security bulletin was published, please carefully read the - <a href="/docs/s2-032.html">S2-032</a> bulletin. - </p> </div> </div> </div>
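Review bot: In source/announce.md, the new 17 June 2016 entry says "This release addresses two potential security vulnerabilities:" but the list under it has seven bulletins, S2-035 through S2-041; correct the count or drop the number. The bold line "All developers are strongly advised to perform this action." has nothing to refer to, because no sentence in the entry tells readers to upgrade to 2.3.29, and it now sits after the list of breaking changes; add the upgrade sentence and place the bold line directly after the security list. The entry links to download.html#struts-ga while the anchor this commit adds in download.html is named struts2329, so confirm that a struts-ga anchor exists on that page.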
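Review bot: In source/download.html, the rewritten PGP and MD5 links for every 2.3.29 artifact still use plain http://www.apache.org/dist/struts/2.3.29/... and MD5 is the only digest offered. For a release announced as a security fix, switch these hrefs to https and make the PGP signature the check that readers are told to perform, since an MD5 file fetched over the same unauthenticated channel does not detect a tampered archive. The same hunks delete the whole 2.3.24.3 and 2.3.20.3 sections together with their struts23243 and struts23203 anchors; check that no remaining page links to those anchors and say in the commit message where users on those lines should go.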
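Review bot: In source/index.html, the second row is left with three empty <div class="column col-md-4"> elements once the 2.3.20.3 & 2.3.24.3, S2-033 & S2-034 and S2-032 boxes are removed, and nothing on the front page points at the bulletins S2-035 to S2-041 that this commit announces. Either delete the empty row or use one column to link the bulletins fixed in 2.3.29. In the moved {{ site.current_version }} column the "Read more in" links still sit after the closing </p>, while the new 2.3.29 column keeps its links inside the paragraph; move them inside so both columns have the same markup.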