This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new deb7af4 Updates stage by Jenkins
deb7af4 is described below
commit deb7af4e433c8fca6a59a446efc1646753c7cff8
Author: jenkins <[email protected]>
AuthorDate: Mon Aug 24 06:35:41 2020 +0000
Updates stage by Jenkins
---
content/{announce.html => announce-2019.html} | 2 +-
content/announce.html | 168 +++---------------------
content/core-developers/interceptors.html | 11 ++
content/core-developers/struts-default-xml.html | 11 ++
content/index.html | 40 +++---
5 files changed, 62 insertions(+), 170 deletions(-)
diff --git a/content/announce.html b/content/announce-2019.html
similarity index 99%
copy from content/announce.html
copy to content/announce-2019.html
index 2a620cd..9ec6e55 100644
--- a/content/announce.html
+++ b/content/announce-2019.html
@@ -126,7 +126,7 @@
<article class="container">
<section class="col-md-12">
- <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/announce.md";
title="Edit this page on GitHub">Edit on GitHub</a>
+ <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/announce-2019.md";
title="Edit this page on GitHub">Edit on GitHub</a>
<h1 class="no_toc" id="announcements-2019">Announcements 2019</h1>
diff --git a/content/announce.html b/content/announce.html
index 2a620cd..1444b0e 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -7,7 +7,7 @@
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
- <title>Announcements 2019</title>
+ <title>Announcements 2020</title>
<link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
<link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
@@ -128,174 +128,44 @@
<section class="col-md-12">
<a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/announce.md";
title="Edit this page on GitHub">Edit on GitHub</a>
- <h1 class="no_toc" id="announcements-2019">Announcements 2019</h1>
+ <h1 class="no_toc" id="announcements-2020">Announcements 2020</h1>
<ul id="markdown-toc">
- <li><a href="#a20191129" id="markdown-toc-a20191129">29 November 2019 -
Struts 2.5.22 General Availability</a></li>
- <li><a href="#a20190912" id="markdown-toc-a20190912">12 September 2019 -
Struts 2.3.x reached End-Of-Life</a></li>
- <li><a href="#a20190815" id="markdown-toc-a20190815">15 August 2019 -
Security Advice: Announcing corrected affected version ranges in historic
Apache Struts security bulletins and CVE entries</a></li>
- <li><a href="#a20190114" id="markdown-toc-a20190114">14 January 2019 -
Struts 2.5.20 General Availability</a></li>
- <li><a href="#a20181230" id="markdown-toc-a20181230">30 December 2018 -
Struts 2.3.37 General Availability</a></li>
+ <li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 -
Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233
(DoS) security issues</a></li>
</ul>
<p class="pull-right">
- Skip to: <a href="announce-2018.html">Announcements - 2018</a>
+ Skip to: <a href="announce-2019.html">Announcements - 2019</a>
</p>
-<h4 id="a20191129">29 November 2019 - Struts 2.5.22 General Availability</h4>
+<h4 id="a20200813">13 August 2020 - Security Advice: Announcing CVE-2019-0230
(Possible RCE) and CVE-2019-0233 (DoS) security issues</h4>
-<p>The Apache Struts group is pleased to announce that Struts 2.5.22 is
available as a “General Availability”
-release. The GA designation is our highest quality grade.</p>
-
-<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from
building, to deploying,
-to maintaining applications over time.</p>
-
-<blockquote>
- <p>Please be aware of new security enhancements added to the version of
Struts, they are disabled by default
-but please consider enabling them to increase safety of you application. You
will find more details in our
-<a href="security">Security Guide</a>.</p>
-</blockquote>
-
-<p>Below is a full list of all changes:</p>
+<p>Two new <a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin";>Struts
Security Bulletins</a> have been issued for Struts 2 by the Apache Struts
Security Team:</p>
<ul>
- <li>File upload fails from certain clients</li>
- <li>Not existing property in listValueKey throws exception</li>
- <li>Can’t get OgnlValueStack log even if enable logMissingProperties</li>
- <li>No more calling of a static variable in Struts 2.8.20 available</li>
- <li>NullPointerException in ProxyUtil class when accessing static member</li>
- <li>EmptyStackException in JSON plugin due to concurrency</li>
- <li>Tiles bug when parsing file:// URLs including # as part of the URL</li>
- <li>Accessing static variable via OGNL returns nothing</li>
- <li>HttpParameters.Builder can wrap objects in two layers of Parameters</li>
- <li>Binding Integer Array upon form submission</li>
- <li>Double-submit of TokenSessionStoreInterceptor broken since 2.5.16</li>
- <li>xerces tries to load resources from the internet</li>
- <li>Dispatcher prints stacktraces directly to the console</li>
- <li>The content allowed-methods tag of the XML configuration is sometimes
truncated</li>
- <li>OGNL: An illegal reflective access operation has occurred</li>
- <li>java.lang.reflect.InvocationTargetException - Class:
com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector</li>
- <li>Struts2 convention plugin lacks Java 11 support</li>
- <li>Upgrade SLF4J to latest 1.7.x version</li>
- <li>Minor enhancement/fix to AbstractLocalizedTextProvider</li>
- <li>Provide mechanism to clear OgnlUtil caches</li>
- <li>Struts 2 unit testing using StrutTestCase class</li>
- <li>Upgrade Jackson library to the latest version</li>
- <li>Upgrade to OGNL version 3.1.22</li>
- <li>Update a few Struts 2.5.x libraries to more recent versions</li>
- <li>Upgrade commons-beanutils to version 1.9.4</li>
- <li>Upgrade jackson-databind to version 2.9.9.3</li>
- <li>Upgrade to OGNL 3.1.26 and adapt to its new features</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/ww/s2-059";>S2-059</a> -
Forced double OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution (CVE-2019-0230)</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/ww/s2-060";>S2-060</a> -
Access permission override causing a Denial of Service when performing a file
upload (CVE-2019-0233)</li>
</ul>
-<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from
building, to deploying,
-to maintaining applications over time.</p>
-
-<p><strong>All developers are strongly advised to perform this
action.</strong></p>
-
-<p>The 2.5.x series of the Apache Struts framework has a minimum requirement
of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 7.</p>
-
-<p>Should any issues arise with your use of any version of the Struts
framework, please post your comments
-to the user list, and, if appropriate, file a tracking ticket.</p>
-
-<p>You can download this version from our <a
href="download.cgi#struts-ga">download</a> page.</p>
-
-<h4 id="a20190912">12 September 2019 - Struts 2.3.x reached End-Of-Life</h4>
-
-<p>As announced over 6 months ago, Apache Struts 2.3.x web framework series
reached its end of life and won’t be longer
-officially supported. Please check the following reading to find more
details:</p>
-
-<p><a href="struts23-eol-announcement">Apache Struts 2.3.x EOL
Announcement</a></p>
+<p>Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The
current version 2.5.22, which was released in November 2019, is not
affected.</p>
-<h4 id="a20190815">15 August 2019 - Security Advice: Announcing corrected
affected version ranges in historic Apache Struts security bulletins and CVE
entries</h4>
+<p><a
href="https://cwiki.apache.org/confluence/display/ww/s2-059";>CVE-2019-0230</a>
has been reported by Matthias Kaiser, Apple Information Security.
+By design, Struts 2 allows developers to utilize forced double evaluation for
certain tag attributes.
+When used with unvalidated, user modifiable input, malicious OGNL expressions
may be injected.
+In an ongoing effort, the Struts framework includes mitigations for limiting
the impact of injected expressions, but Struts before 2.5.22 left an attack
vector open which is addressed by this report.
+<strong>However, we continue to urge developers building upon Struts 2 to <a
href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions";>not
use <code class="highlighter-rouge">%{...}</code> or <code
class="highlighter-rouge">${...}</code> syntax referencing unvalidated user
modifiable input in tag attributes </a>, since this is the ultimate fix for
this class of vulnerabilities.</strong></p>
-<p>The Apache Struts Security team would like to announce that a number of
historic <a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin";>Struts
Security Bulletins</a> and related CVE database entries contained incorrect
affected release version ranges.</p>
+<p><a
href="https://cwiki.apache.org/confluence/display/ww/s2-060";>CVE-2019-0233</a>
has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
+In Struts before 2.5.22, when a file upload is performed to an Action that
exposes the file with a getter, an attacker may manipulate the request such
that the working copy of the uploaded file or even the container temporary
upload directory may be set to read-only access. As a result, subsequent
actions on the file or file uploads in general will fail with an error.</p>
-<p>The issue was reported by Christopher Fearon and the Black Duck Research
Team within the Synopsys Cybersecurity Research Center. The reporting entity
conducted thorough investigations on this matter, leading to a report to the
Apache Struts Security Team. The Apache Struts Security Team worked with the
reporters to cross-check said issues and map them to affected Apache Struts
General Availability (GA) releases.</p>
+<p>Both issues are already fixed in Apache Struts <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22";>2.5.22</a>,
which was released in November 2019.</p>
-<p>This effort led to the issue of Struts Security Bulletin S2-058,
referencing 15 historic Struts Security Bulletins and <a
href="https://github.com/CVEProject/cvelist/pull/2423/files";>respective CVE
entries</a> that have been updated to reflect corrections in affected GA
version ranges as well as minimum GA versions to contain appropriate fixes for
the issues at hand.</p>
-
-<p>The full Security Bulletin can be found here:</p>
-
-<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-058";>Apache
Struts Security Buletin S2-058</a></p>
-
-<p>The Struts Security Team stresses that while the reporters reference more
affected issues and resulting affected version ranges, the Struts Security
Bulletins only cover GA versions designated for production use. This led to
less corrected Security Bulletins and CVE entries compared to the number of
covered issues in the original report.</p>
-
-<p>It is very important to understand that while the individual listed
bulletins contain updated minimum fix versions, it is strongly recommended to
update to the version recommended by the latest Security Bulletin, which is <a
href="https://cwiki.apache.org/confluence/display/WW/S2-057";>S2-057</a> by the
time of this announcement. Following this advice, the recommended minimum
Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.</p>
+<p><strong>We strongly recommend all users to <a
href="download.cgi#struts-ga">upgrade</a> to Struts 2.5.22, if this has not
been done already.</strong></p>
<p>The Apache Struts Security Team would like to thank the reporters for their
efforts and their practice of responsible disclosure, as well as their help
while investigating the report and coordinating public disclosure.</p>
-<h4 id="a20190114">14 January 2019 - Struts 2.5.20 General Availability</h4>
-
-<p>The Apache Struts group is pleased to announce that Struts 2.5.20 is
available as a “General Availability”
-release. The GA designation is our highest quality grade.</p>
-
-<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from
building, to deploying,
-to maintaining applications over time.</p>
-
-<p>Below is a full list of all changes:</p>
-
-<ul>
- <li>s:include tag fails with truncated content in certain circumstances</li>
- <li>NullPointerException in
DefaultStaticContentLoader#findStaticResource</li>
- <li>Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest</li>
- <li>Static files like css and js files in struts-core not properly
served</li>
- <li>Race condition reloading config results in actions not found</li>
- <li>Setting Struts2 <s:select> options Css Class</s:select></li>
- <li>Enhancement for s:set tag to improve tag body whitespace control.</li>
- <li>Add support for Java 11</li>
- <li>Upgraded commons-fileupload to version 1.4</li>
- <li>Update multiple Struts 2.5.x libraries to more recent versions</li>
- <li>Update OGNL versions for 2.6 and 2.5.x builds</li>
-</ul>
-
-<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from
building, to deploying,
-to maintaining applications over time.</p>
-
-<p><strong>All developers are strongly advised to perform this
action.</strong></p>
-
-<p>The 2.5.x series of the Apache Struts framework has a minimum requirement
of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 7.</p>
-
-<p>Should any issues arise with your use of any version of the Struts
framework, please post your comments
-to the user list, and, if appropriate, file a tracking ticket.</p>
-
-<p>You can download this version from our <a
href="download.cgi#struts-ga">download</a> page.</p>
-
-<h4 id="a20181230">30 December 2018 - Struts 2.3.37 General Availability</h4>
-
-<p>The Apache Struts group is pleased to announce that Struts 2.3.37 is
available as a “General Availability”
-release. The GA designation is our highest quality grade.</p>
-
-<p>This release addresses one backward compatibility issue:</p>
-
-<ul>
- <li>Struts 2.3.36 - InvalidPathException: Illegal char <:> on JDK 9,10,11 on
windows</:></li>
- <li>Error when upgrading to struts2.3.35</li>
- <li>Upgraded commons-fileupload to version 1.4</li>
-</ul>
-
-<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from
building, to deploying,
-to maintaining applications over time.</p>
-
-<p><strong>All developers are strongly advised to perform this
action.</strong></p>
-
-<p>The 2.3.x series of the Apache Struts framework has a minimum requirement
of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 6.</p>
-
-<p>Should any issues arise with your use of any version of the Struts
framework, please post your comments
-to the user list, and, if appropriate, file a tracking ticket.</p>
-
-<p>You can download this version from our <a
href="download.cgi#struts-23x">download</a> page.</p>
-
<p class="pull-right">
- Skip to: <a href="announce-2018.html">Announcements - 2018</a>
+ Skip to: <a href="announce-2019.html">Announcements - 2019</a>
</p>
<p class="pull-left">
diff --git a/content/core-developers/interceptors.html
b/content/core-developers/interceptors.html
index 9761818..6d59f5d 100644
--- a/content/core-developers/interceptors.html
+++ b/content/core-developers/interceptors.html
@@ -467,10 +467,12 @@ than reiterate the same list of Interceptors, we can
bundle these Interceptors t
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"alias"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.AliasInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"autowiring"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"chain"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.ChainingInterceptor"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoepInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"conversionError"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.StrutsConversionErrorInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookie"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookieProvider"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieProviderInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"clearSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ClearSessionInterceptor"</span> <span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoopInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"createSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CreateSessionInterceptor"</span>
<span class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"debugging"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.debugging.DebuggingInterceptor"</span>
<span class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"execAndWait"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ExecuteAndWaitInterceptor"</span><span
class="nt">/></span>
@@ -615,6 +617,15 @@ than reiterate the same list of Interceptors, we can
bundle these Interceptors t
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"actionMappingParams"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"params"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"conversionError"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"disabled"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"mode"</span><span
class="nt">></span>same-origin<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"fetchMetadata"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"validation"</span><span
class="nt">></span>
<span class="nt"><param</span> <span
class="na">name=</span><span class="s">"excludeMethods"</span><span
class="nt">></span>input,back,cancel,browse<span
class="nt"></param></span>
diff --git a/content/core-developers/struts-default-xml.html
b/content/core-developers/struts-default-xml.html
index 29f0ea2..fd66c6a 100644
--- a/content/core-developers/struts-default-xml.html
+++ b/content/core-developers/struts-default-xml.html
@@ -384,10 +384,12 @@ setting in <a
href="struts-properties.html">struts.properties</a>.</p>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"alias"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.AliasInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"autowiring"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"chain"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.ChainingInterceptor"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoepInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"conversionError"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.StrutsConversionErrorInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookie"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookieProvider"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieProviderInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"clearSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ClearSessionInterceptor"</span> <span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoopInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"createSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CreateSessionInterceptor"</span>
<span class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"debugging"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.debugging.DebuggingInterceptor"</span>
<span class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"execAndWait"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ExecuteAndWaitInterceptor"</span><span
class="nt">/></span>
@@ -532,6 +534,15 @@ setting in <a
href="struts-properties.html">struts.properties</a>.</p>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"actionMappingParams"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"params"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"conversionError"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"disabled"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"mode"</span><span
class="nt">></span>same-origin<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"fetchMetadata"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"validation"</span><span
class="nt">></span>
<span class="nt"><param</span> <span
class="na">name=</span><span class="s">"excludeMethods"</span><span
class="nt">></span>input,back,cancel,browse<span
class="nt"></param></span>
diff --git a/content/index.html b/content/index.html
index dc7b044..475c2c2 100644
--- a/content/index.html
+++ b/content/index.html
@@ -152,23 +152,39 @@
</p>
</div>
<div class="column col-md-4">
+ <h2>Security Advice S2-058 released</h2>
+ <p>
+ A number of historic Struts Security Bulletins and related CVE
database entries contained incorrect affected release version ranges.
+ Read more in
+ <a href="announce#a20200813">Announcement</a>
+ </p>
+ </div>
+ <div class="column col-md-4">
<h2>Apache Struts 2.5.22 GA</h2>
<p>
Apache Struts 2.5.22 GA has been released<br/>on 29 November 2019.
</p>
- Read more in <a href="announce.html#a20191129">Announcement</a> or in
+ Read more in <a href="announce-2019.html#a20191129">Announcement</a>
or in
<a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22";>Version
notes</a>
</div>
+ </div>
+ <div class="row">
+ <div class="column col-md-4">
+ <h2>Apache Struts 2.3.x EOL</h2>
+ <p>
+ The Apache Struts Team informs about discontinuing support for
Struts 2.3.x branch, we recommend migration
+ to the latest version of Struts, read more in
+ <a href="announce-2019#a20190912">Announcement</a>
+ </p>
+ </div>
<div class="column col-md-4">
<h2>Apache Struts 2.3.37 GA</h2>
<p>
It's the latest release of Struts 2.3.x which contains the latest
security fixes,
- released on 30 December 2018.<br/> Read more in <a
href="announce.html#a20181230">Announcement</a> or in
+ released on 30 December 2018.<br/> Read more in <a
href="announce-2019.html#a20181230">Announcement</a> or in
<a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.37";>Version
notes</a>
</p>
</div>
- </div>
- <div class="row">
<div class="column col-md-4">
<h2>Immediately upgrade commons-fileupload to version 1.3.3</h2>
<p>
@@ -179,22 +195,6 @@
</p>
</div>
<div class="column col-md-4">
- <h2>Apache Struts 2.3.x EOL</h2>
- <p>
- The Apache Struts Team informs about discontinuing support for
Struts 2.3.x branch, we recommend migration
- to the latest version of Struts, read more in
- <a href="announce#a20190912">Announcement</a>
- </p>
- </div>
- <div class="column col-md-4">
- <h2>Security Advice S2-058 released</h2>
- <p>
- A number of historic Struts Security Bulletins and related CVE
database entries contained incorrect affected release version ranges.
- Read more in
- <a href="announce#a20190815">Announcement</a>
- </p>
- </div>
- <div class="column col-md-4">
</div>
</div>
</div>
