Fork me on GitHub
Edit on GitHub

Announcements 2019

Skip to: Announcements - 2018

29 November 2019 - Struts 2.5.22 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.22 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Please be aware of new security enhancements added to the version of Struts, they are disabled by default but please consider enabling them to increase safety of you application. You will find more details in our Security Guide.

Below is a full list of all changes:

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

12 September 2019 - Struts 2.3.x reached End-Of-Life

As announced over 6 months ago, Apache Struts 2.3.x web framework series reached its end of life and won’t be longer officially supported. Please check the following reading to find more details:

Apache Struts 2.3.x EOL Announcement

15 August 2019 - Security Advice: Announcing corrected affected version ranges in historic Apache Struts security bulletins and CVE entries

The Apache Struts Security team would like to announce that a number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges.

The issue was reported by Christopher Fearon and the Black Duck Research Team within the Synopsys Cybersecurity Research Center. The reporting entity conducted thorough investigations on this matter, leading to a report to the Apache Struts Security Team. The Apache Struts Security Team worked with the reporters to cross-check said issues and map them to affected Apache Struts General Availability (GA) releases.

This effort led to the issue of Struts Security Bulletin S2-058, referencing 15 historic Struts Security Bulletins and respective CVE entries that have been updated to reflect corrections in affected GA version ranges as well as minimum GA versions to contain appropriate fixes for the issues at hand.

The full Security Bulletin can be found here:

Apache Struts Security Buletin S2-058

The Struts Security Team stresses that while the reporters reference more affected issues and resulting affected version ranges, the Struts Security Bulletins only cover GA versions designated for production use. This led to less corrected Security Bulletins and CVE entries compared to the number of covered issues in the original report.

It is very important to understand that while the individual listed bulletins contain updated minimum fix versions, it is strongly recommended to update to the version recommended by the latest Security Bulletin, which is S2-057 by the time of this announcement. Following this advice, the recommended minimum Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.

The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure.

14 January 2019 - Struts 2.5.20 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

30 December 2018 - Struts 2.3.37 General Availability

The Apache Struts group is pleased to announce that Struts 2.3.37 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses one backward compatibility issue:

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this action.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 6.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

Skip to: Announcements - 2018

Next: Kickstart FAQ