Fork me on GitHub
Edit on GitHub

Announcements 2022

Skip to: Announcements - 2021

06 June 2022 - Struts 2 ver. 6.0.0 General Availability

The Apache Struts group is pleased to announce that Apache Struts 2 ver. 6.0.0 is available as a “General Availability” release. The GA designation is our highest quality grade.

Version change

You can be surprised by the version change, previously we have been using Struts 2.5.x versioning schema, but this was a bit misleading. Struts 2 is a different framework than Struts 1 and its versioning is supposed to start with 1.0.0, yet that never happened. With each breaking changes release (like Struts 2.5), we had been only upgrading the MINOR part of the versioning schema. To fix that problem as from Struts 2 ver. 6.0.0 (aka Struts 2.6) we adopt a proper SemVer to avoid such confusion.

Internal Changes

The framework requires Java 8 at runtime. Also Servlet API 3.1 capable container is required.

OGNL expressions are limited to 256 characters by default. See WW-5179 and docs for more details.

Yasser’s PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.

How to test

Support to access static methods via OGNL expressions has been removed, use action instance methods instead.

Bug

New Feature

Improvement

Task

Dependency

Please read the Version Notes to find more details about performed bug fixes and improvements. Also, a dedicated migration guide has been prepared.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 6.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 3.1, JSP API 2.1, and Java 8.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

04 April 2022 - Struts 2.5.30 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.30 is available as a “General Availability” release. The GA designation is our highest quality grade.

Internal Changes:

Yasser’s PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.

How to test

Run all your app tests, you shouldn’t see any WARN log like below:

Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at
https://struts.apache.org/security/

See if following components are still functioning correctly regarding java-scripts:

Check also StreamResult, AliasInterceptor and JasperReportResult if they are still working as expected.

Dependency:

Please read the Version Notes to find more details about performed bug fixes and improvements.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

22 January 2022 - Struts 2.5.29 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.29 is available as a “General Availability” release. The GA designation is our highest quality grade.

Bugs:

Please read the Version Notes to find more details about performed bug fixes and improvements.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

02 January 2022 - Struts 2.5.28.3 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.28.3 is available as a “General Availability” release. The GA designation is our highest quality grade.

This release addresses Log4j vulnerability CVE-2021-44832 by using the latest Log4j ver. 2.12.4 (Java 1.7 compatible).

Please note, that the Apache Struts itself depends on the log4j-api package only, it’s users’ responsibility to use a proper version of the log4j-core package!

Please read the Version Notes to find more details about performed bug fixes and improvements.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

All developers are strongly advised to perform this upgrade.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

Skip to: Announcements - 2021

Next: Kickstart FAQ