Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2013/09/21 18:06:09 UTC

[ANN] Struts 2.3.15.2 GA release available - security fix

The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
available as a "General Availability" release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release includes important security fixes:
- S2-018 - Broken Access Control Vulnerability in Apache Struts2
- S2-019 - Dynamic Method Invocation disabled by default

All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.15.2

Struts 2.3.15.2 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts23152

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

The release notes are available online at:
* http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Yaragalla Muralidhar <ya...@gmail.com>.
No, I don't have any problem. Sorry if I bothered you. Thank you so much for
asking back.

What I am talking about is the redeployment issue in Tomcat with Eclipse
when using Struts. Whenever we make modifications to the code in Eclipse,
Tomcat tries to redeploy the app, and when it does we get the following
error and the app gets undeployed. This is very problematic in
development. We always have to stop and start Tomcat.

The stack trace is below:

INFO: Illegal access: this web application instance has been stopped already.  Could not load META-INF/services/org.apache.xerces.xni.parser.XMLParserConfiguration.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
2013-09-23 00:19:14 ERROR Dispatcher:38 - Dispatcher initialization failed
Unable to load configuration. - [unknown location]
    at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:70)
    at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:429)
    at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:473)
    at org.apache.struts2.dispatcher.ng.InitOperations.initDispatcher(InitOperations.java:74)
    at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:107)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4656)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5309)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardContext.reload(StandardContext.java:3926)
    at org.apache.catalina.loader.WebappLoader.backgroundProcess(WebappLoader.java:426)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1345)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519)
    at java.lang.Thread.run(Unknown Source)
Caused by: Caught exception while loading file struts-default.xml - [unknown location]
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadConfigurationFiles(XmlConfigurationProvider.java:1017)
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadDocuments(XmlConfigurationProvider.java:165)
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.init(XmlConfigurationProvider.java:132)
    at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:225)
    at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)
    ... 18 more
Caused by: java.lang.ClassCastException: org.apache.xerces.parsers.XIncludeAwareParserConfiguration cannot be cast to org.apache.xerces.xni.parser.XMLParserConfiguration
    at org.apache.xerces.parsers.DOMParser.<init>(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.<init>(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.<init>(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.newDocumentBuilder(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.SAX2DOM.createDocument(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.SAX2DOM.<init>(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.runtime.output.TransletOutputHandlerFactory.getSerializationHandler(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.getOutputHandler(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerHandlerImpl.setResult(Unknown Source)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.setup(DomHelper.java:213)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.<init>(DomHelper.java:198)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.<init>(DomHelper.java:189)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.<init>(DomHelper.java:175)
    at com.opensymphony.xwork2.util.DomHelper.parse(DomHelper.java:111)
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadConfigurationFiles(XmlConfigurationProvider.java:1009)
    ... 22 more
Sep 23, 2013 12:19:14 AM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter struts2
Unable to load configuration. - [unknown location]
    at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:485)
    at org.apache.struts2.dispatcher.ng.InitOperations.initDispatcher(InitOperations.java:74)
    at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:107)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4656)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5309)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardContext.reload(StandardContext.java:3926)
    at org.apache.catalina.loader.WebappLoader.backgroundProcess(WebappLoader.java:426)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1345)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519)
    at java.lang.Thread.run(Unknown Source)
Caused by: Unable to load configuration. - [unknown location]
    at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:70)
    at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:429)
    at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:473)
    ... 16 more
Caused by: Caught exception while loading file struts-default.xml - [unknown location]
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadConfigurationFiles(XmlConfigurationProvider.java:1017)
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadDocuments(XmlConfigurationProvider.java:165)
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.init(XmlConfigurationProvider.java:132)
    at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:225)
    at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)
    ... 18 more
Caused by: java.lang.ClassCastException: org.apache.xerces.parsers.XIncludeAwareParserConfiguration cannot be cast to org.apache.xerces.xni.parser.XMLParserConfiguration
    at org.apache.xerces.parsers.DOMParser.<init>(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.<init>(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.<init>(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.newDocumentBuilder(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.SAX2DOM.createDocument(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.SAX2DOM.<init>(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.runtime.output.TransletOutputHandlerFactory.getSerializationHandler(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.getOutputHandler(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerHandlerImpl.setResult(Unknown Source)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.setup(DomHelper.java:213)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.<init>(DomHelper.java:198)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.<init>(DomHelper.java:189)
    at com.opensymphony.xwork2.util.DomHelper$DOMBuilder.<init>(DomHelper.java:175)
    at com.opensymphony.xwork2.util.DomHelper.parse(DomHelper.java:111)
    at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadConfigurationFiles(XmlConfigurationProvider.java:1009)
    ... 22 more
Sep 23, 2013 12:19:14 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Error filterStart
Sep 23, 2013 12:19:14 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Context [/ums] startup failed due to previous errors
Sep 23, 2013 12:19:15 AM org.apache.catalina.core.StandardContext reload
INFO: Reloading Context with name [/ums] is completed


*Thanks and Regards,*
Muralidhar Yaragalla.


On Sun, Sep 22, 2013 at 11:41 PM, Lukasz Lenart <lu...@apache.org> wrote:

> Joke? Still don't get it. Do you have any problem related to the
> latest release? Changes included in security releases are tiny - just
> to fix security vulnerability, nothing else.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2013/9/22 Yaragalla Muralidhar <ya...@gmail.com>:
> > nice joke. Thanks.
> >
> > *Thanks and Regards,*
> > Muralidhar Yaragalla.
> > *
> > *
> >
> >
> > On Sun, Sep 22, 2013 at 10:42 PM, Lukasz Lenart <lukaszlenart@apache.org
> >wrote:
> >
> >> 2013/9/21 Yaragalla Muralidhar <ya...@gmail.com>:
> >> > when ever we do modifications in the code the webapp is trying to
> reload
> >> > automatically. at that point of time there is error happening and the
> >> > webapp gets undeployed. Is this solved or still the problem exist?
> >>
> >> eeeee...... I don't know what you talking about :\
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >>
> >>
>
>
>

Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
Joke? Still don't get it. Do you have any problem related to the
latest release? Changes included in security releases are tiny - just
to fix security vulnerability, nothing else.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/9/22 Yaragalla Muralidhar <ya...@gmail.com>:
> nice joke. Thanks.
>
> *Thanks and Regards,*
> Muralidhar Yaragalla.
> *
> *
>
>
> On Sun, Sep 22, 2013 at 10:42 PM, Lukasz Lenart <lu...@apache.org>wrote:
>
>> 2013/9/21 Yaragalla Muralidhar <ya...@gmail.com>:
>> > when ever we do modifications in the code the webapp is trying to reload
>> > automatically. at that point of time there is error happening and the
>> > webapp gets undeployed. Is this solved or still the problem exist?
>>
>> eeeee...... I don't know what you talking about :\
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Yaragalla Muralidhar <ya...@gmail.com>.
nice joke. Thanks.

*Thanks and Regards,*
Muralidhar Yaragalla.


On Sun, Sep 22, 2013 at 10:42 PM, Lukasz Lenart <lu...@apache.org> wrote:

> 2013/9/21 Yaragalla Muralidhar <ya...@gmail.com>:
> > when ever we do modifications in the code the webapp is trying to reload
> > automatically. at that point of time there is error happening and the
> > webapp gets undeployed. Is this solved or still the problem exist?
>
> eeeee...... I don't know what you talking about :\
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
2013/9/21 Yaragalla Muralidhar <ya...@gmail.com>:
> when ever we do modifications in the code the webapp is trying to reload
> automatically. at that point of time there is error happening and the
> webapp gets undeployed. Is this solved or still the problem exist?

eeeee...... I don't know what you're talking about :\


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Yaragalla Muralidhar <ya...@gmail.com>.
Whenever we make modifications to the code, the webapp tries to reload
automatically. At that point an error occurs and the
webapp gets undeployed. Is this solved, or does the problem still exist?

*Thanks and Regards,*
Muralidhar Yaragalla.


On Sat, Sep 21, 2013 at 9:36 PM, Lukasz Lenart <lu...@apache.org> wrote:

> The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
> available as a "General Availability" release. The GA designation is
> our highest quality grade.
>
> Apache Struts 2 is an elegant, extensible framework for creating
> enterprise-ready Java web applications. The framework is designed to
> streamline the full development cycle, from building, to deploying, to
> maintaining applications over time.
>
> This release includes important security fixes:
> - S2-018 - Broken Access Control Vulnerability in Apache Struts2
> - S2-019 - Dynamic Method Invocation disabled by default
>
> All developers are strongly advised to update existing Struts 2
> applications to Struts 2.3.15.2
>
> Struts 2.3.15.2 is available in a full distribution, or as separate
> library, source, example and documentation distributions, from the
> releases page.
> * http://struts.apache.org/download.cgi#struts23152
>
> The release is also available from the central Maven repository under
> Group ID "org.apache.struts".
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions:
> * Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
> * Java 2 Standard Platform Edition (J2SE) 5
>
> The release notes are available online at:
> * http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket:
> * https://issues.apache.org/jira/browse/WW
>
>
> - The Apache Struts group.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Emi Lu <em...@encs.concordia.ca>.
On 09/23/2013 10:38 AM, Volker Krebs wrote:
> On 23.09.2013 16:23, Emi Lu wrote:
>> Good morning,
>>
>> Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
>>
>>
>> (1) jsp:
>> <s:form
>>     name    = "loginForm"
>>     namespace= "/Login"
>>     action   = "ProcessLoginAction"
>>     method   = "post"
>>     theme="simple"
>>  >
>>
>> <s:submit value="Login"
>>            theme="simple"
>>            action="loginProcessLoginAction" />   --- never call
>> loginProcessLoginAction
>>
>>
>>
>> (2) struts.xml
>> <package name="Login" namespace="/Login" extends="tiles-default">
>> <action name="*ProcessLoginAction"  method="{1}"
>> class="ProcessLoginAction">
>>    <result name="success"   type="tiles">main_menu</result>
>>    <result name="ajax_check" >
>>    /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>>    </result>
>> </action>
>>
>>
>> (3) ProcessLoginAction.java
>>     public String login() throws Exception
>>     {
>>        try
>>        {
>>          ......
>>        }catch(Exception e)
>>        {
>>           log.error("login Error: " + e.getMessage());
>>           log.error(e);
>>           this.addActionError("login Error: " + e.getMessage());
>>        }
>>        return "success";
>>     }
>>
>>
>> The problem is that "loginProcessLoginAction in jsp page" is never be
>> called.
>>
>> Could you help?
>> Thanks,
>> Emi
>>
>
> We have the same Problem.
> This relates to http://struts.apache.org/release/2.3.x/docs/s2-018.html
> But there it says
> "Backward Compatibility
> After upgrading to Struts >= 2.3.15.2, applications using the "action:"
> should still work as expected."
>
> I'm still trying to figure out what exactly the problem is.
> I don't like this Security through obscurity approach.

The document does not say what 15.2 does not support related to
<s:submit action="loginAction"> and struts.xml.

What is causing the action to no longer work? How can it be fixed?

Thanks a lot!









Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Volker Krebs <vo...@abas.de>.
On 23.09.2013 16:23, Emi Lu wrote:
> Good morning,
>
> Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
>
>
> (1) jsp:
> <s:form
>     name    = "loginForm"
>     namespace= "/Login"
>     action   = "ProcessLoginAction"
>     method   = "post"
>     theme="simple"
>  >
>
> <s:submit value="Login"
>            theme="simple"
>            action="loginProcessLoginAction" />   --- never call
> loginProcessLoginAction
>
>
>
> (2) struts.xml
> <package name="Login" namespace="/Login" extends="tiles-default">
> <action name="*ProcessLoginAction"  method="{1}"
> class="ProcessLoginAction">
>    <result name="success"   type="tiles">main_menu</result>
>    <result name="ajax_check" >
>    /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>    </result>
> </action>
>
>
> (3) ProcessLoginAction.java
>     public String login() throws Exception
>     {
>        try
>        {
>          ......
>        }catch(Exception e)
>        {
>           log.error("login Error: " + e.getMessage());
>           log.error(e);
>           this.addActionError("login Error: " + e.getMessage());
>        }
>        return "success";
>     }
>
>
> The problem is that "loginProcessLoginAction in jsp page" is never be
> called.
>
> Could you help?
> Thanks,
> Emi
>

We have the same problem.
This relates to http://struts.apache.org/release/2.3.x/docs/s2-018.html
But there it says
"Backward Compatibility
After upgrading to Struts >= 2.3.15.2, applications using the "action:" 
should still work as expected."

I'm still trying to figure out what exactly the problem is.
I don't like this Security through obscurity approach.

Greetings
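
Added example (not part of this thread and not Struts project code): a small Python script that inventories the <s:submit> buttons carrying an action attribute, which per the reports in this thread are the ones tied to the "action:" prefix touched by S2-018, so they can be regression-tested when moving between 2.3.15.x releases. The function names and the sample JSP, modelled on the one posted in this thread, are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# A whole <s:submit ...> tag, including tags that span several lines.
# Quoted attribute values are consumed as units so a ">" inside a value
# does not end the tag early.
SUBMIT_TAG = re.compile(r"""<s:submit\b((?:[^>"']|"[^"]*"|'[^']*')*)>""",
                        re.IGNORECASE)
# One name="value" or name='value' attribute.
ATTR = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def find_action_submits(jsp_text):
    """Return [(line_number, action_value)] for every <s:submit> tag that
    has an action attribute. The action attribute of <s:form> is ignored,
    because only submit buttons are reported as affected in the thread."""
    hits = []
    for tag in SUBMIT_TAG.finditer(jsp_text):
        for attr in ATTR.finditer(tag.group(1)):
            name = attr.group(1)
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            if name.lower() == "action":
                line = jsp_text.count("\n", 0, tag.start()) + 1
                hits.append((line, value))
    return hits


def scan_tree(root):
    """Scan every *.jsp file under root; return {path: hits} for files
    that contain at least one affected button."""
    results = {}
    for path in sorted(Path(root).rglob("*.jsp")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_action_submits(text)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample, modelled on the JSP fragment posted in this thread.
SAMPLE_JSP = """\
<s:form
    name    = "loginForm"
    namespace= "/Login"
    action   = "ProcessLoginAction"
    method   = "post"
    theme="simple"
 >

<s:submit value="Login"
           theme="simple"
           action="loginProcessLoginAction" />

<s:submit value="Cancel" theme="simple" />
</s:form>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python script.py <webapp source directory>
        for path, hits in scan_tree(sys.argv[1]).items():
            for line, action in hits:
                print(f"{path}:{line}: s:submit action={action!r}")
    else:
        for line, action in find_action_submits(SAMPLE_JSP):
            print(f"sample:{line}: s:submit action={action!r}")
```
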



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
2013/10/16 Greg Lindholm <gr...@gmail.com>:
> Is there any estimated time of release for 2.3.15.3?

Under Vote till today's evening, then pushed to central, then site
update and done :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Greg Lindholm <gr...@gmail.com>.
Is there any estimated time of release for 2.3.15.3?


On Wed, Oct 16, 2013 at 9:23 AM, Markus Fischer <Ma...@knipp.de> wrote:

> Hi Łukasz,
>
> > The latest version is here:
> > http://people.apache.org/builds/struts/2.3.15.3
>
> thanks for the update and the quick turnaround on this.
>
> I can confirm that with Struts-2.3.15.3, my issues with "action:"
> buttons are fixed. I. e., Backward Compatibility for applications using
> the "action:" prefix as stated in S2-018 is restored.
>
> Many thanks!
> Markus
>
> http://struts.apache.org/release/2.3.x/docs/s2-018.html
>
>
>
>

Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
2013/10/16 Markus Fischer <Ma...@knipp.de>:
> Hi Łukasz,
>
>> The latest version is here:
>> http://people.apache.org/builds/struts/2.3.15.3
>
> thanks for the update and the quick turnaround on this.
>
> I can confirm that with Struts-2.3.15.3, my issues with "action:"
> buttons are fixed. I. e., Backward Compatibility for applications using
> the "action:" prefix as stated in S2-018 is restored.

SuperB! Thanks a lot!


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Markus Fischer <Ma...@knipp.de>.
Hi Łukasz,

> The latest version is here:
> http://people.apache.org/builds/struts/2.3.15.3

thanks for the update and the quick turnaround on this.

I can confirm that with Struts-2.3.15.3, my issues with "action:"
buttons are fixed. I. e., Backward Compatibility for applications using
the "action:" prefix as stated in S2-018 is restored.

Many thanks!
Markus

http://struts.apache.org/release/2.3.x/docs/s2-018.html




Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
2013/10/11 Volker Krebs <vo...@abas.de>:
> On 11.10.2013 13:22, Lukasz Lenart wrote:
>
>> 2013/10/11 Volker Krebs <vo...@abas.de>:
>>>
>>> Thank you, good news.
>>>
>>> If you want you can give me the current state and I can run it on our
>>> test
>>> system. We're implicitly testing quite a lot of struts2 functionality.
>>
>>
>> That would be awesome, but I cannot share any details related to a
>> security vulnerability :\
>>
>>
>
> Thats no problem. Just mail me a link where I can download 15.3-all

The latest version is here:
http://people.apache.org/builds/struts/2.3.15.3


Thanks in advance!
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Volker Krebs <vo...@abas.de>.
On 11.10.2013 13:22, Lukasz Lenart wrote:
> 2013/10/11 Volker Krebs <vo...@abas.de>:
>> Thank you, good news.
>>
>> If you want you can give me the current state and I can run it on our test
>> system. We're implicitly testing quite a lot of struts2 functionality.
>
> That would be awesome, but I cannot share any details related to a
> security vulnerability :\
>
>

That's no problem. Just mail me a link where I can download 15.3-all



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
2013/10/11 Volker Krebs <vo...@abas.de>:
> Thank you, good news.
>
> If you want you can give me the current state and I can run it on our test
> system. We're implicitly testing quite a lot of struts2 functionality.

That would be awesome, but I cannot share any details related to a
security vulnerability :\


Thanks!
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Volker Krebs <vo...@abas.de>.
Thank you, good news.

If you want you can give me the current state and I can run it on our 
test system. We're implicitly testing quite a lot of struts2 functionality.

On 11.10.2013 09:33, Lukasz Lenart wrote:
> Patch is under review now, so the release should be out next week.
>
>
> Regards
>




Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
Patch is under review now, so the release should be out next week.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/10/11 Volker Krebs <vo...@abas.de>:
> Hello Lukasz,
> do you have any news according the 15.3 ?
> We are waiting for it to update our customer projects.
>
> Thanks
> Volker
>
> On 23.09.2013 20:12, Lukasz Lenart wrote:
>
>> Hi,
>>
>> Yes, we know already :\ I'm working on a new solution, should be ready
>> next week.
>>
>
>
>



Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Volker Krebs <vo...@abas.de>.
Hello Lukasz,
do you have any news regarding 15.3?
We are waiting for it to update our customer projects.

Thanks
Volker

On 23.09.2013 20:12, Lukasz Lenart wrote:
> Hi,
>
> Yes, we know already :\ I'm working on a new solution, should be ready
> next week.
>




Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
Hi,

Yes, we know already :\ I'm working on a new solution, should be ready
next week.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/9/23 Emi Lu <em...@encs.concordia.ca>:
> Good morning,
>
> Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
>
>
> (1) jsp:
> <s:form
>    name    = "loginForm"
>    namespace= "/Login"
>    action   = "ProcessLoginAction"
>    method   = "post"
>    theme="simple"
>>
>
> <s:submit value="Login"
>           theme="simple"
>           action="loginProcessLoginAction" />   --- never call
> loginProcessLoginAction
>
>
>
> (2) struts.xml
> <package name="Login" namespace="/Login" extends="tiles-default">
> <action name="*ProcessLoginAction"  method="{1}" class="ProcessLoginAction">
>   <result name="success"   type="tiles">main_menu</result>
>   <result name="ajax_check" >
>   /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>   </result>
> </action>
>
>
> (3) ProcessLoginAction.java
>    public String login() throws Exception
>    {
>       try
>       {
>         ......
>       }catch(Exception e)
>       {
>          log.error("login Error: " + e.getMessage());
>          log.error(e);
>          this.addActionError("login Error: " + e.getMessage());
>       }
>       return "success";
>    }
>
>
> The problem is that "loginProcessLoginAction in jsp page" is never be
> called.
>
> Could you help?
> Thanks,
> Emi
>
>
>
> On 09/21/2013 12:06 PM, Lukasz Lenart wrote:
>>
>> The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
>> available as a "General Availability" release. The GA designation is
>> our highest quality grade.
>>
>> Apache Struts 2 is an elegant, extensible framework for creating
>> enterprise-ready Java web applications. The framework is designed to
>> streamline the full development cycle, from building, to deploying, to
>> maintaining applications over time.
>>
>> This release includes important security fixes:
>> - S2-018 - Broken Access Control Vulnerability in Apache Struts2
>> - S2-019 - Dynamic Method Invocation disabled by default
>>
>> All developers are strongly advised to update existing Struts 2
>> applications to Struts 2.3.15.2
>>
>> Struts 2.3.15.2 is available in a full distribution, or as separate
>> library, source, example and documentation distributions, from the
>> releases page.
>> * http://struts.apache.org/download.cgi#struts23152
>>
>> The release is also available from the central Maven repository under
>> Group ID "org.apache.struts".
>>
>> The 2.3.x series of the Apache Struts framework has a minimum
>> requirement of the following specification versions:
>> * Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
>> * Java 2 Standard Platform Edition (J2SE) 5
>>
>> The release notes are available online at:
>> * http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html
>>
>> Should any issues arise with your use of any version of the Struts
>> framework, please post your comments to the user list, and, if
>> appropriate, file a tracking ticket.appropriate, file a tracking
>> ticket:
>> * https://issues.apache.org/jira/browse/WW
>>
>>
>> - The Apache Struts group.
>>
>>
>> Regards
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [ANN] Struts 2.3.15.2 GA release available - security fix

Posted by Emi Lu <em...@encs.concordia.ca>.
Good morning,

Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:


(1) jsp:
<s:form
    name    = "loginForm"
    namespace= "/Login"
    action   = "ProcessLoginAction"
    method   = "post"
    theme="simple"
 >

<s:submit value="Login"
           theme="simple"
           action="loginProcessLoginAction" />   --- never call 
loginProcessLoginAction



(2) struts.xml
<package name="Login" namespace="/Login" extends="tiles-default">
<action name="*ProcessLoginAction"  method="{1}" class="ProcessLoginAction">
   <result name="success"   type="tiles">main_menu</result>
   <result name="ajax_check" >
   /WEB-INF/pages/errorinfo/ajax_error_check.jsp
   </result>
</action>


(3) ProcessLoginAction.java
    public String login() throws Exception
    {
       try
       {
         ......
       }catch(Exception e)
       {
          log.error("login Error: " + e.getMessage());
          log.error(e);
          this.addActionError("login Error: " + e.getMessage());
       }
       return "success";
    }


The problem is that "loginProcessLoginAction in jsp page" is never
called.

Could you help?
Thanks,
Emi


