Posted to commits@struts.apache.org by lu...@apache.org on 2015/05/08 08:53:31 UTC

[1/7] struts-site git commit: Drops deprecated options

Repository: struts-site
Updated Branches:
  refs/heads/master 3b86b5d6b -> 2d0160d67


Drops deprecated options


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/7f8b0c8a
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/7f8b0c8a
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/7f8b0c8a

Branch: refs/heads/master
Commit: 7f8b0c8a77148278488b0bb3a713f9a189c7f243
Parents: 3b86b5d
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:36:08 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:36:08 2015 +0200

----------------------------------------------------------------------
 _config.yml                  | 1 -
 source/archetype-catalog.xml | 3 ---
 2 files changed, 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/7f8b0c8a/_config.yml
----------------------------------------------------------------------
diff --git a/_config.yml b/_config.yml
index c3926a5..030f90b 100644
--- a/_config.yml
+++ b/_config.yml
@@ -2,7 +2,6 @@ name:           Apache Struts
 markdown:       kramdown
 markdown_ext:   md
 highlighter:    pygments
-pygments:       true
 source:         source
 destination:    content
 encoding:       UTF-8
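Review bot: The commit message does not say which Jekyll version deprecated `pygments: true`, and after this hunk the `highlighter: pygments` line directly above it is the only setting that selects the highlighter. Please name the minimum Jekyll version the site now builds with (in the commit message or the build notes), so that anyone building with an older Jekyll knows why code highlighting changed.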

http://git-wip-us.apache.org/repos/asf/struts-site/blob/7f8b0c8a/source/archetype-catalog.xml
----------------------------------------------------------------------
diff --git a/source/archetype-catalog.xml b/source/archetype-catalog.xml
index c6bf595..fbbd2ee 100644
--- a/source/archetype-catalog.xml
+++ b/source/archetype-catalog.xml
@@ -1,6 +1,3 @@
----
-layout: nil
----
 <?xml version="1.0" encoding="UTF-8"?>
 <archetype-catalog xmlns="http://maven.apache.org/plugins/maven-archetype-plugin/archetype-catalog/1.0.0"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
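Review bot: Removing the front matter at the top of `source/archetype-catalog.xml` changes how Jekyll handles the file: without front matter it is copied as a static file and Liquid is no longer rendered in it. Please confirm the rest of the catalog (not visible in this hunk) contains no `{{ ... }}` tags that relied on processing; if it does, keep a front matter block (an empty `---` / `---` pair is enough) rather than dropping it.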


[4/7] struts-site git commit: Adds new announcement

Posted by lu...@apache.org.
Adds new announcement


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/563d943e
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/563d943e
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/563d943e

Branch: refs/heads/master
Commit: 563d943ee4da41046d7d39dde18b8539023410f1
Parents: 0e3b967
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:43:40 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:43:40 2015 +0200

----------------------------------------------------------------------
 source/announce.md | 168 ++----------------------------------------------
 1 file changed, 7 insertions(+), 161 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/563d943e/source/announce.md
----------------------------------------------------------------------
diff --git a/source/announce.md b/source/announce.md
index 6fc205a..ac62f0c 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -5,12 +5,12 @@ title: Announcements
 # Announcements
 
 <p class="pull-right">
-  Skip to: <a href="announce-2013.html">Announcements - 2013</a>
+  Skip to: <a href="announce-2014.html">Announcements - 2014</a>
 </p>
 
-####  7 December 2014 - Struts 2.3.20 General Availability with Security Fix Release {#a20141207}
+#### 6 May 2015 - Struts 2.3.20.1 General Availability with Security Fix Release {#a20150506}
 
-The Apache Struts group is pleased to announce that Struts 2.3.20 is available as a "General Availability"
+The Apache Struts group is pleased to announce that Struts 2.3.20.1 is available as a "General Availability"
 release. The GA designation is our highest quality grade.
 
 Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
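Review bot: The heading id `{#a20150506}` on the new announcement is typed by hand, but it has to equal `a` plus `release_date_short` from `_config.yml`, because the home page links to `announce.html#a{{ site.release_date_short }}`. The two agree in this series (`20150506`), yet nothing enforces it; a short comment next to `release_date_short` noting the coupling would save the next release from a dead anchor.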
@@ -19,33 +19,8 @@ to maintaining applications over time.
 
 One medium security issue was solved with this release:
 
-  - [S2-023](http://struts.apache.org/docs/s2-023.html)
-    Generated value of token can be predictable
-
-Besides that, this release contains several fixes and improvements just to mention few of them:
-
-  - merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
-  - extended existing security mechanism to block access to given Java packages and Classes
-  - collection Parameters for `RedirectResult`
-  - make `ParametersInterceptor` supports chinese in hash key by default
-  - `themes.properties` can be loaded using `ServletContext` allows to put template folder under WEB-INF or on classpath
-  - new tag `datetextfield`
-  - only valid Ognl expressions are cached
-  - custom `TextProvider` can be used for validation errors of model driven actions
-  - `datetimepicker`'s label fixed
-  - `PropertiesJudge` removed and properties are checked in `SecurityMemberAccess`
-  - resource reloading works in IBM JVM
-  - default reloading settings were removed from default.properties
-  - `commons-fileupload` library upgraded to version 1.3.1 to fix potential security vulnerability
-  - the scheme attribute accepts expressions in `s:url` tag
-  - solves problem with infinite loop in `FastByteArrayOutputStream`
-  - `LocalizedTextUtil` supports many ClassLoaders
-  - Bill of Materials pom was introduced
-  - `debug=browser|console` was migrated to jQuery
-  - `struts_dojo.js` was fixed
-  - interface `org/apache/struts2/views/TagLibrary` was restored and marked as `@Depreacted`
-
-and many other small improvements, please careful read the [version notes](http://struts.apache.org/docs/version-notes-2320.html).
+  - [S2-024](/docs/s2-024.html)
+    Wrong `excludeParams` overrides those defined in `DefaultExcludedPatternsChecker`
 
 **All developers are strongly advised to perform this action.**
 
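Review bot: The new S2-024 entry links to the root-relative `/docs/s2-024.html`, while the entry it replaces (and every bulletin link in `announce-2014.md`) uses the absolute `http://struts.apache.org/docs/...` form; pick one style so the links behave the same when the page is mirrored or previewed under another path. Also, with the list of other changes removed, "**All developers are strongly advised to perform this action.**" no longer has anything to refer to; say explicitly that the action is upgrading to 2.3.20.1.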
@@ -55,140 +30,11 @@ Servlet API 2.4, JSP API 2.0, and Java 5.
 Should any issues arise with your use of any version of the Struts framework,
 please post your comments to the user list, and, if appropriate, file a tracking ticket.
 
-#### 3 May 2014 - Struts 2.3.16.3 General Availability Release - Security Fix Release {#a20140503}
-
-The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a "General Availability"
-release. The GA designation is our highest quality grade.
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-One medium security issue was solved with this release:
-
-  - [S2-022](http://struts.apache.org/docs/s2-022.html)
-    Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals
-
-All developers are strongly advised to perform this action.
-
-#### 24 April 2014 - Struts 2.3.16.2 General Availability Release - Security Fix Release {#a20140424}
-
-The Apache Struts group is pleased to announce that Struts 2.3.16.2 is available as a "General Availability"
-release. The GA designation is our highest quality grade.
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-Two security issues were solved with this release:
-
-  - [S2-021](http://struts.apache.org/docs/s2-021.html)
-    Improves excluded params to avoid ClassLoader manipulation via ParametersInterceptor
-  - [S2-021](http://struts.apache.org/docs/s2-021.html)
-    Adds excluded params to CookieInterceptor to avoid ClassLoader manipulation when the interceptors is configured
-    to accept all cookie names (wildcard matching via "*")
-
-All developers are strongly advised to perform this action.
-
-#### 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation {#a20140424}
-
-In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, 
-the correction wasn't sufficient.
-
-A security fix release fully addressing this issue is in preparation and will be released as soon as possible.
-
-Once the release is available, all Struts 2 users are strongly recommended to update their installations.
-
-**Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation:**
-
-In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern
-found at the beginning of the excludeParams list:
-
-    <interceptor-ref name="params">
-       <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
-    </interceptor-ref>
-
-If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration
-as in the following example. Given you are using defaultStack so far, change your packages from
-
-    <package name="default" namespace="/" extends="struts-default">
-        <default-interceptor-ref name="defaultStack" />
-        ...
-        ...
-    </package>
-
-to
-
-    <package name="default" namespace="/" extends="struts-default">
-        <interceptors>
-            <interceptor-stack name="secureDefaultStack">
-                <interceptor-ref name="defaultStack">
-                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
-                </interceptor-ref>
-            </interceptor-stack>
-        </interceptors>
-
-        <default-interceptor-ref name="secureDefaultStack" />
-        ...
-    </package> 
-
-Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours.
-Please prepare for upgrading all Struts 2 based production systems to the new release version once available.
-
-#### 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release {#a20140302}
-
-The Apache Struts group is pleased to announce that Struts 2.3.16.1 is available as a "General Availability"
-release. The GA designation is our highest quality grade.
-
-Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
-The framework is designed to streamline the full development cycle, from building, to deploying,
-to maintaining applications over time.
-
-Two security issues were solved with this release:
-
-  - [S2-020](http://struts.apache.org/docs/s2-020.html) ClassLoader manipulation
-    via request parameters
-  - [S2-020](http://struts.apache.org/docs/s2-020.html) Commons FileUpload library was upgraded
-    to version 1.3.1 to prevent DoS attacks
-
-All developers are strongly advised to perform this action.
-
-#### 21 February 2014 - Immediately upgrade commons-fileupload to version 1.3.1 {#a20140221}
-
-The Apache Struts Team recommends to immediately upgrade your Struts 2
-based projects to use the latest released version of Commons
-FileUpload library, which is currently 1.3.1. This is necessary to
-prevent your publicly accessible web site from being exposed to
-possible DoS attacks (see \[1] \[2]).
-
-Your project is affected if it uses the built-in file upload mechanism
-of Struts 2, which defaults to the use of commons-fileupload. The
-updated commons-fileupload library is a drop-in replacement for the
-vulnerable version. Deployed applications can be hardened by replacing
-the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
-Maven based Struts 2 projects, the following dependency needs to be
-added:
-
-    <dependency>
-      <groupId>commons-fileupload</groupId>
-      <artifactId>commons-fileupload</artifactId>
-      <version>1.3.1</version>
-    </dependency>
-
-More details can be found here:
-
-  1. <a href="http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1">
-      http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1</a>
-  2. <a href="http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E">
-      http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E</a>
-
-All developers are strongly advised to perform this action.
-
 <p class="pull-right">
-  Skip to: <a href="announce-2013.html">Announcements - 2013</a>
+  Skip to: <a href="announce-2014.html">Announcements - 2014</a>
 </p>
 
 <p class="pull-left">
   <strong>Next:</strong>
   <a href="kickstart.html">Kickstart FAQ</a>
-</p>
\ No newline at end of file
+</p>
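Review bot: The 2014 sections removed here take their anchors (`#a20140503`, `#a20140424`, `#a20140302`, `#a20140221`) with them to `announce-2014.html`, so any existing link of the form `announce.html#a2014...` now lands at the top of this page instead of on the security announcement it was meant to reach. Please check the site and the security bulletins for links to those anchors and point them at the new file. The newline added at the end of the file is a welcome cleanup.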


[7/7] struts-site git commit: Update required Java version

Posted by lu...@apache.org.
Update required Java version


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/2d0160d6
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/2d0160d6
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/2d0160d6

Branch: refs/heads/master
Commit: 2d0160d67a7136fc18582440506f8a68ac74d740
Parents: 26f7af6
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:52:58 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:52:58 2015 +0200

----------------------------------------------------------------------
 source/announce.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/2d0160d6/source/announce.md
----------------------------------------------------------------------
diff --git a/source/announce.md b/source/announce.md
index ac62f0c..50e3efe 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -25,7 +25,7 @@ One medium security issue was solved with this release:
 **All developers are strongly advised to perform this action.**
 
 The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
-Servlet API 2.4, JSP API 2.0, and Java 5.
+Servlet API 2.4, JSP API 2.0, and Java 6.
 
 Should any issues arise with your use of any version of the Struts framework,
 please post your comments to the user list, and, if appropriate, file a tracking ticket.
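Review bot: Changing "Java 5" to "Java 6" in a sentence that begins "The 2.3.x series ... has a minimum requirement" makes the claim for the whole series, while the 2.3.20 announcement moved to `announce-2014.md` still states Java 5 for the same series. Please scope the sentence to the release from which Java 6 is required, so users on Java 5 can tell whether they are able to take this security fix release.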


[6/7] struts-site git commit: Updates copyright year

Posted by lu...@apache.org.
Updates copyright year


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/26f7af61
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/26f7af61
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/26f7af61

Branch: refs/heads/master
Commit: 26f7af61f5eb5d291226231890f86b28375094e2
Parents: 5a62b10
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:50:21 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:50:21 2015 +0200

----------------------------------------------------------------------
 source/_includes/footer.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/26f7af61/source/_includes/footer.html
----------------------------------------------------------------------
diff --git a/source/_includes/footer.html b/source/_includes/footer.html
index 244900d..e34829c 100644
--- a/source/_includes/footer.html
+++ b/source/_includes/footer.html
@@ -1,7 +1,7 @@
 
 <footer class="container">
   <div class="col-md-12">
-    Copyright &copy; 2000-2014 <a href="http://www.apache.org/">The Apache Software Foundation </a>.
+    Copyright &copy; 2000-2015 <a href="http://www.apache.org/">The Apache Software Foundation </a>.
     All Rights Reserved.
   </div>
   <div class="col-md-12">
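Review bot: The copyright end year in `footer.html` is hard-coded again, so this same one-line commit will be needed every January. Since the footer is a Jekyll include, `{{ site.time | date: '%Y' }}` would keep it current at build time. While on this line, the stray space before `</a>` in "Foundation </a>." could be dropped.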


[3/7] struts-site git commit: Moves announcements into dedicated file for given year

Posted by lu...@apache.org.
Moves announcements into dedicated file for given year


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/0e3b967b
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/0e3b967b
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/0e3b967b

Branch: refs/heads/master
Commit: 0e3b967b22ca11854d4c475500e3266c7b27c5e1
Parents: 0bc7997
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:40:26 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:40:26 2015 +0200

----------------------------------------------------------------------
 source/announce-2014.md | 194 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 194 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/0e3b967b/source/announce-2014.md
----------------------------------------------------------------------
diff --git a/source/announce-2014.md b/source/announce-2014.md
new file mode 100644
index 0000000..c1d5b35
--- /dev/null
+++ b/source/announce-2014.md
@@ -0,0 +1,194 @@
+---
+layout: default
+title: Announcements 2014
+---
+# Announcements 2014
+
+<p class="pull-right">
+  Skip to: <a href="announce-2013.html">Announcements - 2013</a>
+</p>
+
+####  7 December 2014 - Struts 2.3.20 General Availability with Security Fix Release {#a20141207}
+
+The Apache Struts group is pleased to announce that Struts 2.3.20 is available as a "General Availability"
+release. The GA designation is our highest quality grade.
+
+Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.
+
+One medium security issue was solved with this release:
+
+  - [S2-023](http://struts.apache.org/docs/s2-023.html)
+    Generated value of token can be predictable
+
+Besides that, this release contains several fixes and improvements just to mention few of them:
+
+  - merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
+  - extended existing security mechanism to block access to given Java packages and Classes
+  - collection Parameters for `RedirectResult`
+  - make `ParametersInterceptor` supports chinese in hash key by default
+  - `themes.properties` can be loaded using `ServletContext` allows to put template folder under WEB-INF or on classpath
+  - new tag `datetextfield`
+  - only valid Ognl expressions are cached
+  - custom `TextProvider` can be used for validation errors of model driven actions
+  - `datetimepicker`'s label fixed
+  - `PropertiesJudge` removed and properties are checked in `SecurityMemberAccess`
+  - resource reloading works in IBM JVM
+  - default reloading settings were removed from default.properties
+  - `commons-fileupload` library upgraded to version 1.3.1 to fix potential security vulnerability
+  - the scheme attribute accepts expressions in `s:url` tag
+  - solves problem with infinite loop in `FastByteArrayOutputStream`
+  - `LocalizedTextUtil` supports many ClassLoaders
+  - Bill of Materials pom was introduced
+  - `debug=browser|console` was migrated to jQuery
+  - `struts_dojo.js` was fixed
+  - interface `org/apache/struts2/views/TagLibrary` was restored and marked as `@Depreacted`
+
+and many other small improvements, please careful read the [version notes](http://struts.apache.org/docs/version-notes-2320.html).
+
+**All developers are strongly advised to perform this action.**
+
+The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 5.
+
+Should any issues arise with your use of any version of the Struts framework,
+please post your comments to the user list, and, if appropriate, file a tracking ticket.
+
+#### 3 May 2014 - Struts 2.3.16.3 General Availability Release - Security Fix Release {#a20140503}
+
+The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a "General Availability"
+release. The GA designation is our highest quality grade.
+
+Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.
+
+One medium security issue was solved with this release:
+
+  - [S2-022](http://struts.apache.org/docs/s2-022.html)
+    Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals
+
+All developers are strongly advised to perform this action.
+
+#### 24 April 2014 - Struts 2.3.16.2 General Availability Release - Security Fix Release {#a20140424}
+
+The Apache Struts group is pleased to announce that Struts 2.3.16.2 is available as a "General Availability"
+release. The GA designation is our highest quality grade.
+
+Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.
+
+Two security issues were solved with this release:
+
+  - [S2-021](http://struts.apache.org/docs/s2-021.html)
+    Improves excluded params to avoid ClassLoader manipulation via ParametersInterceptor
+  - [S2-021](http://struts.apache.org/docs/s2-021.html)
+    Adds excluded params to CookieInterceptor to avoid ClassLoader manipulation when the interceptors is configured
+    to accept all cookie names (wildcard matching via "*")
+
+All developers are strongly advised to perform this action.
+
+#### 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation {#a20140424}
+
+In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, 
+the correction wasn't sufficient.
+
+A security fix release fully addressing this issue is in preparation and will be released as soon as possible.
+
+Once the release is available, all Struts 2 users are strongly recommended to update their installations.
+
+**Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation:**
+
+In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern
+found at the beginning of the excludeParams list:
+
+    <interceptor-ref name="params">
+       <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+    </interceptor-ref>
+
+If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration
+as in the following example. Given you are using defaultStack so far, change your packages from
+
+    <package name="default" namespace="/" extends="struts-default">
+        <default-interceptor-ref name="defaultStack" />
+        ...
+        ...
+    </package>
+
+to
+
+    <package name="default" namespace="/" extends="struts-default">
+        <interceptors>
+            <interceptor-stack name="secureDefaultStack">
+                <interceptor-ref name="defaultStack">
+                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+                </interceptor-ref>
+            </interceptor-stack>
+        </interceptors>
+
+        <default-interceptor-ref name="secureDefaultStack" />
+        ...
+    </package> 
+
+Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours.
+Please prepare for upgrading all Struts 2 based production systems to the new release version once available.
+
+#### 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release {#a20140302}
+
+The Apache Struts group is pleased to announce that Struts 2.3.16.1 is available as a "General Availability"
+release. The GA designation is our highest quality grade.
+
+Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.
+
+Two security issues were solved with this release:
+
+  - [S2-020](http://struts.apache.org/docs/s2-020.html) ClassLoader manipulation
+    via request parameters
+  - [S2-020](http://struts.apache.org/docs/s2-020.html) Commons FileUpload library was upgraded
+    to version 1.3.1 to prevent DoS attacks
+
+All developers are strongly advised to perform this action.
+
+#### 21 February 2014 - Immediately upgrade commons-fileupload to version 1.3.1 {#a20140221}
+
+The Apache Struts Team recommends to immediately upgrade your Struts 2
+based projects to use the latest released version of Commons
+FileUpload library, which is currently 1.3.1. This is necessary to
+prevent your publicly accessible web site from being exposed to
+possible DoS attacks (see \[1] \[2]).
+
+Your project is affected if it uses the built-in file upload mechanism
+of Struts 2, which defaults to the use of commons-fileupload. The
+updated commons-fileupload library is a drop-in replacement for the
+vulnerable version. Deployed applications can be hardened by replacing
+the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
+Maven based Struts 2 projects, the following dependency needs to be
+added:
+
+    <dependency>
+      <groupId>commons-fileupload</groupId>
+      <artifactId>commons-fileupload</artifactId>
+      <version>1.3.1</version>
+    </dependency>
+
+More details can be found here:
+
+  1. <a href="http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1">
+      http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1</a>
+  2. <a href="http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E">
+      http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E</a>
+
+All developers are strongly advised to perform this action.
+
+<p class="pull-right">
+  Skip to: <a href="announce-2013.html">Announcements - 2013</a>
+</p>
+
+<p class="pull-left">
+  <strong>Next:</strong>
+  <a href="kickstart.html">Kickstart FAQ</a>
+</p>
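Review bot: Two headings in the new file carry the same id `{#a20140424}` (the "Struts 2.3.16.2 General Availability Release" heading and the "Zero-Day Exploit Mitigation" heading), so the generated page has duplicate ids and a link to `#a20140424` can only ever reach the first one; give the mitigation notice its own id. Since the content is being moved anyway, this is also the moment to fix `@Depreacted` in the 2.3.20 list and to check the S2-021 and S2-020 entries, each of which appears twice with the same link. The "Skip to" links at the top and bottom correctly point on to `announce-2013.html`.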


[2/7] struts-site git commit: Updates info about released version

Posted by lu...@apache.org.
Updates info about released version


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/0bc79977
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/0bc79977
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/0bc79977

Branch: refs/heads/master
Commit: 0bc79977e530e2980d47d3075c42e185d0109e13
Parents: 7f8b0c8
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:39:47 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:39:47 2015 +0200

----------------------------------------------------------------------
 _config.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/0bc79977/_config.yml
----------------------------------------------------------------------
diff --git a/_config.yml b/_config.yml
index 030f90b..b46bed0 100644
--- a/_config.yml
+++ b/_config.yml
@@ -27,7 +27,7 @@ kramdown:
 root:
 
 # Simplifies introducing changes related to the latest release
-current_version: 2.3.20
-current_version_short: 2320
-release_date: 7 december 2014
-release_date_short: 20141207
+current_version: 2.3.20.1
+current_version_short: 23201
+release_date: 6 may 2015
+release_date_short: 20150506
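Review bot: `current_version_short: 23201` is not just a label: the home page builds `/docs/version-notes-{{ site.current_version_short }}.html` from it, so this change is only correct if `/docs/version-notes-23201.html` exists when the site is published. Please confirm that page is in place, since it is where users are sent to read about the security fix. As a style point, `release_date: 6 may 2015` is printed verbatim in the hero text, so "6 May 2015" would read better there.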


[5/7] struts-site git commit: Updates hero unit on main page

Posted by lu...@apache.org.
Updates hero unit on main page


Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/5a62b101
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/5a62b101
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/5a62b101

Branch: refs/heads/master
Commit: 5a62b101ca400167ea09e2366586e4204efaf9dc
Parents: 563d943
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Fri May 8 08:45:56 2015 +0200
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Fri May 8 08:45:56 2015 +0200

----------------------------------------------------------------------
 source/index.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/5a62b101/source/index.html
----------------------------------------------------------------------
diff --git a/source/index.html b/source/index.html
index a5bd787..6cafea6 100644
--- a/source/index.html
+++ b/source/index.html
@@ -24,7 +24,10 @@ title: Welcome to the Apache Struts project
     <div class="row">
       <div class="column col-md-4">
         <h2>Struts {{ site.current_version }} GA</h2>
-        <p>Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date }}.</p>
+        <p>
+          Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date }}.
+          One medium security issue was solved with this release: <a href="/docs/s2-024.html">S2-024</a>.
+        </p>
         Read more in <a href="announce.html#a{{ site.release_date_short }}">Announcement</a> or in
         <a href="/docs/version-notes-{{ site.current_version_short }}.html">Version notes</a>
       </div>
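Review bot: The added sentence hard-codes S2-024 inside a block that is otherwise driven entirely by `site.current_version`, `site.release_date` and the other `_config.yml` values, so after the next version bump the home page will announce the new release while still advertising this bulletin. Consider moving the bulletin id into `_config.yml` next to `current_version` and rendering the sentence only when it is set. The link also uses the root-relative `/docs/s2-024.html`; that matches the version-notes link below it, which is fine as long as the site is always served from the domain root.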