[ ] Leave at test build [ ] Alpha [ ] Beta [X] General Availability (GA) Already in production and working great!
Markus Am 11.07.2017 um 09:10 schrieb Lukasz Lenart: > The Apache Struts 2.5.12 test build is now available. With this > release the following security vulnerabilities were addressed: > > - Possible DoS attack when using URLValidator, see > https://cwiki.apache.org/confluence/display/WW/S2-047 > - A DoS attack is available for Spring secured actions, see > https://cwiki.apache.org/confluence/display/WW/S2-049 > > Except that, the following issues were also addressed: > > Bug > [WW-3171] - "double" and "Double" are not validated with the same > decimal séparator > [WW-3357] - ognl.MethodFailedException when you do not enter a value > for a field mapped to an int. > [WW-3650] - Double Value Conversion with requestLocale=de > [WW-3659] - strange behavior of s:a tag with s:include tag inside > [WW-3905] - The TextProvider injection in ActionSupport isn't quite > integrated into the framework's core DI > [WW-4105] - Struts2 raise java.lang.ClassCastException when Result type is > chain > [WW-4472] - @InputConfig annotation is not working when integrating > with spring aop > [WW-4528] - ChainingInterceptor does not handle lists correctly for > excludes and includes > [WW-4578] - Validators do not work for multiple values > [WW-4581] - BigDecimal are not converted according context locale > [WW-4663] - NullPointerException when displaying a form without action > attribute > [WW-4665] - Struts2 JSR286 Portlet fileupload not working > [WW-4694] - AnnotationWorkflowInterceptor doesn't work with spring > proxied action > [WW-4736] - Upgrade to Log4j2 version 2.8 > [WW-4737] - Array-of-null parameters are converted to arrays containing "null" > [WW-4739] - <s:reset> tag does not properly interpret the attribute tabindex > [WW-4740] - NullPointer in com.opensymphony.xwork2.ActionSupport.getLocale > [WW-4741] - Http Sessions forcefully created for all requests using > I18nInterceptor with default Storage value. > [WW-4746] - cssErrorClass attribute has no effect on label tag > [WW-4747] - s:file generates input tag with "value" attribute > [WW-4750] - Why JSONValidationInterceptor return Status Code 400 > BAD_REQUEST instead of 200 SUCCESS > [WW-4758] - @autowired does not work since Struts 2.3.28.1 > [WW-4772] - Convention Plugin can't use ${message} > [WW-4773] - Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1 > [WW-4774] - Upgrding Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP > [WW-4775] - Action class Attributes(value stack) is not getting > populated through Ajax url request parms > [WW-4784] - <s:url tag is not working after Struts 2.5.10.1 migration > [WW-4786] - Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin > gives a NoSuchDefinitionException > [WW-4788] - Parameters which are added via ServletDispatcherResult > aren't availabe in #parameters > [WW-4790] - struts 2.5.10.1 upgrade cause more frequent garbage collection > [WW-4794] - Subreport call "Caused by: java.lang.ClassCastException: > org.apache.struts2.views.jasperreports.ValueStackDataSource cannot be > cast to java.util.Collection" > [WW-4800] - Aspects are not executed when chaining AOPed actions > [WW-4801] - Duplicate hidden input field checkboxListHandler > [WW-4804] - inputtransferselect does not auto-select its elements > [WW-4810] - Calling empty locale > > Improvement > [WW-1534] - The value of checkbox getted in server-side is "false" > when no any checkbox been selected. > [WW-3924] - refactor file upload framework > [WW-3952] - creditCard validator available in Struts 1 missing in Struts 2 > [WW-4149] - No easy way to have an empty interceptor stack if have default > stack > [WW-4210] - @TypeConversion converter attribut to class > [WW-4714] - Convert LocalizedTextUtil into a bean with default implementation > [WW-4743] - NPE in StrutsTilesContainerFactory when resource isn't found > [WW-4744] - AnnotationWorkflowInterceptor should supports non-public > annotated methods > [WW-4748] - Upgrade commons-lang3 to 3.5 > [WW-4749] - Buffer/Flush behaviour in FreemarkerResult > [WW-4751] - Struts2 should know and consider config time class of user's > Actions > [WW-4752] - getters of exclude-sets in OgnlUtil should return > immutable collections > [WW-4753] - Make DelegatingValidatorContext injectable > [WW-4754] - Mark site-graph plugin as deprecated > [WW-4756] - Use TextProviderFactory instead of TextProvider as bean's > dependency > [WW-4757] - Create LocaleProviderFactory and uses instead of LocaleProvider > [WW-4761] - Improve error logging in DefaultDispatcherErrorHandler > [WW-4762] - DefaultLocalizedTextProvider refactoring > [WW-4764] - Make jakarta-stream multipart parser more extensbile > [WW-4767] - Make Multipart parsers more extensible > [WW-4768] - Add proper validation if request is a multipart request > [WW-4769] - Make SecurityMethodAccess excluded classes & packages > definitions immutable > [WW-4771] - minor typos in confluence page "security.html" > [WW-4780] - Upgrade to Log4j2 2.8.2 > [WW-4785] - Allow disable file upload support via an configurable option > [WW-4787] - TestCase XWorkMapPropertyAccessorTest should be moved to > src/test/java > [WW-4791] - Stop using DefaultLocalizedTextProvider#localeFromString > static util method > [WW-4793] - Don't add JBossFileManager as a possible FileManager when > not on JBoss > [WW-4795] - There is no @LongRangeFieldValidator annotation to support > LongRangeFieldValidator > [WW-4805] - At least a DoS attack is available for Spring secured actions > [WW-4809] - Upgrade to commons-lang 3.6 > [WW-4812] - Update commons-fileupload > > New Feature > [WW-3399] - JCR(JSR-170) Struts2 plugin > > Release notes: > * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12 > > Distribution: > * https://dist.apache.org/repos/dist/dev/struts/2.5.12/ > > Maven 2 staging repository: > * https://repository.apache.org/content/repositories/staging/ > > Once you have had a chance to review the test build, please respond > with a vote on its quality: > > [ ] Leave at test build > [ ] Alpha > [ ] Beta > [ ] General Availability (GA) > > Everyone who has tested the build is invited to vote. Votes by PMC > members are considered binding. A vote passes if there are at least > three binding +1s and more +1s than -1s. > > The vote will remain open for at least 24 hours, longer upon request. > A vote can be amended at any time to upgrade or downgrade the quality > of the release based on future experience. If an initial vote > designates the build as "Beta", the release will be submitted for > mirroring and announced to the user list. Once released as a public > beta, subsequent quality votes on a build may be held on the user > list. > > As always, the act of voting carries certain obligations. A binding > vote not only states an opinion, but means that the voter is agreeing > to help do the work. > > > Kind regards --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
