[jira] [Commented] (WW-4917) Clarification on security status and support for Struts 2.3

Sun, 11 Feb 2018 06:57:48 -0800 

    [ 
https://issues.apache.org/jira/browse/WW-4917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16359962#comment-16359962
 ] 

Lukasz Lenart commented on WW-4917:
-----------------------------------

There is no known security issues related to 2.3.x series or rather there is no 
issue that would require releasing a new version. Yet, we do not consider 
2.3.34 as the best available version of the Apache Struts, you should migrate 
to Struts 2.5. That's why Struts 2.3.34 is listed as a "Not Recommended" 
release. Our development focus is on 2.5 series now and incoming 2.6 series. 
The 2.3.x series is still maintained but only in case of high security issues, 
you shouldn't expect any other fixes. Still, there is no exact date to EOL the 
2.3.x series.

> Clarification on security status and support for Struts 2.3
> -----------------------------------------------------------
>
>                 Key: WW-4917
>                 URL: https://issues.apache.org/jira/browse/WW-4917
>             Project: Struts 2
>          Issue Type: Task
>          Components: Documentation
>    Affects Versions: 2.3.34
>            Reporter: Richard Taylor
>            Priority: Minor
>              Labels: security
>
> Hi
>  
> Can you kindly provide clarity as to the exact status of the 2.3 series in 
> terms of ongoing support and security status.
>  
>  
> On the Struts web page [https://struts.apache.org/]
>  
> I found the statement:
>  
> "It's the latest release of Struts 2.3.x which contains the latest security 
> fixes, read more in 
> [Announcement|https://struts.apache.org/announce.html#a20170907] or in 
> [Version notes|https://struts.apache.org/docs/version-notes-2334.html]";
>  
> Yet, on the page at [https://struts.apache.org/releases.html] it is stated 
> that :
>  
> h2. "Prior Releases
> As a courtesy, we retain archival copies of the website for releases that 
> initially were considered "General Availability" but which has been 
> reclassified as "Not recommended" since they contain security issues
> "
> And version 2.3.34 is listed here.
>  
>  
> Lastly - I find no EOL announcement for 2.3.x
>  
> So in summary the question is:
>  
> *1 Is the 2.3 series EOL?*
> *2 Does 2.3.34 contain any known security bugs?*
>  
>  
> Thanking you in advance 
>  
> Richard



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to