On the Struts home page, it says, "We have released two older versions of Apache Struts which *contain the latest security fixes.* Please read announcement for *2.3.20.3* ..."
Those notes say, "This release addresses *two* potential security vulnerabilities," and then list three issues, S2-029, S2-031, and S2-032. The notes for S2-029 say to use version 2.3.28, and the notes for S2-031 and S2-032 say to use version 2.3.20*.2*. S2-030 only mentions 2.3.28.

I really appreciate the maintenance of the older releases. Specifically, changes in OGNL 3.0.13 cause some failures that are hard to find statically, and perhaps other incompatibilities lurk in newer versions.

Am I safe to take the announcement at face value and assume that 2.3.20.3 contains fixes for all known vulnerabilities, disregarding the details of the bulletins themselves? Is there a plan to provide security updates for 2.3.20 and 2.3.24? How long will they be supported?

Thanks for the help!

Doug