David: the recommended hardened version for the financial services industry is Struts 2.5.10.1. Here is why:

"If you are using Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1," Apache says in a March 6 security alert. "You can also switch to a different implementation of the Multipart parser."

https://www.bankinfosecurity.com/apache-struts-2-under-zero-day-attack-update-now-a-9761
(Apache Struts 2 Under Zero-Day Attack, Update Now, www.bankinfosecurity.com)

David and Lukasz, please confirm.

Martin

________________________________
From: David Greene <da...@securelink.com>
Sent: Tuesday, September 19, 2017 9:43 AM
To: Struts Users Mailing List
Subject: Re: Which Struts Version To Use?

Just from my personal experience, migrating from 2.3.x to 2.5.x was a very small development task. I was actually surprised at how few changes were required. As someone else mentioned, a little bit of regex to weed out the now-unused tag arguments was probably the 'hardest' part. I would recommend just biting the (small) bullet and going with 2.5.x if Java 1.6 isn't required in your environment.

-David

On Tue, Sep 19, 2017 at 1:11 AM, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> Bruce
>
> Struts 2.5.x is not only due to the build on JDK7; there were also a few
> important architectural changes which may be backward incompatible in
> some cases. Also, 2.5.x brings more new features and improvements that
> at some point can also break backward compatibility. 2.5.x is a good
> choice when you start a new development project or you need a new
> feature which is available in 2.5.x only.
>
> That's why I keep the 2.3.x branch, just to port security fixes and allow
> an easier transition to 2.5.x (or 2.6.x soon). There are no exact plans for
> how long 2.3.x will be around. I do plan to switch to JDK7 (lack of tools
> to support the build on JDK6) and then 2.3.x will be branded as 2.4.x but
> still with the same scope: only security fixes. So 2.3.x/2.4.x will
> stay with us for longer :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> PS. Please remember that Struts doesn't follow strict semantic
> versioning: "2" means "Struts 2", so Struts 2.5.x is "Struts 2 version
> 5.x" whereas Struts 2.3.x means "Struts 2 version 3.x" :)
>
> 2017-09-18 21:29 GMT+02:00 bruceaphill...@gmail.com <bruceaphill...@gmail.com>:
> > Thank you for the reply.
> >
> > I still don't understand why there are two active branches, especially
> > since JDK7 was EOL some time ago.
> >
> > If the 2.3.X line is going to be ended soon and the 2.5.X line is the
> > future, then I'd like to get our Struts apps on 2.5.X.
> >
> > But if 2.3.X is going to be maintained for the next 1-2 years, then I'd
> > feel comfortable updating to 2.3.X.
> >
> > Another consideration is that all our newer web apps use Spring MVC and
> > do not use Struts 2. We only have some legacy web apps that still use
> > Struts 2. If the time commitment in converting from Struts 2.3.X to 2.5.X
> > is high, then we might as well just convert those apps to Spring MVC.
> >
> > It would be great if the Struts 2 PMC would publicly state what the
> > future plan is for Struts 2, or if there is already a published plan, please
> > let me know.
> >
> > Bruce
> >
> > On 2017-09-18 10:15, "Jason D. Burkert" <jason.burk...@craytek.com> wrote:
> >> On 2017-09-18 11:05 AM, Phillips, Bruce A wrote:
> >> > We still have a couple of web apps that are using Struts version 2.3.32.
> >> >
> >> > We want to update those web apps to the latest version of Struts but
> >> > I’m not sure what version to update to.
> >> >
> >> > I see a 2.5.13 and a 2.3.34 – both tags seem to be recently created.
> >> >
> >> > Should I update to 2.5.13 or should I stay on the 2.3.X line?
> >> >
> >> > Why are there different production tags (2.5.X and 2.3.X)?
> >> >
> >> > Thank You,
> >> >
> >> > Bruce Phillips
> >> >
> >>
> >> Hello Bruce,
> >>
> >> If you have existing web apps using 2.3.32, it would be easiest to update
> >> to 2.3.34 for the latest security updates.
> >>
> >> In the future, to use the 2.5.x series, you'll need to perform some
> >> migration steps. Review the Version Notes for 2.5 to get started,
> >> especially "Internal Changes" and "Package names have changed".
> >> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5
> >>
> >> As to why there are both 2.3.x series and 2.5.x series releases, my
> >> understanding is that one significant reason is "Struts2 is now built
> >> with JDK7" as of the first 2.5 release.
> >>
> >> -Jason
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> > For additional commands, e-mail: user-h...@struts.apache.org
> >
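An added example, not part of the thread above: a small inventory check that walks a WEB-INF/lib listing and compares each struts2-core jar against the per-branch fixed versions quoted in the thread (2.3.32 for the 2.3.x line, 2.5.10.1 for the 2.5.x line), taking into account that the two lines are independent and that a four-part version such as 2.5.10.1 must sort above 2.5.10. The jar naming convention `struts2-core-<version>.jar` is the Maven artifact name; the listing itself is constructed.

```python
import re

# Minimum fixed versions per branch, as quoted in the thread (S2-045 alert):
# branch key is (major, minor); 2.5.10.1 is a four-part version.
MIN_FIXED = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Maven artifact naming: struts2-core-<version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly across lengths."""
    return tuple(int(part) for part in text.split("."))


def version_from_jar(name):
    """Return the version tuple for a struts2-core jar, or None for other jars."""
    match = JAR_RE.match(name)
    return parse_version(match.group(1)) if match else None


def assess(version):
    """'patched', 'vulnerable', or 'unknown-branch' relative to MIN_FIXED."""
    floor = MIN_FIXED.get(version[:2])
    if floor is None:
        return "unknown-branch"   # branch not covered by the thread's figures
    # Tuple comparison: (2, 5, 10) < (2, 5, 10, 1), so 2.5.10 is flagged.
    return "patched" if version >= floor else "vulnerable"


def scan_lib(jar_names):
    """Map each struts2-core jar in a lib listing to its verdict."""
    results = {}
    for name in jar_names:
        version = version_from_jar(name)
        if version is not None:
            results[name] = assess(version)
    return results


# Constructed sample WEB-INF/lib listing (not taken from the thread)
SAMPLE_LIB = [
    "struts2-core-2.3.32.jar",
    "struts2-core-2.5.10.jar",
    "struts2-core-2.5.10.1.jar",
    "struts2-core-2.3.34.jar",
    "commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for jar, verdict in scan_lib(SAMPLE_LIB).items():
        print(f"{jar}: {verdict}")
```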