Child pages
  • Version Notes 2.5.30
Skip to end of metadata
Go to start of metadata

(tick) These are the notes for the Struts 2.5.30 distribution.

(tick) For prior notes in this release series, see Version Notes 2.5.29

  • If you are a Maven user, you might want to get started using the Maven Archetype.
Maven Dependency
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.5.30</version>
</dependency>

You can also use Struts Archetype Catalog like below

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

Yasser's PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.

How to test

  • Run all your app tests, you shouldn't see any WARN log like below:

Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at
https://struts.apache.org/security/

  • See if following components are still functioning correctly regarding java-scripts:
    forms with client side validations
    doubleselect
    combobox
  • Check also StreamResults, AliasInterceptors and JasperReportResults if they are still working as expected.

Dependency

  • [WW-5170] - Upgrade Jackson-Core to version 2.10.5 and Jackson-Databind to 2.10.5.1
  • [WW-5172] - Upgrade freemarker to 2.3.31

Issue Detail

Issue List

Other resources