
             AUSCERT External Security Bulletin Redistribution

            Apache Struts 2.3.x End-Of-Life (EOL) Announcement
                             16 November 2018


        AusCERT Security Bulletin Summary

Product:           Apache Struts
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

The Apache Struts Project Team would like to inform you that the
Struts 2.3.x web framework will reach its end of life in 6 months and
will no longer be officially supported.


This announcement takes effect on 2018-11-14, and starting from that
date we will only support Apache Struts 2.3.x in case of security
vulnerabilities. Within this 6-month period you can expect that we
will do our best to keep the Struts 2.3.x branch secure, but some
security-related changes cannot happen without architectural changes
that can affect backward compatibility. This is what happened with
Struts 2.5.x, where we introduced some internal changes to improve the
framework's overall security.

Questions and Answers

With the announcement of Struts 2.3.x EOL, what happens to Struts
2.3.x resources?

All resources will stay where they are. The documentation will still
be accessible from the Apache Struts homepage, as well as the
downloads for all released Struts 2.3.x versions. All of the Struts
2.3.x source code can be found in the Apache Struts Git repository
under branch support-2-3, now and in future. All released Maven
artifacts will still be accessible in Maven Central.

If a major security problem or a serious bug is reported for Struts
2.3.x in the near future, can we expect a new release with fixes?

Yes, we will continue to support Struts 2.3.x in case of security
issues for the next 6 months; after that time we won't support this
branch in any case.

Is there an immediate need to eliminate Struts 2.3.x from my projects?

As far as the Struts team is currently aware, there is no urgent
issue posing an immediate need to eliminate Struts 2.3.x usage from
your projects. However, you should consider migrating to the latest
available version, as we will stop supporting this version in 6 months.

We plan to start a new project based on Struts 2.3.x. Can we still do so?

Basically yes, but we would not recommend doing so. As long as no line
of code has been written, it is very easy to select the latest
version of Struts 2 instead.

My friends / colleagues and I would like to see Struts 2.3.x being
maintained again. What can we do?

You are free to put effort into Struts 2.3.x. There is basically one
possibility: fork the existing source and support it on your own.

On behalf of the Apache Struts Team

Kind regards
--
+ 48 606 323 122 http://www.lenart.org.pl/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.