* Quartz: http://www.opensymphony.com/quartz
* Release notes and changes: http://wiki.opensymphony.com/display/QRTZ1/Quartz+1.6.1
* Download: http://www.opensymphony.com/quartz/download.action

This version will be the final one where major features will get into the 2.0.0 release train. The current plan is to release 2.0.0 RC2 in a week or two, and soon after (a week) release 2.0.0 GA. Both releases will only include bug fixes. This has been a long road, and 2.0.0 has become a really nice release. So please, if you are using old Compass version, take the time to upgrade to 2.0.0 RC1 and give us feedback (make sure you read the upgrade.txt file).

The release can be downloaded here. Full release notes can be found here.

The release can be downloaded here. Full release notes can be found here.

This release, approximately 3 months after WebWork 2.2.5, is a
maintainance release, due to a critical security issue found in XWork,
allowing users to execute arbituary any OGNL expression. See here for more details

* Release Notes
* Changelog
* Download here

This release is backwords compatible with WebWork 2.2.5 and is a drop
in replacement.

We would like to thank both users and contributors of WebWork for
helping out, submiting patches, testing, providing feedback and
participating in various discussion.

The WebWork Development Team

This release specifically addresses a critical security issue allowing users to execute arbituary any OGNL expression.
We encourage all users of XWork 1.2.x/2.0.x, WebWork 2.2.x and Struts 2.0.x to update to these releases.

• Download here

Summary

Remote code exploit on form validation error

Who should read this: All XWork 1.2.x, XWork 2.x, WebWork 2.2.x, Struts 2 developers
Impact of vulnerability: Remote code execution
Maximum security rating: Critical
Recommendation: Developers should either apply the patch or upgrade XWork immediately
Affected Software: WebWork 2.1 (with altSyntax enabled), WebWork 2.2.0 - WebWork 2.2.5, Struts 2.0.0 - Struts 2.0.8
Non-Affected Software: WebWork 2.0, WebWork 2.1 (with altSyntax disabled, which is the default)
Original JIRA Ticket: WW-2030

Problem

The 'altSyntax' feature of WebWork 2.1+ and Struts 2 allows OGNL expressions to be inserted into text strings and is processed recursively. This allows a malicious user to submit a string, usually through an HTML text field, containing an OGNL expression that will then be executed by the server if the form validation has failed. For example, say we had this form that required the 'phoneNumber' field to not be blank:

<s:form action="editUser">
  <s:textfield name="name" />
  <s:textfield name="phoneNumber" />
</s:form>

The user could leave the 'phoneNumber' field blank to trigger the validation error, then populate the 'name' field with "%{1+1}". When the form is re-displayed to the user, the value of the 'name' field will be '2'. The reason is the value field is, by default, processed as "%{name}", and since OGNL expressions are evaluated recursively, it is evaluated as if the expression was "%{ %{1+1}}".

The OGNL parsing code is actually in XWork and not in WebWork 2 or Struts 2.

Solution

The fixed version of XWork changes the OGNL parsing so that it is not recursive. Therefore, in the example above, the result will be the expected "%{1+1}". You can either obtain the latest version of WebWork 2 or Struts 2, which contains the fixed XWork library, or download the fixed XWork library directly. Alternatively, you can obtain the patch and apply it to the XWork source code yourself.

We would like to thank both users and contributors of XWork, WebWork and Struts2 for
helping out, submiting patches, testing, providing feedback and
participating in various discussion.

The XWork Development Team

This maintenance release of 2.4 has two bug fixes:

* The cacheFlushed method is not being invoked on the CacheEntryEventListener
* CacheFilter max-age parameter MAX_AGE_NO_INIT not set properly

This release can be downloaded now.

Furthermore this release enhances the CacheFilter and allows a better integration with the Spring Framework and JMX Monitoring.

• Setting CacheFilter parameters runtime
• Lazy initialization in CacheFilter in order to ease spring integration
• Allow disabling cacheing for special http methods (e.g. POST/DELETE/PUT) in CacheFilter
• CacheFilter allow reentrance over different filter configurations

• Hibernate 3.2 integration support
• JMX Monitoring/Administration via Spring
• Improve oscache.properties loading
• Performance improvment for large disk persistence usage

This release can be downloaded now.

This 2.2.5 release, 6 months after WebWork 2.2.4, marks the final chapter for the WebWork framework.

Struts 2, its successor, had its first GA release, and in a final push, the WebWork team wanted to do a big effort to bring in as many optimizations and bug fixes as possible before shifting developer focus.

• Release notes
• Changelog
• Download here

This release is fully backwards compatible with WebWork 2.2.4. You can just replace the existing WebWork and XWork jars with the news ones from 2.2.5.

Like always, we would like to thank both regular users and contributors, for helping out, submitting patches, testing, and providing general feedback.

The development of WebWork 2 and XWork 1 slowly grinds to a halt, so if you're looking for bleeding edge technologies or new features, you are more than welcome to try Struts 2.

The WebWork Development Team