From ce34254a8ecbc81d9446ee3968120c3bb4f8a5cf Mon Sep 17 00:00:00 2001 From: Lukasz Lenart Date: Tue, 21 Apr 2026 10:09:07 +0200 Subject: [PATCH 1/3] docs: add EOL versions page and cross-link from related pages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add source/eol-versions.md — dedicated page explaining what EOL means, listing EOL branches, and linking to commercial support options (neutral wording) - Update index.html — generalize the Struts 2.5.x EOL card to cover all EOL versions and link to the new page - Update download.md — add note in Prior Releases section pointing to eol-versions - Update releases.md — add note before the Prior Releases table and in the Older Releases bullet - Update commercial-support.md — clarify HeroDevs entry description and update date Co-Authored-By: Claude Sonnet 4.6 --- source/commercial-support.md | 6 +++--- source/download.md | 4 ++++ source/eol-versions.md | 42 ++++++++++++++++++++++++++++++++++++ source/index.html | 9 ++++---- source/releases.md | 5 ++++- 5 files changed, 58 insertions(+), 8 deletions(-) create mode 100644 source/eol-versions.md diff --git a/source/commercial-support.md b/source/commercial-support.md index 6c8f6d665..c2c37c896 100644 --- a/source/commercial-support.md +++ b/source/commercial-support.md @@ -21,7 +21,7 @@ Explore commercial support options for Apache Struts and JavaEE applications thr For detailed assistance, kindly reach out to them directly. Help us keep this list current; if you’re aware of other supportive companies, please share details with us. -Last updated: **2024-12-23** +Last updated: **2026-04-21** - SoftwareMill - contact details: 
@@ -31,11 +31,11 @@ Last updated: **2024-12-23** - [+48 22 188 11 33](tel:+48221881133) (PL) - [+44 56 0156 3406](tel:+445601563406) (UK) - scope of support: consulting, Java & UI development, audit -- HeroDevs +- HeroDevs — Never-Ending Support (NES) - contact details: - email: [hello@herodevs.com](mailto:hello@herodevs.com) - phone: [+1 877-586-1965](tel:+18775861965) - - scope of support: Extended Long-Term Security Support for Apache Struts, CVE Remediation + - scope of support: extended security coverage and CVE remediation for EOL Apache Struts versions ## How to add a new company diff --git a/source/download.md b/source/download.md index a773bcd31..99650fe96 100644 --- a/source/download.md +++ b/source/download.md @@ -98,6 +98,10 @@ version of Struts in the 6.x series. If you are looking for other versions than above please check the Apache Archive site. +Versions no longer listed above are End-of-Life (EOL) and receive no further security patches from the Apache Struts Team. +If your organization requires continued security coverage for an EOL version, see the [End-of-Life versions](eol-versions.html) +page for available options. + ## Verify the integrity of the files {#verify} We recommend that you verify the integrity of the downloaded files using the PGP or MD5/SHA256 signatures. diff --git a/source/eol-versions.md b/source/eol-versions.md new file mode 100644 index 000000000..e10ffd700 --- /dev/null +++ b/source/eol-versions.md 
@@ -0,0 +1,42 @@ +--- +layout: default +title: End-of-Life Versions +--- + +# End-of-Life Apache Struts Versions +{:.no_toc} + +* Will be replaced with the ToC, excluding a header +{:toc} + +## What End-of-Life means + +When a Struts version reaches End-of-Life (EOL), the Apache Struts Team no longer provides +security patches, bug fixes, or updates for that branch. Users are strongly encouraged to +migrate to a [currently supported release](download.cgi). + +The user mailing list and issue tracker are the **only** support options hosted by the Apache +Struts project for supported versions. EOL versions receive no support at all from the project. + +## EOL versions + +| Branch | EOL date | Announcement | +|--------|----------|--------------| +| Struts 2.5.x | 30 October 2023 | [Announcement](announce-2023#a20231030) | +| Struts 2.3.x | 12 September 2019 | [Announcement](announce-2019#a20190912) | +| Struts 1.x | 5 April 2013 | [Announcement](struts1eol-announcement.html) | + +For a full list of individual releases that are no longer recommended due to known security issues, +see the [Releases](releases.html#prior-releases) page. + +## Commercial support for EOL versions + +If migration is not immediately feasible, third-party vendors offer extended security support +for EOL Struts versions. The Apache Software Foundation does not endorse any commercial offering; +the following is provided for informational purposes only. + +{:.alert .alert-info} +[HeroDevs Never-Ending Support (NES)](https://www.herodevs.com/support/struts-nes){:rel="nofollow" target="_blank"} +— extended security coverage and CVE remediation for EOL Apache Struts versions. + +For a full list of commercial support options, see the [Commercial Support](commercial-support.html) page. \ No newline at end of file diff --git a/source/index.html b/source/index.html index da570d2e9..6dcb5789f 100644 --- a/source/index.html +++ b/source/index.html @@ -69,11 +69,12 @@

Google's Patch Reward program

-

Apache Struts 2.5.x EOL

+

End-of-Life Struts Versions

- The Apache Struts Team informs about discontinuing support for Struts 2.5.x branch, we recommend migration - to the latest version of Struts, read more in - Announcement + Some Struts versions are no longer supported and receive no further security patches. + We recommend migrating to the latest release. + If migration is not immediately feasible, see End-of-Life versions + for available options.

diff --git a/source/releases.md b/source/releases.md index 842374e03..53b4f8535 100644 --- a/source/releases.md +++ b/source/releases.md @@ -23,6 +23,7 @@ repositories, like [ibiblio.](http://ibiblio.org) the [Apache Maven Repository](https://repository.apache.org/content/groups/snapshots/). - **Older Releases** are available here - [Archive Site](https://archive.apache.org/dist/struts/) + - For support options on older releases, see [End-of-Life versions](eol-versions.html) Project releases have been approved by the vote of the Apache Struts [Project Management Committee.](bylaws.html) Support for a release is provided by [project volunteers](volunteers.html) 
@@ -37,7 +38,9 @@ The user mailing list and issue tracker are the **only** support options hosted ## Prior Releases {#prior-releases} As a courtesy, we retain archival copies of the website for releases that initially were considered -"General Availability" but which has been reclassified as "Not recommended" since they contain security issues +"General Availability" but which has been reclassified as "Not recommended" since they contain security issues. +If you are running one of the versions below and cannot migrate, see the [End-of-Life versions](eol-versions.html) +page for available options. | Release | Release Date | Vulnerability | Version Notes | |-----------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------| From 6e0ee18583e354e1f5ee6e04f5d4c136a4f5280c Mon Sep 17 00:00:00 2001 From: Lukasz Lenart Date: Tue, 21 Apr 2026 10:14:52 +0200 Subject: [PATCH 2/3] docs: add End-of-Life Versions to Support navigation menu Co-Authored-By: Claude Sonnet 4.6 --- source/_includes/header.html | 1 + source/index.html | 22 +++++++++++----------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/source/_includes/header.html b/source/_includes/header.html index 9285bec62..300aebec8 100644 --- a/source/_includes/header.html +++ b/source/_includes/header.html @@ -42,6 +42,7 @@
  • Issue Tracker
  • Reporting Security Issues
  • Commercial Support
  • +
  • End-of-Life Versions
  • Version Notes
  • Security Bulletins
  • diff --git a/source/index.html b/source/index.html index 6dcb5789f..83551f523 100644 --- a/source/index.html +++ b/source/index.html @@ -39,13 +39,12 @@

    Apache Struts {{ site.prev_version }} GA

    Version notes
    -

    CVE-2025-64775 File leak in multipart request processing causes disk exhaustion (DoS)

    -

    - Upgrade to Apache Struts 6.8.0 or 7.1.1 to mitigate the vulnerability. -

    +

    End-of-Life Struts Versions

    - Read more in the Announcement or in - the Security Bulletin S2-068 + Some Struts versions are no longer supported and receive no further security patches. + We recommend migrating to the latest release. + If migration is not immediately feasible, see End-of-Life versions + for available options.

    @@ -69,12 +68,13 @@

    Google's Patch Reward program

    -

    End-of-Life Struts Versions

    +

    CVE-2025-64775 File leak in multipart request processing causes disk exhaustion (DoS)

    - Some Struts versions are no longer supported and receive no further security patches. - We recommend migrating to the latest release. - If migration is not immediately feasible, see End-of-Life versions - for available options. + Upgrade to Apache Struts 6.8.0 or 7.1.1 to mitigate the vulnerability. +

    +

    + Read more in the Announcement or in + the Security Bulletin S2-068

    From 80b118fc55ccc50108df26b85b08df3203747975 Mon Sep 17 00:00:00 2001 From: Lukasz Lenart Date: Wed, 29 Apr 2026 16:46:14 +0200 Subject: [PATCH 3/3] chore: trigger staging build Co-Authored-By: Claude Opus 4.7
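Review bot: In the vendor list of source/commercial-support.md (PATCH 1/3, hunk at line 31), the HeroDevs entry heading now carries a product name, "Never-Ending Support (NES)", while the SoftwareMill entry above it is the company name alone. Keep the heading as "HeroDevs" so the entries stay uniform, and leave the product name to the scope-of-support line or to the link on eol-versions.md.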
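Review bot: In source/download.md (PATCH 1/3, hunk at line 98), the added sentence "Versions no longer listed above are End-of-Life (EOL)" is broader than the definition in the new eol-versions.md, which declares EOL per branch (2.5.x, 2.3.x, 1.x). The surrounding text is about the current 6.x series, so a superseded release in a still-supported series would also read as EOL. Suggest wording it by branch, or pointing readers to the EOL table to check whether their branch is actually unsupported.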
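Review bot: In the EOL table of the new source/eol-versions.md (PATCH 1/3), the two announcement links `announce-2023#a20231030` and `announce-2019#a20190912` have no `.html` extension, while the other page links in the same file (`struts1eol-announcement.html`, `releases.html#prior-releases`, `commercial-support.html`) do. Please confirm both resolve on the built site or add the extension. The file also ends without a trailing newline ("\ No newline at end of file").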
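Review bot: In the Prior Releases paragraph of source/releases.md (PATCH 1/3, hunk at line 37), the line being rewritten still reads "but which has been reclassified" with the plural subject "releases"; since the hunk already touches that line to add the period, change it to "which have been reclassified". The added sentence also sends readers of "one of the versions below" to the EOL page, which lists branches rather than individual releases, so it would help to say that the pointer applies when the release belongs to an EOL branch.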
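Review bot: The commit message of PATCH 2/3 mentions only the Support navigation menu, but its source/index.html hunks also swap two cards: the CVE-2025-64775 notice with its "Upgrade to Apache Struts 6.8.0 or 7.1.1" instruction moves from the hunk at line 39 to the one at line 68, after "Google's Patch Reward program", and the EOL card takes its place. Please describe the reorder in the message or split it into its own commit, and confirm that placing a current security advisory below the EOL notice is intended.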