•  Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
•  Extended existing security mechanism to block access to given Java packages and Classes, see #11 or read Internal security mechanism
• Collection Parameters for RedirectResults, WW-4224
• Make ParametersInterceptor supports chinese in hash key by default, 
  WW-4250
• themes.properties can be loaded using ServletContext allows to put template folder under WEB-INF or on classpath, WW-4260
• New tag datetextfield, WW-3493
• Only valid Ognl expressions are cached, WW-4146
• CustomTextProvider can be used for validation errors of model driven actions, 
  WW-4202
• datetimepicker's label fixed, WW-4254
• PropertiesJudge removed and properties are checked in SecurityMemberAccess, WW-4257
• resource reloading works in IBM JVM, WW-4266
• default reloading settings were removed from default.properties, WW-4267
•  commons-fileupload library upgraded to version 1.3.1 to fix potential security vulnerability, 
  WW-4286
• The scheme attribute accepts expressions in s:url tag, WW-4024
• Solves problem with infinite loop in FastByteArrayOutputStream, WW-4383
• LocalizedTextUtil supports many ClassLoaders, WW-4379
• Bill of Materials pom was introduced, WW-4326
• debug=browser|console was migrated to jQuery, WW-4322
• struts_dojo.js was fixed, WW-4349
• interface org/apache/struts2/views/TagLibrary was restored and marked as @Depreacted, WW-4255
• <s:hidden/> tag is wrapped with <tr/> and <td/> tags to match layout of other tags in xhtml theme, WW-4297
• and many other small improvements, please see the release notes

      摘自http://struts.apache.org/docs/version-notes-2320.html