lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <510143ac0901200520t7c5eb03bh2216862188d7c7a4@mail.gmail.com>
Date: Tue, 20 Jan 2009 14:20:51 +0100
From: "Jukka Zitting" <jukka@...che.org>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: security@...che.org, private@...krabbit.apache.org
Subject: [ANNOUNCE] Apache Jackrabbit 1.5.2 released

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit version 1.5.2. The release is available for download
at:

    http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release.


Release Notes -- Apache Jackrabbit -- Version 1.5.2

Introduction
------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more. See the Jackrabbit web site at http://jackrabbit.apache.org/ for
more information.

Apache Jackrabbit 1.5.2 is a security and bug fix release that fixes
issues reported against previous releases. This release is fully
compatible with the earlier 1.5.0 release.

Most notably, this release fixes the following security vulnerability.
Thanks to the Red Hat Security Response Team for reporting this issue.

  * CVE-2009-0026: Cross site scripting issues in webapp (JCR-1925)

    The search.jsp and swr.jsp pages in the Jackrabbit webapp are
    vulnerable to script injection. This release fixes the issue
    by properly escaping all user input.

    This issue affects both the Jackrabbit 1.4 and 1.5.0 releases.
    If you are unable to upgrade to 1.5.2 at this point, you can
    work around this issue by disabling the search.jsp and swr.jsp
    pages in the Jackrabbit webapp.

See below for a full listing of fixes included in this release.

Changes in this release
-----------------------

All the fixes in this release are listed below per affected component.
The modified components have had their version numbers upgraded to 1.5.2;
other components are still at version 1.5.0. Jackrabbit version 1.5.1
was cancelled due to incorrect license headers in the source code.

jackrabbit

  Bug fixes
  [JCR-1936] Incorrect license headers in multiple components

jackrabbit-core

  Bug fixes
  [JCR-1823] Repository.login throws IllegalStateException
  [JCR-1838] Garbage collection deletes temporary files in FileDataStore
  [JCR-1846] Jackrabbit thread contention issue due to fat lock
  [JCR-1920] Custom LoginModule configurations broken in 1.5.0
  [JCR-1931] SharedFieldCache$StringIndex memory leak causing OOM's

jackrabbit-jcr-commons

  Bug fixes
  [JCR-1926] Text.unescape("%") throws a StringIndexOutOfBoundsException

jackrabbit-jcr-server

  Bug fixes
  [JCR-1902] Warning while building DAV:parent-set for root-node resource

jackrabbit-jcr-servlet

  Bug fixes
  [JCR-1910] RMIRemoteBindingServlet fails to initialize if the RMI ...

jackrabbit-standalone

  Bug fixes
  [JCR-1912] RMI reference not automatically bound by the standalone server

jackrabbit-webapp

  Security fixes
  [JCR-1925] CVE-2009-0026: Cross site scripting issues in webapp

  Bug fixes
  [JCR-1920] The 1.5.0 webapp points to 1.4 javadocs
  [JCR-1930] Extra </div> in populate.jsp

jackrabbit-webdav

  Bug fixes
  [JCR-1926] Text.unescape("%") throws a StringIndexOutOfBoundsException

You can look up individual issues for more details in the Jackrabbit
issue tracker at https://issues.apache.org/jira/browse/JCR.

Release Contents
----------------

This release consists of a single source archive (jackrabbit-1.5.2-src.jar)
that contains all the Apache Jackrabbit components. Use the following
commands (or the equivalent in your system) to build the release with
Maven 2 and Java 1.4 or higher:

    jar xf jackrabbit-1.5.2-src.jar
    cd jackrabbit-1.5.2-src
    mvn install

Note that the OCM components require Java 5 or higher, and are not included
in the build when using Java 1.4.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

The build will result in the following components (with artifactIds in
parenthesis) being built and installed in your local Maven repository.
Pre-built binary artifacts of these components are also available on
the on the central Maven repository.

  * Jackrabbit Parent POM (jackrabbit-parent)
    The Maven parent POM for all Jackrabbit components.

  * Jackrabbit API (jackrabbit-api)
    Interface extensions that Apache Jackrabbit supports in
    addition to the standard JCR API.

  * Jackrabbit JCR Commons (jackrabbit-jcr-commons)
    General-purpose classes for use with the JCR API.

  * Jackrabbit JCR Tests (jackrabbit-jcr-tests)
    Set of JCR API test cases designed for testing the compliance
    of an implementation. Note that this is not the official JCR TCK!

  * Jackrabbit JCR Benchmarks (jackrabbit-jcr-benchmark)
    Framework for JCR performance tests.

  * Jackrabbit Core (jackrabbit-core)
    Core of the Apache Jackrabbit content repository implementation.

  * Jackrabbit Text Extractors (jackrabbit-text-extractors)
    Text extractor classes that allow Jackrabbit to extract text content
    from binary properties for full text indexing.

  * Jackrabbit JCR-RMI (jackrabbit-jcr-rmi)
    RMI remoting layer for the JCR API.

  * Jackrabbit WebDAV Library (jackrabbit-webdav)
    Interfaces and common utility classes used for building a
    WebDAV server or client.

  * Jackrabbit JCR Server (jackrabbit-jcr-server)
    WebDAV servlet implementations based on JCR.

  * Jackrabbit JCR Servlets (jackrabbit-jcr-servlet)
    Set of servlets and other classes designed to make it easier to use
    Jackrabbit and other JCR content repositories in web applications.

  * Jackrabbit Repository Classloader (jackrabbit-classloader)
    Java classloader for loading classes from JCR content repositories.

  * Jackrabbit Web Application (jackrabbit-webapp)
    Deployable Jackrabbit installation with WebDAV support for JCR.

  * Jackrabbit JCA Resource Adapter (jackrabbit-jca)
    J2EE Connector Architecture (JCA) resource adapter for Jackrabbit.

  * Jackrabbit SPI (jackrabbit-spi)
    The SPI defines a layer within a JSR-170 implementation that separates
    the transient space from the persistent layer.

  * Jackrabbit SPI Commons (jackrabbit-spi-commons)
    This component contains generic utility classes that might be used
    to build an SPI implementation.

  * Jackrabbit SPI2JCR (jackrabbit-spi2jcr)
    This component contains a SPI implementation wrapping around an
    implementation of JSR-170.

  * Jackrabbit JCR2SPI (jackrabbit-jcr2spi)
    This component contains an implementation of the JSR-170 API and
    covers the functionality that is not delegated to the SPI
    implementation.

  * Jackrabbit Standalone (jackrabbit-standalone)
    Jackrabbit server in a self-contained runnable jar.

  * Jackrabbit OCM (jackrabbit-ocm)
    Object-Content mapping tool for persisting and accessing Java objects
    in a JCR content repository.

  * Jackrabbit OCM Node Management (jackrabbit-ocm-nodemanagement)
    This component simplifies registration of node types and namespaces
    referenced in OCM mapping descriptors.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ