Subject: svn commit: r1507010 - /jackrabbit/branches/2.6/RELEASE-NOTES.txt
Date: Thu, 25 Jul 2013 15:20:32 -0000
To: commits@jackrabbit.apache.org
From: jukka@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20130725152032.AC8EA2388993@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jukka Date: Thu Jul 25 15:20:32 2013 New Revision: 1507010 URL: http://svn.apache.org/r1507010 Log: 2.6: Update release notes. Modified: jackrabbit/branches/2.6/RELEASE-NOTES.txt Modified: jackrabbit/branches/2.6/RELEASE-NOTES.txt URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.6/RELEASE-NOTES.txt?rev=1507010&r1=1507009&r2=1507010&view=diff ============================================================================== --- jackrabbit/branches/2.6/RELEASE-NOTES.txt (original) +++ jackrabbit/branches/2.6/RELEASE-NOTES.txt Thu Jul 25 15:20:32 2013 @@ -1,4 +1,4 @@ -Release Notes -- Apache Jackrabbit -- Version 2.6.2 +Release Notes -- Apache Jackrabbit -- Version 2.6.3 Introduction ------------ 
@@ -7,9 +7,35 @@ This is Apache Jackrabbit(TM) 2.6, a ful Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as specified in the Java Specification Request 283 (JSR 283). -Apache Jackrabbit 2.6.2 is a patch release that contains fixes and -improvements over Jackrabbit 2.6. Jackrabbit 2.6.x releases are -considered stable and targeted for production use. +Apache Jackrabbit 2.6.3 is a patch release that contains fixes and +improvements over Jackrabbit 2.6. This release also contains a security fix. +Jackrabbit 2.6.x releases are considered stable and targeted for production +use. + +Security advisory (JCR-3630) +---------------------------- + +As reported by Noel Dunne and Lars Krapf, there was a cross-site scripting +(XSS) vulnerability in the jackrabbit-jcr-server component, used for providing +WebDAV access to the repository. This release fixes the issue. + +Changes since Jackrabbit 2.6.2 +------------------------------ + +Improvements + + [JCR-2029] JCR Remoting: Use DAV:lockroot to expose the lock-holding node + [JCR-3322] add TCK coverage of isNodeType(expandedName) + [JCR-3625] make port number for webdav integration tests configurable + [JCR-3626] NodeTypeTest.getPrimaryItemName can get ssssslllllloooowwwww + +Bug fixes + + [JCR-3228] WebDav/DavEx remoting throws workspace mismatch exceptions ... + [JCR-3605] Possible Deadlock during TimeoutHandler is running + [JCR-3610] html excerpt broken when one of the indexed properties contains + [JCR-3617] Inconsistent CachingHierarchyManager under concurrent access + [JCR-3630] XSS in DirListingExportHandler Changes since Jackrabbit 2.6.1 ------------------------------ 
@@ -35,41 +61,41 @@ Changes since Jackrabbit 2.6.0 Improvements - [JCR-3495] - Unregister from PrivilegeRegistry and NodeTypeRegistry on Session.logout() - [JCR-3513] - Slower range query execution - [JCR-3516] - Search index consistency check should report and fix wrong parent relation - [JCR-3517] - Search index consistency check should be able to double check its reported issues - [JCR-3519] - Disable IOCounters based on log level - [JCR-3535] - Davex remoting should support absolute path hrefs - [JCR-3553] - improve error logging for unexpected path formats - [JCR-3566] - add TCK test for NaN and infinity double property values - [JCR-3577] - Allow creation of users with 'null' password - [JCR-3587] - RepositoryImpl should expose the collection of PersistenceManager instances in use + [JCR-3495] Unregister from PrivilegeRegistry and NodeTypeRegistry on ... + [JCR-3513] Slower range query execution + [JCR-3516] Search index consistency check should report and fix wrong ... + [JCR-3517] Search index consistency check should be able to double ... + [JCR-3519] Disable IOCounters based on log level + [JCR-3535] Davex remoting should support absolute path hrefs + [JCR-3553] improve error logging for unexpected path formats + [JCR-3566] add TCK test for NaN and infinity double property values + [JCR-3577] Allow creation of users with 'null' password + [JCR-3587] RepositoryImpl should expose the collection of ... 
Bug Fixes - [JCR-3276] - JCA Adpater not handling transaction suspension correctly - [JCR-3382] - ItemManager.getNode does not do a permission check when the item data is in the item manager cache - [JCR-3498] - OUTER JOIN behavior is improperly excluding some values - [JCR-3512] - DelayedDelete in MultiDatastore does not work correctly - [JCR-3518] - Build fails on Mac OS + JDK 7 - [JCR-3521] - IllegalArgumentException thrown on a box running java7 with a sorted query - [JCR-3523] - Workspace.copy changes WeakReferences to References - [JCR-3539] - NotQuery#advance (and for older versions skipTo) violates Lucene advance contract in case a Filter is used - [JCR-3540] - locator for RootCollection generates a broken href when using absolutePath setting - [JCR-3545] - unknown REPORT should cause status code 409/DAV:supported-report - [JCR-3546] - header fields values such as "Location" need to be resolved against the request uri - [JCR-3549] - URIResolverImpl needs to handle absolute paths in addition to absolute URIs - [JCR-3551] - DavEx cannot handle Double.NaN properties - [JCR-3552] - Principal associated with Group does not update members - [JCR-3554] - RepositoryService.getReferences needs to deal with absolute paths in hrefs - [JCR-3562] - Adding a child node named {foo fails but bar} works - [JCR-3578] - use absolute paths in DeltaV request bodies, and resolve hrefs in responses properly - [JCR-3570] - Make immediately Repository start configureable in JCAManagedConnectionFactory - [JCR-3576] - handle absolute paths in observation response bodies - [JCR-3580] - JcrPrivilegeReport needs to deal with both absolute paths and absolute URIs in payloads - [JCR-3581] - Incorrect bitwise arithmetic in BitsetENTCacheImpl.BitsetKey.compareTo implementation - wrong bit mask value used - [JCR-3583] - UPDATE method needs to deal with both absolute paths and absolute URIs in payloads + [JCR-3276] JCA Adpater not handling transaction suspension correctly + [JCR-3382] 
ItemManager.getNode does not do a permission check when the ... + [JCR-3498] OUTER JOIN behavior is improperly excluding some values + [JCR-3512] DelayedDelete in MultiDatastore does not work correctly + [JCR-3518] Build fails on Mac OS + JDK 7 + [JCR-3521] IllegalArgumentException thrown on a box running java7 with ... + [JCR-3523] Workspace.copy changes WeakReferences to References + [JCR-3539] NotQuery#advance (and for older versions skipTo) violates ... + [JCR-3540] locator for RootCollection generates a broken href when ... + [JCR-3545] unknown REPORT should cause status code 409/DAV:supported-report + [JCR-3546] header fields values such as "Location" need to be resolved ... + [JCR-3549] URIResolverImpl needs to handle absolute paths in addition ... + [JCR-3551] DavEx cannot handle Double.NaN properties + [JCR-3552] Principal associated with Group does not update members + [JCR-3554] RepositoryService.getReferences needs to deal with absolute ... + [JCR-3562] Adding a child node named {foo fails but bar} works + [JCR-3578] use absolute paths in DeltaV request bodies, and resolve ... + [JCR-3570] Make immediately Repository start configureable in ... + [JCR-3576] handle absolute paths in observation response bodies + [JCR-3580] JcrPrivilegeReport needs to deal with both absolute paths ... + [JCR-3581] Incorrect bitwise arithmetic in BitsetENTCacheImpl.BitsetKey.... + [JCR-3583] UPDATE method needs to deal with both absolute paths and ... Changes since Jackrabbit 2.4.0
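Review bot: In the @@ -7,9 +7,35 @@ hunk, the new "Security advisory (JCR-3630)" section does not say which releases are affected or which part of jackrabbit-jcr-server is involved, so a reader cannot tell from the advisory paragraph alone whether their WebDAV deployment is exposed. Suggest stating the affected version range there, naming the component already given in the bug-fix list ("XSS in DirListingExportHandler"), and saying explicitly that upgrading to 2.6.3 is the remedy. Separately, the [JCR-3610] entry ends at "contains" with no object and no "..." marker, unlike the [JCR-3228] entry in the same list; either finish the title or mark the truncation.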
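Review bot: In the @@ -35,41 +61,41 @@ hunk, shortening [JCR-3382] to "ItemManager.getNode does not do a permission check when the ..." drops the condition ("item data is in the item manager cache") from the one entry in this list that describes a missing permission check. Suggest keeping that title whole, wrapped onto a continuation line rather than cut, so the access-control fix stays recognisable to someone scanning the notes. [JCR-3581] is likewise cut in the middle of an identifier ("BitsetENTCacheImpl.BitsetKey....") and loses the "wrong bit mask value used" detail, and the carried-over spellings "Adpater" in [JCR-3276] and "configureable" in [JCR-3570] could be corrected while these lines are being rewritten.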