jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From resc...@apache.org
Subject svn commit: r1681074 - /jackrabbit/branches/2.6/RELEASE-NOTES.txt
Date Fri, 22 May 2015 11:43:10 GMT
Author: reschke
Date: Fri May 22 11:43:09 2015
New Revision: 1681074

URL: http://svn.apache.org/r1681074
Prepare release notes for Jackrabbit 2.6.6


Modified: jackrabbit/branches/2.6/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.6/RELEASE-NOTES.txt?rev=1681074&r1=1681073&r2=1681074&view=diff
--- jackrabbit/branches/2.6/RELEASE-NOTES.txt (original)
+++ jackrabbit/branches/2.6/RELEASE-NOTES.txt Fri May 22 11:43:09 2015
@@ -9,16 +9,58 @@ specified in the Java Specification Requ
 Apache Jackrabbit 2.6.6 is a patch release that contains fixes and
 improvements over Jackrabbit 2.6. This release also contains a security fix
-for Jackrabbit 2.6.2 and earlier. Jackrabbit 2.6.x releases are considered
+for Jackrabbit 2.6.5 and earlier. Jackrabbit 2.6.x releases are considered
 stable and targeted for production use.
+Security advisory (JCR-3883 / CVE-2015-1833)
+This release fixes an important security issue in the jackrabbit-webdav module
+reported by Mikhail Egorov.
+When processing a WebDAV request body containing XML, the XML parser can be 
+instructed to read content from network resources accessible to the host, 
+identified by URI schemes such as "http(s)" or  "file". Depending on the 
+WebDAV request, this can not only be used to trigger internal network 
+requests, but might also be used to insert said content into the request, 
+potentially exposing it to the attacker and others (for instance, by inserting
+said content in a WebDAV property value using a PROPPATCH request). See also
+IETF RFC 4918, Section 20.6.
+Users of the jackrabbit-webdav module are advised to immediately update the
+module to this release or disable WebDAV access to the repository.
 Changes since Jackrabbit 2.6.5
-  [JCR-3628] Embed cause in org.apache.jackrabbit.core.SessionImpl ...
+  [JCR-3573] Improve token based login concurrency
+  [JCR-3628] Embed cause in org.apache.jackrabbit.core.SessionImpl#getNodeByIdentifier while
rethrowing IllegalArgumentException
+  [JCR-3687] Backport improvements made to token based auth in OAK
+  [JCR-3810] StreamWrapper can attempt to reset other types of InputStreams
+  [JCR-3826] AbstractPrincipalProvider cachesize is not configurable
+Bug fixes
+  [JCR-3235] ArrayIndexOfOufBounds in TargetImportHandler$BufferedStringValue.append()
+  [JCR-3693] Lucene configuration - aggregation definition : problem with include-property
+  [JCR-3709] DBDataStore updates 2 times the lastModified Date on touch when GC is running
+  [JCR-3711] RepositoryChecker versioning cleanup may leave repaired node in invalid type
+  [JCR-3721] Slow and actively called NodeId.toString()
+  [JCR-3761] TokenInfo#resetExpiration always fails with ConstraintViolationException
+  [JCR-3770] refine validateHierarchy check in order to avoid false-positives
+  [JCR-3773] Lucene ConsistencyCheck reports nodes under jcr:nodeTypes as deleted
+  [JCR-3783] Deadlock due to IOException in WorkspaceUpdateChannel.updatePrepared()
+  [JCR-3784] ReplacePropertyWhileOthersReadTest fails when run with ConcurrentTestSuite
+  [JCR-3798] NPE while building path in lucene index consistency checker
+  [JCR-3809] ConnectionHelper swallows exception when it fails to reset binary streams after
a failed SQL statement execution
+  [JCR-3811] AppendRecord should allow reattempting database insertions of journal records
should the initial attempt fail
+  [JCR-3814] IllegalStateException in LockManager#unlock
+  [JCR-3821] SeededSecureRandom thread can prevent Jackrabbit from shutting down
+  [JCR-3840] NodeTypeDefDiff does not take same-name child type definitions into account
+  [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)  
 Changes since Jackrabbit 2.6.4

View raw message