Subject: svn commit: r1874199 - in /jackrabbit/site/trunk/src/site/markdown: downloads.md index.md
Date: Wed, 19 Feb 2020 15:00:29 -0000
To: commits@jackrabbit.apache.org
From: reschke@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20200219150029.5D93F17A010@svn01-us-east.apache.org> Author: reschke Date: Wed Feb 19 15:00:29 2020 New Revision: 1874199 URL: http://svn.apache.org/viewvc?rev=1874199&view=rev Log: oak 1.4.26 Modified: jackrabbit/site/trunk/src/site/markdown/downloads.md jackrabbit/site/trunk/src/site/markdown/index.md Modified: jackrabbit/site/trunk/src/site/markdown/downloads.md URL: http://svn.apache.org/viewvc/jackrabbit/site/trunk/src/site/markdown/downloads.md?rev=1874199&r1=1874198&r2=1874199&view=diff ============================================================================== --- jackrabbit/site/trunk/src/site/markdown/downloads.md (original) +++ jackrabbit/site/trunk/src/site/markdown/downloads.md Wed Feb 19 15:00:29 2020 @@ -57,6 +57,22 @@ See the `LICENSE.txt` file contained in + +Apache Jackrabbit Oak 1.4.26 (February 19th, 2020) +-------------------------------------------------- +Apache Jackrabbit Oak 1.4.26 is an incremental feature release based on +and compatible with earlier stable Jackrabbit Oak 1.x +releases. Jackrabbit Oak 1.4.x releases are considered stable and +targeted for production use. + +See the [full release notes](https://www.apache.org/dist/jackrabbit/oak/1.4.26/RELEASE-NOTES.txt) for more details. + +* [jackrabbit-oak-1.4.26-src.zip](https://www.apache.org/dyn/closer.lua/jackrabbit/oak/1.4.26/jackrabbit-oak-1.4.26-src.zip) + (10M, source zip, [pgp](https://www.apache.org/dist/jackrabbit/oak/1.4.26/jackrabbit-oak-1.4.26-src.zip.asc), [sha512](https://www.apache.org/dist/jackrabbit/oak/1.4.26/jackrabbit-oak-1.4.26-src.zip.sha512)) + + + + Apache Jackrabbit 2.21.0 (February 14th, 2020) ---------------------------------------------- 
@@ -156,23 +172,6 @@ See the [full release notes](https://www - - -Apache Jackrabbit Oak 1.4.25 (January 20th, 2020) -------------------------------------------------- -Apache Jackrabbit Oak 1.4.25 is an incremental feature release based on -and compatible with earlier stable Jackrabbit Oak 1.x -releases. Jackrabbit Oak 1.4.x releases are considered stable and -targeted for production use. - -See the [full release notes](https://www.apache.org/dist/jackrabbit/oak/1.4.25/RELEASE-NOTES.txt) for more details. - -* [jackrabbit-oak-1.4.25-src.zip](https://www.apache.org/dyn/closer.lua/jackrabbit/oak/1.4.25/jackrabbit-oak-1.4.25-src.zip) - (10M, source zip, [pgp](https://www.apache.org/dist/jackrabbit/oak/1.4.25/jackrabbit-oak-1.4.25-src.zip.asc), [sha512](https://www.apache.org/dist/jackrabbit/oak/1.4.25/jackrabbit-oak-1.4.25-src.zip.sha512)) - - - - Apache Jackrabbit 2.20.0 (January 7th, 2020) Modified: jackrabbit/site/trunk/src/site/markdown/index.md URL: http://svn.apache.org/viewvc/jackrabbit/site/trunk/src/site/markdown/index.md?rev=1874199&r1=1874198&r2=1874199&view=diff ============================================================================== --- jackrabbit/site/trunk/src/site/markdown/index.md (original) +++ jackrabbit/site/trunk/src/site/markdown/index.md Wed Feb 19 15:00:29 2020 
@@ -35,6 +35,26 @@ more information. Apache Jackrabbit is a project of the [Apache Software Foundation](http://www.apache.org/) ## Apache Jackrabbit News +#### February 19th, 2020: CVE-2020-1940: Apache Jackrabbit Oak sensitive information disclosure vulnerability (updated) +We just fixed a recently reported vulnerability in Apache Jackrabbit Oak: +The optional [initial password change and password expiration features](https://jackrabbit.apache.org/oak/docs/security/user/expiry.html) are prone to a +sensitive information disclosure vulnerability. The code mandates the changed password to +be passed as an additional attribute to the credentials object but does not remove it upon +processing during the first phase of the authentication. In combination with additional, +independent authentication mechanisms, this may lead to the new password being disclosed. +Mitigation: 1.12.0 - 1.22.0 should be upgraded to [1.24.0](downloads.html#latest). 1.10.x should be upgraded to [1.10.8](downloads.html#oak1.10). +1.8.x should be upgraded to [1.8.20](downloads.html#oak1.8). +1.6.x should be upgraded to [1.6.20](downloads.html#oak1.6). +1.4.x should be upgraded to [1.4.26](downloads.html#oak1.4). +For older maintained and affected branches (1.2.x), patches +are available and releases will follow. See [OAK-8870](https://issues.apache.org/jira/browse/OAK-8870) +for more information. + +#### February 19th, 2020: Apache Jackrabbit Oak 1.4.26 released +Jackrabbit Oak 1.4.26 is a patch release that contains fixes and +improvements over the previous 1.4.x release. See the +[downloads](downloads.html#oak1.4) page for more details. + #### February 14th, 2020: Apache Jackrabbit 2.21.0 released Apache Jackrabbit 2.21.0 is an unstable release cut directly from trunk, with a focus on new features and other improvements. See the
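Review bot: In the first downloads.md hunk (@@ -57,6 +57,22 @@), the added section describes Oak 1.4.26 as "an incremental feature release", which contradicts the index.md entry in this same commit that calls it "a patch release that contains fixes and improvements". index.md also names 1.4.26 as the upgrade target for CVE-2020-1940 on the 1.4.x branch, so the downloads text should say "patch release" and mention the CVE fix, letting readers who arrive from the advisory confirm they have the right artifact. Both index.md entries link to downloads.html#oak1.4; please confirm that anchor resolves to this new section, since no anchor is visible in the hunk text.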
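Review bot: In the index.md hunk (@@ -35,6 +35,26 @@), "Mitigation:" starts on the line directly after "...this may lead to the new password being disclosed." with no blank line, so Markdown will fold it into the description paragraph and run the five upgrade targets together; the first two (1.12.0 - 1.22.0 and 1.10.x) even share one source line. Suggest a blank line before "Mitigation:" and one list item per branch, so an operator can find their branch and its fixed version at a glance. The heading is marked "(updated)", but the body does not say what changed relative to the earlier announcement; one sentence stating the change would help readers who already acted on the first notice.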