Posted to dev@jackrabbit.apache.org by Jukka Zitting <ju...@gmail.com> on 2009/01/13 19:45:36 UTC

[VOTE] Release Apache Jackrabbit 1.5.1

Hi,

I have posted a candidate for the Apache Jackrabbit 1.5.1 release at

    http://people.apache.org/~jukka/jackrabbit/1.5.1/

See the RELEASE-NOTES.txt file (also included at the end of this
message) for details on release contents and latest changes. The
release candidate is a jar archive of the sources in
http://svn.apache.org/repos/asf/jackrabbit/tags/1.5.1. The SHA1
checksum of the jackrabbit-1.5.1-src.jar release package is
0aad51971cc4e002033471a923630cb4c57d2b17.

Please vote on releasing this package as Apache Jackrabbit 1.5.1. The
vote is open for the next 72 hours and passes if a majority of at
least three +1 Jackrabbit PMC votes are cast.

    [ ] +1 Release this package as Apache Jackrabbit 1.5.1
    [ ] -1 Do not release this package because...

With the source release I have also included pre-compiled binaries for
the main deployment packages (webapp, jca, standalone) as well as a
staged Maven repository containing pre-compiled versions of all the
components that have been changed since 1.5.0. If this vote passes, I
will make the source release and the deployment packages available on
the Jackrabbit download page and publish the other binaries in the
central Maven repository.

Here's my +1.

BR,

Jukka Zitting



Release Notes -- Apache Jackrabbit -- Version 1.5.1

Introduction
------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more. See the Jackrabbit web site at http://jackrabbit.apache.org/ for
more information.

Apache Jackrabbit 1.5.1 is a security and bug fix release that fixes
issues reported against previous releases. This release is fully
compatible with the earlier 1.5.0 release.

Most notably, this release fixes the following security vulnerability.
Thanks to the Red Hat Security Response Team for reporting this issue.

  * CVE-2009-0026: Cross site scripting issues in webapp (JCR-1925)

    The search.jsp and swr.jsp pages in the Jackrabbit webapp are
    vulnerable to script injection. This release fixes the issue
    by properly escaping all user input.

    This issue affects both the Jackrabbit 1.4 and 1.5.0 releases.
    If you are unable to upgrade to 1.5.1 at this point, you can
    work around this issue by disabling the search.jsp and swr.jsp
    pages in the Jackrabbit webapp.

See below for a full listing of fixes included in this release.

Changes in this release
-----------------------

All the fixes in this release are listed below per affected component.
The modified components have had their version numbers upgraded to 1.5.1;
other components are still at version 1.5.0.

jackrabbit-core

  Bug fixes
  [JCR-1823] Repository.login throws IllegalStateException
  [JCR-1838] Garbage collection deletes temporary files in FileDataStore
  [JCR-1920] Custom LoginModule configurations broken in 1.5.0
  [JCR-1931] SharedFieldCache$StringIndex memory leak causing OOM's

jackrabbit-jcr-commons

  Bug fixes
  [JCR-1926] Text.unescape("%") throws a StringIndexOutOfBoundsException

jackrabbit-jcr-server

  Bug fixes
  [JCR-1902] Warning while building DAV:parent-set for root-node resource

jackrabbit-jcr-servlet

  Bug fixes
  [JCR-1910] RMIRemoteBindingServlet fails to initialize if the RMI ...

jackrabbit-standalone

  Bug fixes
  [JCR-1912] RMI reference not automatically bound by the standalone server

jackrabbit-webapp

  Security fixes
  [JCR-1925] CVE-2009-0026: Cross site scripting issues in webapp

  Bug fixes
  [JCR-1920] The 1.5.0 webapp points to 1.4 javadocs
  [JCR-1930] Extra </div> in populate.jsp

jackrabbit-webdav

  Bug fixes
  [JCR-1926] Text.unescape("%") throws a StringIndexOutOfBoundsException

You can look up individual issues for more details in the Jackrabbit
issue tracker at

    https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive (jackrabbit-1.5.1-src.jar)
that contains all the Apache Jackrabbit components. Use the following
commands (or the equivalent in your system) to build the release with
Maven 2 and Java 1.4 or higher:

    jar xf jackrabbit-1.5.1-src.jar
    cd jackrabbit-1.5.1-src
    mvn install

Note that the OCM components require Java 5 or higher, and are not included
in the build when using Java 1.4.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

The build will result in the following components (with artifactIds in
parentheses) being built and installed in your local Maven repository.
Pre-built binary artifacts of these components are also available on
the central Maven repository.

  * Jackrabbit Parent POM (jackrabbit-parent)
    The Maven parent POM for all Jackrabbit components.

  * Jackrabbit API (jackrabbit-api)
    Interface extensions that Apache Jackrabbit supports in
    addition to the standard JCR API.

  * Jackrabbit JCR Commons (jackrabbit-jcr-commons)
    General-purpose classes for use with the JCR API.

  * Jackrabbit JCR Tests (jackrabbit-jcr-tests)
    Set of JCR API test cases designed for testing the compliance
    of an implementation. Note that this is not the official JCR TCK!

  * Jackrabbit JCR Benchmarks (jackrabbit-jcr-benchmark)
    Framework for JCR performance tests.

  * Jackrabbit Core (jackrabbit-core)
    Core of the Apache Jackrabbit content repository implementation.

  * Jackrabbit Text Extractors (jackrabbit-text-extractors)
    Text extractor classes that allow Jackrabbit to extract text content
    from binary properties for full text indexing.

  * Jackrabbit JCR-RMI (jackrabbit-jcr-rmi)
    RMI remoting layer for the JCR API.

  * Jackrabbit WebDAV Library (jackrabbit-webdav)
    Interfaces and common utility classes used for building a
    WebDAV server or client.

  * Jackrabbit JCR Server (jackrabbit-jcr-server)
    WebDAV servlet implementations based on JCR.

  * Jackrabbit JCR Servlets (jackrabbit-jcr-servlet)
    Set of servlets and other classes designed to make it easier to use
    Jackrabbit and other JCR content repositories in web applications.

  * Jackrabbit Repository Classloader (jackrabbit-classloader)
    Java classloader for loading classes from JCR content repositories.

  * Jackrabbit Web Application (jackrabbit-webapp)
    Deployable Jackrabbit installation with WebDAV support for JCR.

  * Jackrabbit JCA Resource Adapter (jackrabbit-jca)
    J2EE Connector Architecture (JCA) resource adapter for Jackrabbit.

  * Jackrabbit SPI (jackrabbit-spi)
    The SPI defines a layer within a JSR-170 implementation that separates
    the transient space from the persistent layer.

  * Jackrabbit SPI Commons (jackrabbit-spi-commons)
    This component contains generic utility classes that might be used
    to build an SPI implementation.

  * Jackrabbit SPI2JCR (jackrabbit-spi2jcr)
    This component contains a SPI implementation wrapping around an
    implementation of JSR-170.

  * Jackrabbit JCR2SPI (jackrabbit-jcr2spi)
    This component contains an implementation of the JSR-170 API and
    covers the functionality that is not delegated to the SPI
    implementation.

  * Jackrabbit Standalone (jackrabbit-standalone)
    Jackrabbit server in a self-contained runnable jar.

  * Jackrabbit OCM (jackrabbit-ocm)
    Object-Content mapping tool for persisting and accessing Java objects
    in a JCR content repository.

  * Jackrabbit OCM Node Management (jackrabbit-ocm-nodemanagement)
    This component simplifies registration of node types and namespaces
    referenced in OCM mapping descriptors.
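
Added example (not part of the original message and not Jackrabbit project code): a POSIX shell check of a downloaded jackrabbit-1.5.1-src.jar against the SHA1 digest quoted in the vote mail, followed by the PGP signature check against the KEYS file the release notes point to. The function names, the script name and the .asc signature file name are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded release candidate before building it.
# The digest is the one quoted in the vote mail; the function names and the
# .asc signature file name are assumptions made for this example.

EXPECTED_SHA1=0aad51971cc4e002033471a923630cb4c57d2b17

# Print the hex SHA-1 of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 -r "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file exists and its SHA-1 equals the expected digest.
# Returns 1 on a mismatch and 2 on a malformed digest or missing file.
verify_sha1() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $want in
        *[!0-9a-f]*|'') echo "malformed digest: $2" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "digest is not 40 hex chars" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    got=$(sha1_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK   $file"
    else
        echo "FAIL $file: got $got, expected $want" >&2
        return 1
    fi
}

# Check the detached PGP signature against the keys in the KEYS file only,
# using a throwaway keyring so that no other key can satisfy the check.
verify_pgp() {
    keys=$1 sig=$2 file=$3
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --quiet --import "$keys" &&
        gpg --homedir "$home" --verify "$sig" "$file"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Usage: sh verify-release.sh jackrabbit-1.5.1-src.jar [KEYS signature.asc]
if [ "$#" -ge 1 ]; then
    verify_sha1 "$1" "$EXPECTED_SHA1" || exit 1
    [ "$#" -lt 3 ] || verify_pgp "$2" "$3" "$1" || exit 1
fi
```

The checksum only detects a corrupted or swapped download; the signature check is what ties the archive to a key listed in KEYS.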

Re: [VOTE] Release Apache Jackrabbit 1.5.1

Posted by Jukka Zitting <ju...@gmail.com>.

Hi,

On Thu, Jan 15, 2009 at 1:46 PM, Thomas Müller <th...@day.com> wrote:
> The license is incorrect in some files.

Bugger, those must have been incorrect already in 1.5.0. I'll fix the
headers and re-roll this release candidate as 1.5.2.

This vote is cancelled.

BR,

Jukka Zitting

Re: [VOTE] Release Apache Jackrabbit 1.5.1

Posted by Thomas Müller <th...@day.com>.

Hi,

The license is incorrect in some files. I ran

java -jar rat-0.4.1.jar . | grep -v ASL | grep ? | grep "\.java"

and got:

!????? ./jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/User.java
!????? ./jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
!????? ./jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
!????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/api/jsr283/retention/AbstractRetentionTest.java
!????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/TestAll.java
!????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationTest.java
!????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/TestAll.java
!????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/principal/TestAll.java
!????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AdministratorTest.java
!????? ./jackrabbit-ocm/src/main/java/org/apache/jackrabbit/ocm/manager/objectconverter/impl/AbstractLazyLoader.java
!????? ./jackrabbit-ocm/src/main/java/org/apache/jackrabbit/ocm/manager/objectconverter/impl/OcmProxy.java
!????? ./jackrabbit-ocm/src/main/java/org/apache/jackrabbit/ocm/manager/objectconverter/impl/OcmProxyUtils.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/MultiValueWithObjectCollection.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/SimpleAnnotedAbstractClass.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/SimpleAnnotedClass.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/SimpleInterface.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/UnmappedInterface.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/version/Author.java
!????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/version/PressRelease.java

Regards,
Thomas


