Posted to commits@commons.apache.org by bo...@apache.org on 2017/08/01 18:32:44 UTC
svn commit: r20704 - /release/commons/email/RELEASE-NOTES.txt
Author: bodewig
Date: Tue Aug 1 18:32:44 2017
New Revision: 20704
Log:
mention CVE in Commons Email's release notes
Modified:
release/commons/email/RELEASE-NOTES.txt
Modified: release/commons/email/RELEASE-NOTES.txt
==============================================================================
--- release/commons/email/RELEASE-NOTES.txt (original)
+++ release/commons/email/RELEASE-NOTES.txt Tue Aug 1 18:32:44 2017
@@ -1,4 +1,4 @@
- Commons Email Package
+ Apache Commons Email
Version 1.5
Release Notes
@@ -15,8 +15,12 @@ downloads, reports, and bug status:
http://commons.apache.org/email/
-This is a major release which adds some new features and fixes several bugs
-present in the 1.4.0 release. All current users are encouraged to upgrade.
+This is a major and security bugfix release which adds some new
+features and fixes several bugs present in the 1.4 release. All
+current users are encouraged to upgrade.
+
+For the security bugfix see
+https://commons.apache.org/proper/commons-email/security-reports.html#Fixed_in_Apache_Commons_Email_1.5
CHANGES FROM 1.4:
-----------------
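Review bot: The added sentence "For the security bugfix see" points only to a URL and does not name the CVE, so a reader of the plain-text notes cannot tell which issue is meant without following the link. Suggest naming it inline, for example "For the security bugfix (CVE-2017-9801) see ...", which matches the identifier used in the CHANGES FROM 1.4 list. The phrase "major and security bugfix release" is also ambiguous; "major release that also fixes a security bug" reads more clearly.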
@@ -55,6 +59,9 @@ Issue: EMAIL-154. Thanks to Ken Geis, Ba
* DataSourceClassPathResolver doesn't close InputStream when resolving resources
Issue: EMAIL-167. Thanks to Lucian Burja.
+* CVE-2017-9801 - stripped all line-breaks from subjects in order to
+ prevent SMTP header injection.
+
CHANGES FROM 1.3.3:
-----------------
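Review bot: The new CVE-2017-9801 entry does not follow the format of the entries around it, which describe the bug and then carry an "Issue: EMAIL-NNN. Thanks to ..." line; here there is no issue reference or credit, and the text describes the fix rather than the defect. Suggest adding the tracking issue and reporter credit if they exist, and stating explicitly that stripping all line-breaks from subjects is a behaviour change for callers that pass a subject containing line-breaks, so that users upgrading from 1.4 know what to expect.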
@@ -315,4 +322,4 @@ Java 2 Enterprise Edition 1.4 users must
JavaMail and JAF indicated above are available to their applications;
the J2EE 1.4 specification only requires earlier versions.
-Earlier versions of J2EE are not supported.
\ No newline at end of file
+Earlier versions of J2EE are not supported.