Posted to dev@jackrabbit.apache.org by Marcel Reutegger <mr...@apache.org> on 2015/05/21 11:22:04 UTC

[ANNOUNCE] Apache Jackrabbit 2.10.1 released

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.10.1. This release fixes an important security issue in
the jackrabbit-webdav module reported by Mikhail Egorov.

The release is available for download at:

 http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release.

Release Notes -- Apache Jackrabbit -- Version 2.10.1

Introduction
------------

This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
stable and targeted for production use.

Security advisory (JCR-3883 / CVE-2015-1833)
--------------------------------------------

This release fixes an important security issue in the jackrabbit-webdav module
reported by Mikhail Egorov.

When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.

Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to the JIRA issue.

Changes since Jackrabbit 2.10.0
-------------------------------

Bug fixes

  [JCR-3853] JCR2SPI: Load ac provider resource
  [JCR-3871] POI Vulnerabilities
  [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
  [JCR-3873] CachingDataStore not safe against crashes, corrupted
             uploads file will prevent system startup
  [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
  [JCR-3878] Fix test case failure in jackrabbit-data
  [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack

Improvements

  [JCR-3864] CachingDatastore -cache file sizes to save remote call to
             remote datastore( S3DS)
  [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
  [JCR-3869] CachingDataStore for SAN or NFS mounted storage
  [JCR-3879] Remove contention in AsyncUploadCache to improve performance
  [JCR-3881] Change CachingFDS configuration properties

New Features

  [JCR-3836] Allow to get an Authorizable of a given type

Sub-tasks

  [JCR-3837] Add AuthorizableTypeException in user security API package

In addition to the above-mentioned changes, this release contains
all the changes included up to the Apache Jackrabbit 2.10.0 release.

For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at

    https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more.

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/

Trademarks
----------

Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache
Jackrabbit project logo are trademarks of The Apache Software Foundation.
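
The parser hardening that the security advisory above implies, as an added example that is not part of the original announcement and is not Jackrabbit's actual patch: a JAXP DocumentBuilder configured so that a WebDAV request body can never pull in "http(s)" or "file" resources, run against two constructed PROPPATCH bodies. The class name HardenedDavXml, its method names, the urn:example:constructed namespace and the placeholder path are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added illustration; class, method and namespace names are hypothetical. */
public class HardenedDavXml {

    /** DOM parser for WebDAV request bodies that never dereferences external resources. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WebDAV elements live in the "DAV:" namespace
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // WebDAV bodies need no DTD, so refuse any DOCTYPE before entities are declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should the DOCTYPE ban ever be relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler()); // rethrow fatal errors, print nothing
        return b;
    }

    /** Returns the root element's local name, or throws SAXException for a rejected body. */
    static String parseRoot(String body)
            throws ParserConfigurationException, SAXException, IOException {
        Document d = newHardenedBuilder()
                .parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getLocalName();
    }

    public static void main(String[] args) throws Exception {
        String ns = " xmlns:D=\"DAV:\" xmlns:Z=\"urn:example:constructed\"";
        // Constructed sample: an ordinary PROPPATCH body.
        String plain = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
                + "<D:propertyupdate" + ns + "><D:set><D:prop>"
                + "<Z:note>hello</Z:note></D:prop></D:set></D:propertyupdate>";
        // Constructed sample: the same body with the property value taken from an
        // external entity (placeholder path), the pattern the advisory describes.
        String withEntity = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
                + "<!DOCTYPE D:propertyupdate "
                + "[<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
                + "<D:propertyupdate" + ns + "><D:set><D:prop>"
                + "<Z:note>&ext;</Z:note></D:prop></D:set></D:propertyupdate>";

        System.out.println("plain body  -> accepted, root=" + parseRoot(plain));
        try {
            parseRoot(withEntity);
            System.out.println("entity body -> ACCEPTED (parser is not hardened)");
        } catch (SAXException e) {
            // A server would typically answer 400 Bad Request here and stop processing.
            System.out.println("entity body -> rejected: " + e.getMessage());
        }
    }
}
```

Running the same two bodies through the XML parser of a deployed WebDAV endpoint's code path is a quick regression check after upgrading or applying a branch patch.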

CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)

Posted by Julian Reschke <ju...@greenbytes.de>.
Dear readers,

we just fixed a recently reported vulnerability in Apache Jackrabbit's 
WebDAV module; see

- the attached CVE report

- patches for all currently maintained Jackrabbit branches

We just released Jackrabbit 2.10.1 (see below) and we'll get to the 
other branches shortly. Check the CVE for details about what to do for 
earlier branches if you can't wait for a release.

Thanks to <0a...@gmail.com> for bringing this to our attention and 
giving valuable feedback while we investigated the problem.

Thanks and best regards, Julian

-------- Forwarded Message --------
Subject: [ANNOUNCE] Apache Jackrabbit 2.10.1 released
Date: Thu, 21 May 2015 11:22:04 +0200
From: Marcel Reutegger <mr...@apache.org>
Reply-To: users@jackrabbit.apache.org
To: announce@apache.org, announce@jackrabbit.apache.org, Jackrabbit 
Developers <de...@jackrabbit.apache.org>, Jackrabbit Users 
<us...@jackrabbit.apache.org>, 0ang3el 0ang3el <0a...@gmail.com>, 
security@apache.org, oss-security@lists.openwall.com, 
bugtraq@securityfocus.com

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.10.1. This release fixes an important security issue in
the jackrabbit-webdav module reported by Mikhail Egorov.

The release is available for download at:

  http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release.

Release Notes -- Apache Jackrabbit -- Version 2.10.1

Introduction
------------

This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
stable and targeted for production use.

Security advisory (JCR-3883 / CVE-2015-1833)
--------------------------------------------

This release fixes an important security issue in the jackrabbit-webdav module
reported by Mikhail Egorov.

When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.

Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to the JIRA issue.

Changes since Jackrabbit 2.10.0
-------------------------------

Bug fixes

   [JCR-3853] JCR2SPI: Load ac provider resource
   [JCR-3871] POI Vulnerabilities
   [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
   [JCR-3873] CachingDataStore not safe against crashes, corrupted
              uploads file will prevent system startup
   [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
   [JCR-3878] Fix test case failure in jackrabbit-data
   [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack

Improvements

   [JCR-3864] CachingDatastore -cache file sizes to save remote call to
              remote datastore( S3DS)
   [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
   [JCR-3869] CachingDataStore for SAN or NFS mounted storage
   [JCR-3879] Remove contention in AsyncUploadCache to improve performance
   [JCR-3881] Change CachingFDS configuration properties

New Features

   [JCR-3836] Allow to get an Authorizable of a given type

Sub-tasks

   [JCR-3837] Add AuthorizableTypeException in user security API package

In addition to the above-mentioned changes, this release contains
all the changes included up to the Apache Jackrabbit 2.10.0 release.

For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at

     https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more.

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/

Trademarks
----------

Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache
Jackrabbit project logo are trademarks of The Apache Software Foundation.




Re: 2.* release plans, was: [ANNOUNCE] Apache Jackrabbit 2.10.1 released

Posted by Marcel Reutegger <mr...@adobe.com>.
Hi,

this is fixed in Jackrabbit 2.10.1. See:
https://svn.apache.org/repos/asf/jackrabbit/tags/jackrabbit-2.10.1/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/NodeIndexer.java


and JCR-3871 for the related JIRA issue.

Regards
 Marcel

On 27/05/15 20:31, "hsp" wrote:

>Hi,
>
>There is an NPE problem in jack 2.10.
>in line
>at
>org.apache.jackrabbit.core.query.lucene.NodeIndexer.isSupportedMediaType(NodeIndexer.java:934)
>
>
> supportedMediaTypes = parser.getSupportedTypes(null);
>
>would be
> supportedMediaTypes = parser.getSupportedTypes(new ParseContext());
>
>--
>View this message in context:
>http://jackrabbit.510166.n4.nabble.com/ANNOUNCE-Apache-Jackrabbit-2-10-1-released-tp4662462p4662501.html
>Sent from the Jackrabbit - Dev mailing list archive at Nabble.com.


Re: 2.* release plans, was: [ANNOUNCE] Apache Jackrabbit 2.10.1 released

Posted by hsp <pi...@ibest.com.br>.
Hi,

There is an NPE problem in jack 2.10.
in line
at
org.apache.jackrabbit.core.query.lucene.NodeIndexer.isSupportedMediaType(NodeIndexer.java:934)


 supportedMediaTypes = parser.getSupportedTypes(null);

would be
 supportedMediaTypes = parser.getSupportedTypes(new ParseContext());







Re: 2.* release plans, was: [ANNOUNCE] Apache Jackrabbit 2.10.1 released

Posted by Marcel Reutegger <mr...@adobe.com>.
Hi,

it has been a while since I last did a release on a Windows
box. IIRC I used putty/pageant on a regular Windows command
line.

I will do the 2.8 release.

Regards
 Marcel

On 27/05/15 10:25, "Julian Reschke" wrote:

>On 2015-05-22 13:54, Julian Reschke wrote:
>> On 2015-05-22 07:52, Julian Reschke wrote:
>>> OK,
>>>
>>> we have dealt with the emergency, but there's some aftermath left to do.
>>>
>>> - We need to do proper releases of 2.8, 2.6, 2.4, 2.2, and 2.0.
>>>
>>> - Once done with that, we should announce end-of-life for 2.2 and 2.0.
>>>
>>> Do we have any volunteers for doing some of the releases?
>>>
>>> Best regards, Julian
>>
>> In the meantime I have
>>
>> 1) created versions for future 2.4/6/8 release in JIRA, and
>>
>> 2) prepared the release notes for 2.0/2/4/6/8 in Subversion
>>
>> With respect to starting the release: we probably need to wait until early
>> next week, otherwise we'll have a weekend and a public holiday (at least
>> here) within the 72 hours period.
>
>...in the meantime I tried to do a release:prepare. It currently fails
>for me (Windows, Cygwin). Does anybody else who is on Windows have
>instructions on how to get this done?
>
>Alternatively, it would be great if other committers with release
>experience could help out for some of these branches.
>
>Best regards, Julian


Re: 2.* release plans, was: [ANNOUNCE] Apache Jackrabbit 2.10.1 released

Posted by Julian Reschke <ju...@greenbytes.de>.
On 2015-05-22 13:54, Julian Reschke wrote:
> On 2015-05-22 07:52, Julian Reschke wrote:
>> OK,
>>
>> we have dealt with the emergency, but there's some aftermath left to do.
>>
>> - We need to do proper releases of 2.8, 2.6, 2.4, 2.2, and 2.0.
>>
>> - Once done with that, we should announce end-of-life for 2.2 and 2.0.
>>
>> Do we have any volunteers for doing some of the releases?
>>
>> Best regards, Julian
>
> In the meantime I have
>
> 1) created versions for future 2.4/6/8 release in JIRA, and
>
> 2) prepared the release notes for 2.0/2/4/6/8 in Subversion
>
> With respect to starting the release: we probably need to wait until early
> next week, otherwise we'll have a weekend and a public holiday (at least
> here) within the 72 hours period.

...in the meantime I tried to do a release:prepare. It currently fails 
for me (Windows, Cygwin). Does anybody else who is on Windows have 
instructions on how to get this done?

Alternatively, it would be great if other committers with release 
experience could help out for some of these branches.

Best regards, Julian

2.* release plans, was: [ANNOUNCE] Apache Jackrabbit 2.10.1 released

Posted by Julian Reschke <ju...@greenbytes.de>.
On 2015-05-22 07:52, Julian Reschke wrote:
> OK,
>
> we have dealt with the emergency, but there's some aftermath left to do.
>
> - We need to do proper releases of 2.8, 2.6, 2.4, 2.2, and 2.0.
>
> - Once done with that, we should announce end-of-life for 2.2 and 2.0.
>
> Do we have any volunteers for doing some of the releases?
>
> Best regards, Julian

In the meantime I have

1) created versions for future 2.4/6/8 release in JIRA, and

2) prepared the release notes for 2.0/2/4/6/8 in Subversion

With respect to starting the release: we probably need to wait until early
next week, otherwise we'll have a weekend and a public holiday (at least 
here) within the 72 hours period.

Best regards, Julian

Re: [ANNOUNCE] Apache Jackrabbit 2.10.1 released

Posted by Julian Reschke <ju...@greenbytes.de>.
OK,

we have dealt with the emergency, but there's some aftermath left to do.

- We need to do proper releases of 2.8, 2.6, 2.4, 2.2, and 2.0.

- Once done with that, we should announce end-of-life for 2.2 and 2.0.

Do we have any volunteers for doing some of the releases?

Best regards, Julian




-- 
<green/>bytes GmbH, Hafenweg 16, D-48155 Münster, Germany
Amtsgericht Münster: HRB5782
