Posted to dev@roller.apache.org by Dave <sn...@gmail.com> on 2007/03/23 15:22:46 UTC
VOTE: Release Apache Roller 2.3.1 RC1 fix release
Roller 2.3.1: minor release to fix security risks and a licensing issue
*** Fixes for Cross-site Scripting (XSS) vulnerabilities
Fixed multiple XSS vulnerabilities. Changes were isolated in these files:
- WEB-INF/lib/rollerweb.jar
Now strips HTML from all incoming comment fields
- WEB-INF/classes/comments.vm
Now HTML-escapes all comment-form fields before display
- weblog/CommentManagement.jsp
Now HTML-escapes all comment-form fields before display
- tags/date.jsp
Now HTML-escapes value field of date widget
- theme/head.jsp
Eliminated the "look" request parameter, which was for debugging only
*** Licensing issue with JavaMail and Activation jars
The JavaMail and Activation jars (mail.jar and activation.jar) included in
Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible
with Apache licensing policy. So these jars have been removed from the release
and instructions have been added to the Installation Guide that explain
how to get them and add them to Roller.
Apache Roller 2.3.1 RC1 files are available here:
http://people.apache.org/~snoopdave/apache-roller-2.3.1/
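As an added illustration of the two layers the XSS fix describes (strip markup from incoming comment fields, then still HTML-escape on display), not Roller's own code: the class and method names below are invented, and the sample comment is constructed.

```java
import java.util.regex.Pattern;

/** Hypothetical helper showing input stripping plus output escaping. */
public final class CommentEscapeExample {
    // Crude tag stripper for incoming comment fields (what "strips HTML
    // from all incoming comment fields" amounts to); constructed here.
    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    public static String stripHtml(String s) {
        return s == null ? "" : TAG.matcher(s).replaceAll("");
    }

    // Escape on output: the safety net applied in comments.vm and the JSPs.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: stripping removes the <b> tags, but an unclosed
        // "<" survives, so the stored text is still not safe to render raw.
        String raw = "Nice post <b>really</b> 1 < 2 & <<script";
        String stored = stripHtml(raw);
        String rendered = escapeHtml(stored);
        System.out.println("stored:   " + stored);
        System.out.println("rendered: " + rendered);
    }
}
```

The stored value still contains a bare "<", which is why the release escapes on display rather than relying on the input strip alone.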