Posted to dev@roller.apache.org by Dave <sn...@gmail.com> on 2007/03/23 15:22:46 UTC

VOTE: Release Apache Roller 2.3.1 RC1 fix release

Roller 2.3.1: minor release to fix security risk form and licensing issue

*** Fixes for Cross-site Scripting (XSS) vulnerabilities

Fixed multiple XSS vulnerabilities. Changes were isolated in these files:

- WEB-INF/lib/rollerweb.jar
  Now strips HTML from all incoming comment fields

- WEB-INF/classes/comments.vm
  Now HTML-escapes all comment-form fields before display

- weblog/CommentManagement.jsp
  Now HTML-escapes all comment-form fields before display

- tags/date.jsp
  Now HTML-escapes value field of date widget

- theme/head.jsp
  Eliminated the "look" request parameter, which was for debugging only

*** Licensing issue with JavaMail and Activation jars

The JavaMail and Activation jars (mail.jar and activation.jar) included in
Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible
with Apache licensing policy. So these jars have been removed from the release
and instructions have been added to the Installation Guide that explain
how to get them and add them to Roller.


Apache Roller 2.3.1 RC1 files are available here:
http://people.apache.org/~snoopdave/apache-roller-2.3.1/