Posted to dev@roller.apache.org by Henri Yandell <fl...@gmail.com> on 2006/11/11 02:07:07 UTC

BCL in 2.3 needs fixing

Sorry for not bringing this up earlier.

We need to remove the javamail and activation jars from the 2.3
release as well (and re-pgp/md5 it).

Dave, is this something you have time for as 2.3 RM, or do you need
someone to volunteer?

Hen

Re: BCL in 2.3 needs fixing

Posted by Anil Gangolli <an...@busybuddha.org>.
Thanks.  FWIW I'm now running Roller 2.3.1 on my site, which I upgraded to 
by overlaying the WEB-INF/lib jars only.  It seems to be working.

----- Original Message ----- 
From: "Dave" <sn...@gmail.com>
To: <ro...@incubator.apache.org>
Cc: "Henri Yandell" <fl...@gmail.com>
Sent: Monday, November 20, 2006 1:12 PM
Subject: Re: BCL in 2.3 needs fixing


> Henri,
>
> I've created and signed a new release of Roller 3.2 with 1) fixes for
> the comment XSS problem and 2) no BCL jars. I updated the change list
> and install docs accordingly. Please give it a quick test so we can
> replace the existing 2.3 release with this new one.
>
> Here are the release files:
> http://people.apache.org/~snoopdave/apache-roller-2.3.1/
>
> And here's what I added to the CHANGES.txt doc:
>
> Roller 2.3.1: minor release to fix security risk in comment form and licensing issue
>
> *** Security risk in comment form
>
> Allowing commenters to leave HTML in comments is a potential security
> risk because it allows commenters to add malicious Javascript code.
> You can disable HTML in comments via the Roller admin interface, but
> in Roller 2.3 and earlier versions of Roller, attackers could still
> add malicious HTML to the name, email and URL fields.
>
> We fixed the problem in Roller 2.3.1 and all subsequent versions of
> Roller by stripping all HTML from name, email and comment fields at
> comment post time.
>
> *** Licensing issue with JavaMail and Activation jars
>
> The JavaMail and Activation jars (mail.jar and activation.jar)
> included in Roller 2.3 were licensed under Sun's Binary Code License,
> which is incompatible with Apache licensing policy. So these jars have
> been removed from the release and instructions have been added to the
> Installation Guide that explain how to get them and add them to
> Roller.
>
>
> - Dave
>
>
>
> On 11/11/06, Henri Yandell <fl...@gmail.com> wrote:
>> On 11/10/06, Dave <sn...@gmail.com> wrote:
>> > On 11/10/06, Henri Yandell <fl...@gmail.com> wrote:
>> > > Sorry for not bringing this up earlier.
>> > >
>> > > We need to remove the javamail and activation jars from the 2.3
>> > > release as well (and re-pgp/md5 it).
>> >
>> > Yes and we have a security fix in 2.3.1 that we never formally 
>> > released.
>> >
>> > > Dave, is this something you have time for as 2.3 RM, or do you need
>> > > someone to volunteer?
>> >
>> > I'll have time for some RM work next week for 3.1 and I can easily add 
>> > 2.3.1.
>>
>> Either 2.3.1 with a vote to release it - and removing 2.3 from the
>> mirrors/archives, or just modifying 2.3 to not contain the jars is
>> fine by me.
>>
>> Hen
>>
> 


Re: BCL in 2.3 needs fixing

Posted by Henri Yandell <fl...@gmail.com>.
Looks good to me. Diffs with 2.3 tar.gz's show very few things
changed, and ones you'd expect to be changed.

Has there already been a vote to release 2.3.1?

Hen

On 11/20/06, Dave <sn...@gmail.com> wrote:
> Henri,
>
> I've created and signed a new release of Roller 3.2 with 1) fixes for
> the comment XSS problem and 2) no BCL jars. I updated the change list
> and install docs accordingly. Please give it a quick test so we can
> replace the existing 2.3 release with this new one.
>
> Here are the release files:
> http://people.apache.org/~snoopdave/apache-roller-2.3.1/
>
> And here's what I added to the CHANGES.txt doc:
>
> Roller 2.3.1: minor release to fix security risk in comment form and licensing issue
>
> *** Security risk in comment form
>
> Allowing commenters to leave HTML in comments is a potential security
> risk because it allows commenters to add malicious Javascript code.
> You can disable HTML in comments via the Roller admin interface, but
> in Roller 2.3 and earlier versions of Roller, attackers could still
> add malicious HTML to the name, email and URL fields.
>
> We fixed the problem in Roller 2.3.1 and all subsequent versions of
> Roller by stripping all HTML from name, email and comment fields at
> comment post time.
>
> *** Licensing issue with JavaMail and Activation jars
>
> The JavaMail and Activation jars (mail.jar and activation.jar)
> included in Roller 2.3 were licensed under Sun's Binary Code License,
> which is incompatible with Apache licensing policy. So these jars have
> been removed from the release and instructions have been added to the
> Installation Guide that explain how to get them and add them to
> Roller.
>
>
> - Dave
>
>
>
> On 11/11/06, Henri Yandell <fl...@gmail.com> wrote:
> > On 11/10/06, Dave <sn...@gmail.com> wrote:
> > > On 11/10/06, Henri Yandell <fl...@gmail.com> wrote:
> > > > Sorry for not bringing this up earlier.
> > > >
> > > > We need to remove the javamail and activation jars from the 2.3
> > > > release as well (and re-pgp/md5 it).
> > >
> > > Yes and we have a security fix in 2.3.1 that we never formally released.
> > >
> > > > Dave, is this something you have time for as 2.3 RM, or do you need
> > > > someone to volunteer?
> > >
> > > I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.
> >
> > Either 2.3.1 with a vote to release it - and removing 2.3 from the
> > mirrors/archives, or just modifying 2.3 to not contain the jars is
> > fine by me.
> >
> > Hen
> >
>

Re: BCL in 2.3 needs fixing

Posted by Dave <sn...@gmail.com>.
Henri,

I've created and signed a new release of Roller 3.2 with 1) fixes for
the comment XSS problem and 2) no BCL jars. I updated the change list
and install docs accordingly. Please give it a quick test so we can
replace the existing 2.3 release with this new one.

Here are the release files:
http://people.apache.org/~snoopdave/apache-roller-2.3.1/

And here's what I added to the CHANGES.txt doc:

Roller 2.3.1: minor release to fix security risk in comment form and licensing issue

*** Security risk in comment form

Allowing commenters to leave HTML in comments is a potential security
risk because it allows commenters to add malicious Javascript code.
You can disable HTML in comments via the Roller admin interface, but
in Roller 2.3 and earlier versions of Roller, attackers could still
add malicious HTML to the name, email and URL fields.

We fixed the problem in Roller 2.3.1 and all subsequent versions of
Roller by stripping all HTML from name, email and comment fields at
comment post time.

*** Licensing issue with JavaMail and Activation jars

The JavaMail and Activation jars (mail.jar and activation.jar)
included in Roller 2.3 were licensed under Sun's Binary Code License,
which is incompatible with Apache licensing policy. So these jars have
been removed from the release and instructions have been added to the
Installation Guide that explain how to get them and add them to
Roller.


- Dave



On 11/11/06, Henri Yandell <fl...@gmail.com> wrote:
> On 11/10/06, Dave <sn...@gmail.com> wrote:
> > On 11/10/06, Henri Yandell <fl...@gmail.com> wrote:
> > > Sorry for not bringing this up earlier.
> > >
> > > We need to remove the javamail and activation jars from the 2.3
> > > release as well (and re-pgp/md5 it).
> >
> > Yes and we have a security fix in 2.3.1 that we never formally released.
> >
> > > Dave, is this something you have time for as 2.3 RM, or do you need
> > > someone to volunteer?
> >
> > I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.
>
> Either 2.3.1 with a vote to release it - and removing 2.3 from the
> mirrors/archives, or just modifying 2.3 to not contain the jars is
> fine by me.
>
> Hen
>
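
The comment-form fix Dave describes above, as an added illustration and not Roller's own (Java) code: a Python sketch of the pre-fix handling, where only the comment body honours the admin's HTML switch while name, email and URL pass through untouched, beside a post-time handler that strips markup from every submitted field. The form keys and the sample submission are assumptions made for the example.

```python
from html.parser import HTMLParser

class _TagStripper(HTMLParser):
    """Keeps only text nodes; every tag and its attributes are discarded."""

    def __init__(self):
        # convert_charrefs=False keeps already-escaped text such as
        # "&lt;b&gt;" escaped instead of turning it back into markup.
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

def strip_html(value: str) -> str:
    """Return `value` with all HTML markup removed (text content only)."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    text = "".join(parser.parts)
    # Any '<' or '>' left over (e.g. from a truncated tag at end of input)
    # is neutralised so it cannot be re-interpreted as markup later.
    return text.replace("<", "&lt;").replace(">", "&gt;")

def post_comment_2_3(form: dict, html_allowed: bool) -> dict:
    """Pre-fix behaviour as CHANGES.txt describes it: only the comment body
    honours the admin's 'HTML in comments' switch; name, email and url are
    stored verbatim, so markup in those fields still reaches the page."""
    stored = dict(form)
    if not html_allowed:
        stored["content"] = strip_html(form["content"])
    return stored

def post_comment_2_3_1(form: dict) -> dict:
    """Fixed behaviour: strip HTML from every submitted field at post time."""
    return {field: strip_html(value) for field, value in form.items()}

# Constructed sample submission for demonstration (not real data).
SAMPLE_FORM = {
    "name": "<img src=x onerror=alert(1)>Mallory",
    "email": "mallory@example.invalid",
    "url": "http://example.invalid/<b>home</b>",
    "content": "Hi <b>there</b>",
}
```

Tag stripping addresses markup injection only; a URL field still needs its scheme validated as a separate check.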

Re: BCL in 2.3 needs fixing

Posted by Henri Yandell <fl...@gmail.com>.
On 11/10/06, Dave <sn...@gmail.com> wrote:
> On 11/10/06, Henri Yandell <fl...@gmail.com> wrote:
> > Sorry for not bringing this up earlier.
> >
> > We need to remove the javamail and activation jars from the 2.3
> > release as well (and re-pgp/md5 it).
>
> Yes and we have a security fix in 2.3.1 that we never formally released.
>
> > Dave, is this something you have time for as 2.3 RM, or do you need
> > someone to volunteer?
>
> I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.

Either 2.3.1 with a vote to release it - and removing 2.3 from the
mirrors/archives, or just modifying 2.3 to not contain the jars is
fine by me.

Hen

Re: BCL in 2.3 needs fixing

Posted by Dave <sn...@gmail.com>.
On 11/10/06, Henri Yandell <fl...@gmail.com> wrote:
> Sorry for not bringing this up earlier.
>
> We need to remove the javamail and activation jars from the 2.3
> release as well (and re-pgp/md5 it).

Yes and we have a security fix in 2.3.1 that we never formally released.

> Dave, is this something you have time for as 2.3 RM, or do you need
> someone to volunteer?

I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.

- Dave