Posted to commits@archiva.apache.org by ma...@apache.org on 2019/04/30 15:02:32 UTC

[archiva-web-content] branch master updated: Apache Archiva Main site deployment

This is an automated email from the ASF dual-hosted git repository.

martin_s pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/archiva-web-content.git


The following commit(s) were added to refs/heads/master by this push:
     new dc9aa90  Apache Archiva Main site deployment
dc9aa90 is described below

commit dc9aa900c84e0dd0214b008be0f2d11a5c4e897f
Author: Martin Stockhammer <m....@web.de>
AuthorDate: Tue Apr 30 17:02:28 2019 +0200

    Apache Archiva Main site deployment
---
 developers/releasing.html | 10 ++++++----
 index.html                |  6 +++---
 security.html             | 22 ++++++++++++++++++++++
 3 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/developers/releasing.html b/developers/releasing.html
index 0a0970d..7cb774a 100644
--- a/developers/releasing.html
+++ b/developers/releasing.html
@@ -160,7 +160,9 @@ gpg -v archiva-jetty-${ARCHV}-bin.zip.asc</pre></div>
 <p>The documentation is deployed as part of the process to the final location for review in the vote:</p>
 <div class="source"><pre class="prettyprint">git checkout archiva-${ARCHV} # Checkout the release version of archiva
 cd archiva-doc
-mvn site-deploy</pre></div>
+mvn site:site
+mvn site:stage  # Check the content in target/staging
+cp -r target/staging/* &lt;web-content-git&gt;/docs/${ARCHV}/ # Copy to the git web content repository</pre></div>
 <p>If the vote doesn't pass, the documentation will need to be removed from the server for redeployment.</p>
 <p>Commit the sources and binaries from <tt>org/apache/archiva/archiva-jetty</tt> and <tt>org/apache/archiva/archiva</tt> to the svn distribution tree. First in dev tree: <tt>https://dist.apache.org/repos/dist/dev/archiva/</tt></p>
 <div class="source"><pre class="prettyprint">svn co https://dist.apache.org/repos/dist/dev/archiva/ archiva-dev-release
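Review bot: the added `cp -r target/staging/* <web-content-git>/docs/${ARCHV}/` line introduces a `<web-content-git>` placeholder that the surrounding text never defines, and the hunk has no step that commits and pushes the copied files; state that it is a local checkout of the archiva-web-content repository and add the commit/push step, otherwise nothing in this procedure actually publishes the docs. The unchanged sentence that follows ("the documentation will need to be removed from the server for redeployment") also still describes the old `mvn site-deploy` flow; with the git-based copy the removal is a revert or deletion in that repository, so it should be reworded to match.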
@@ -174,17 +176,17 @@ REDBV=2.6 # New redback version
 sh ./release-script-redback-svn.sh $REDBV ${RELEASE_URL}/</pre></div>
 <p>If the vote pass they will be copied to release tree: <tt>https://dist.apache.org/repos/dist/release/archiva</tt></p>
 <p>Call for a vote in the dev list and wait for 72 hrs. for the vote results. 3 binding votes are necessary for the release to be finalized. If the vote fails or needs to be canceled, the version number should not be re-used if the version was made available for public download. After the vote has passed, move the files from dist dev to dist release:</p>
-<div class="source"><pre class="prettyprint">svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/relase/archiva/
+<div class="source"><pre class="prettyprint">svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/release/archiva/
 
 # Move also the POM and Redback and Redback Component releases, if there are new ones.</pre></div>
 <p>To sync the jars to Maven Central, you need to merge the repository archiva-releases-stage to &quot;Central Rsync Repository&quot;</p>
 <p>Mark the appropriate release version in JIRA as complete.</p>
-<p>Update the archiva site (https://svn.apache.org/repos/asf/archiva/site/) for the versions and release notes URL:</p>
+<p>Update the archiva site (https://gitbox.apache.org/repos/asf/archiva-site.git) for the versions and release notes URL:</p>
 <p>Mostly these properties of the pom.xml should be edited:</p>
 <div class="source"><pre class="prettyprint">  &lt;archivaReleaseVersion&gt;2.2.3&lt;/archivaReleaseVersion&gt;
   &lt;archivaReleaseDate&gt;16th May 2017&lt;/archivaReleaseDate&gt;
   &lt;archivaCurrentDevVersion&gt;3.0.0-SNAPSHOT&lt;/archivaCurrentDevVersion&gt;</pre></div>
-<p>Run <tt>mvn site:run</tt> and verify the changes. Commit your changes. Then run <tt>mvn site-deploy</tt>.</p>
+<p>Run <b>deploySite.sh</b>. The script will give the information where to check the content locally and asks before pushing to the remote repository.</p>
 <p>Once mirroring done (can be 24H): remove previous versions from https://dist.apache.org/repos/dist/release/archiva/</p>
 <p>Publish the reference docs (sh ./deploySite.sh in the archiva-modules directory) from the release tag. You may have to exclude the archiva-webapp module to do this, and will require MAVEN_OPTS=-Xmx256m. You may need to use Maven 2.2.1 instead of Maven 3.x for this.</p>
 <p>Send out an announcement of the release to:</p>
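Review bot: the replaced sentence "Run deploySite.sh" does not say which directory the script lives in or is run from, while the unchanged paragraph two lines below refers to a different `deploySite.sh` in the archiva-modules directory, so the two are easy to confuse; name the directory (the archiva-site checkout that the updated URL above points to) in this sentence. Minor style point: the surrounding text marks commands up with `<tt>` (e.g. `<tt>mvn site:run</tt>` in the removed line), whereas the new line uses `<b>deploySite.sh</b>`; keep `<tt>` for consistency. The `dist/relase` to `dist/release` correction in the `svn mv` line is right and worth a mention in the commit message, since the old URL would have made the move fail.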
diff --git a/index.html b/index.html
index 75d5d7e..8a1b32a 100644
--- a/index.html
+++ b/index.html
@@ -133,9 +133,9 @@
 <div class="hero-unit">
             <span class="bignumber badge badge-warning">NEW</span>
             
-<p><b>Our code source is now using git, so you can propose pull requests using <a class="externalLink" href="https://github.com/apache/archiva">github mirror</a></b></p>
-            
-<p><b>30th April 2019 release of 2.2.4 See <a class="externalLink" href="http://archiva.apache.org/docs/2.2.4/tour/index.html">Quick Tour</a></b></p>
+<p><b>30th April 2019: The new Apache Archiva release version 2.2.4 is ready for download  </b>. 
+               This is a bugfix release. Please have a look at the <a class="externalLink" href="http://archiva.apache.org/docs/2.2.4/release-notes.html">release notes</a> for further information. 
+               As this release contains <b>security fixes</b>, we recommend to update to the new version immediately. </p> 
           </div>
         </div>
       </div>
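Review bot: the new announcement paragraph says the release contains "security fixes" but does not link to the security page that this same commit extends with CVE-2019-0213 and CVE-2019-0214; add that link so readers can judge the urgency of upgrading. Grammar and markup in the added lines: "we recommend to update" should read "we recommend updating", the closing `</b>` sits after two trailing spaces and before the period (`download  </b>.`), and there is a stray space after the closing `</p>`. The removed notice about the git/github mirror is dropped without replacement; confirm that is intended rather than lost in the edit.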
diff --git a/security.html b/security.html
index 6789ea5..31bd078 100644
--- a/security.html
+++ b/security.html
@@ -126,6 +126,8 @@
 <p>For more information about reporting vulnerabilities, see the <a class="externalLink" href="http://www.apache.org/security/"> Apache Security Team</a> page.</p>
 <p>This is a list of known issues</p>
 <ul>
+<li><a href="#CVE-2019-0213:_Apache_Archiva_XSS_may_be_stored_in_central_UI_configuration">CVE-2019-0213: Apache Archiva XSS may be stored in central UI configuration</a></li>
+<li><a href="#CVE-2019-0214:_Apache_Archiva_arbitrary_file_write_and_delete_on_the_server">CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server</a></li>
 <li><a href="#CVE-2017-5657:_Apache_Archiva_CSRF_vulnerabilities_for_various_REST_endpoints">CVE-2017-5657: Apache Archiva CSRF vulnerabilities for various REST endpoints</a></li>
 <li><a href="#CVE-2013-2251:_Apache_Archiva_Remote_Command_Execution">CVE-2013-2251: Apache Archiva Remote Command Execution</a></li>
 <li><a href="#CVE-2013-2187:_Apache_Archiva_Cross-Site_Scripting_vulnerability">CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability</a></li>
@@ -135,6 +137,26 @@
 <li><a href="#CVE-2011-0533:_Apache_Archiva_cross-site_scripting_vulnerability">CVE-2011-0533: Apache Archiva cross-site scripting vulnerability</a></li>
 <li><a href="#CVE-2010-3449:_Apache_Archiva_CSRF_Vulnerability">CVE-2010-3449: Apache Archiva CSRF Vulnerability</a></li></ul>
 <div class="section">
+<h3><a name="CVE-2019-0213:_Apache_Archiva_XSS_may_be_stored_in_central_UI_configuration"></a><a name="CVE-2019-0213">CVE-2019-0213</a>: Apache Archiva XSS may be stored in central UI configuration</h3>
+<p>It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised. </p>
+<p>Versions Affected:</p>
+<ul>
+<li>All versions before 2.2.4</li></ul>
+<p>Mitigation:</p>
+<ul>
+<li>Upgrade to <a href="./download.cgi"> Archiva 2.2.4 or higher</a></li>
+<li>Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role.</li></ul></div>
+<div class="section">
+<h3><a name="CVE-2019-0214:_Apache_Archiva_arbitrary_file_write_and_delete_on_the_server"></a><a name="CVE-2019-0214">CVE-2019-0214</a>: Apache Archiva arbitrary file write and delete on the server</h3>
+<p>It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.</p>
+<p>Versions Affected:</p>
+<ul>
+<li>All versions before 2.2.4</li></ul>
+<p>Mitigation:</p>
+<ul>
+<li>It is highly recommended to upgrade to <a href="./download.cgi"> Archiva 2.2.4 or higher</a>, where additional validations are implemented to prevent such malicious parameter values.</li>
+<li>As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user may have only write permission to the directories needed.</li></ul></div>
+<div class="section">
 <h3><a name="CVE-2017-5657:_Apache_Archiva_CSRF_vulnerabilities_for_various_REST_endpoints"></a><a name="CVE-2017-5657">CVE-2017-5657</a>: Apache Archiva CSRF vulnerabilities for various REST endpoints</h3>
 <p>Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. A malicious site opened in the same browser as the archiva site, may send HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. adminstrator rights).</p>
 <p>Versions Affected:</p>
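Review bot: in the new CVE-2019-0213 text, "i.e. the logo URL" should be "e.g. the logo URL" if the logo URL is one example of an affected configuration entry, or the sentence should say it is the only one; as written a reader cannot tell. In the new CVE-2019-0214 mitigation, "to prevent such malicious parameter values" refers back to parameter values the description never names (it only mentions "the artifact upload mechanism"), so either name what is validated or drop "such". Minor: "Make sure, that" and "make sure, that" carry a comma that English does not use before "that".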