Posted to dev@jackrabbit.apache.org by Julian Reschke <re...@apache.org> on 2020/01/28 13:18:11 UTC

[ANNOUNCE] Apache Jackrabbit Oak 1.24.0 released

From: ${username}@apache.org
To: announce@apache.org, announce@jackrabbit.apache.org, 
users@jackrabbit.apache.org, dev@jackrabbit.apache.org, 
oak-dev@jackrabbit.apache.org
Subject: [ANNOUNCE] Apache Jackrabbit Oak 1.24.0 released

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit Oak 1.24.0. The release is available for download at:

      http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:



Release Notes -- Apache Jackrabbit Oak -- Version 1.24.0

Introduction
------------

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

Apache Jackrabbit Oak 1.24.0 is an incremental feature release based
on and compatible with earlier stable Jackrabbit Oak 1.x
releases. This release is considered stable and targeted for
production use.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

Changes in Oak 1.24.0
---------------------

Bug

     [OAK-8780] - Remove the synchronized block on the FSBackend
     [OAK-8845] - Function-based indexing don't support ordering
     [OAK-8863] - Oak-doc should cover BinaryUploadOptions usage
     [OAK-8870] - UserAuthentication.authenticate should remove pw attribute

Improvement

     [OAK-6632] - [upgrade] oak-upgrade should support azure blobstorage

Task

     [OAK-8856] - Update httpcore dependency to 4.4.13
     [OAK-8867] - Update httpclient/mime dependencies to 4.5.11


In addition to the above-mentioned changes, this release contains all
changes up to the previous release.

For more detailed information about all the changes in this and other
Oak releases, please see the Oak issue tracker at

   https://issues.apache.org/jira/browse/OAK

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.md file for instructions on how to build this release.

The source archive is accompanied by SHA512 checksums and a
PGP signature that you can use to verify the authenticity of your
download. The public key used for the PGP signature can be found at
https://www.apache.org/dist/jackrabbit/KEYS.

About Apache Jackrabbit Oak
---------------------------

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

For more information, visit http://jackrabbit.apache.org/oak

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/

CVE-2020-1940: Apache Jackrabbit Oak sensitive information disclosure vulnerability

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Dear Readers

We just fixed a recently reported vulnerability in Apache Jackrabbit Oak.

CVE-2020-1940:
Apache Jackrabbit Oak sensitive information disclosure vulnerability

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Jackrabbit Oak (org.apache.jackrabbit.oak-core) 1.2.0 to 1.22.0

Description:
The optional initial password change and password expiration features [1] are prone to a
sensitive information disclosure vulnerability. The code mandates the changed password to
be passed as an additional attribute to the credentials object but does not remove it upon
processing during the first phase of the authentication. In combination with additional,
independent authentication mechanisms, this may lead to the new password being disclosed.

Mitigation:
1.12.0 - 1.22.0 should be upgraded to 1.24.0
1.10.x should be upgraded to 1.10.8
For older maintained and affected branches (1.2.x, 1.4.x, 1.6.x, 1.8.x) please find patches attached.

Credits:
The issue was reported by Andrew Khoury and Russ Wright of Adobe.

References:
[1] http://jackrabbit.apache.org/oak/docs/security/user/expiry.html


Kind regards
Angela
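
The pattern named in the advisory's description, as an added illustration that is not Oak's code and not part of the original message: a stand-alone Java model in which a first authentication step consumes a new-password attribute from a shared credentials object, once leaving it in place and once removing it after use. The `Creds` type, the step classes, the sample values and the attribute name `user.newpassword` are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class PwAttributeDemo {
    // Assumed attribute name, used here only for illustration.
    static final String NEW_PW_ATTR = "user.newpassword";

    /** Minimal stand-in for a credentials object that carries extra attributes. */
    static final class Creds {
        final String userId;
        final Map<String, Object> attributes = new LinkedHashMap<>();
        Creds(String userId) { this.userId = userId; }
    }

    /** One step in a chain of independent authentication mechanisms. */
    interface AuthStep {
        void authenticate(Creds creds);
    }

    /** First phase: applies the password change and optionally scrubs the attribute. */
    static final class PasswordChangeStep implements AuthStep {
        private final boolean removeAfterUse;
        // Constructed in-memory user store; real code would keep a salted hash.
        final Map<String, String> store = new LinkedHashMap<>();
        PasswordChangeStep(boolean removeAfterUse) { this.removeAfterUse = removeAfterUse; }

        @Override
        public void authenticate(Creds creds) {
            Object newPw = creds.attributes.get(NEW_PW_ATTR);
            if (newPw instanceof String) {
                store.put(creds.userId, (String) newPw);
                if (removeAfterUse) {
                    // Hardened behaviour: drop the secret once it has been consumed.
                    creds.attributes.remove(NEW_PW_ATTR);
                }
            }
        }
    }

    /** Later, unrelated step that records whatever attributes it is handed. */
    static final class AttributeRecordingStep implements AuthStep {
        final List<String> seen = new ArrayList<>();

        @Override
        public void authenticate(Creds creds) {
            creds.attributes.forEach((k, v) -> seen.add(k + "=" + v));
        }
    }

    /** Runs both steps over the same credentials; returns what the second step saw. */
    static List<String> run(boolean removeAfterUse) {
        Creds creds = new Creds("alice");                               // constructed user
        creds.attributes.put(NEW_PW_ATTR, "constructed-new-password"); // constructed secret
        creds.attributes.put("client.locale", "en");                   // harmless attribute
        AttributeRecordingStep later = new AttributeRecordingStep();
        for (AuthStep step : List.of(new PasswordChangeStep(removeAfterUse), later)) {
            step.authenticate(creds);
        }
        return later.seen;
    }

    public static void main(String[] args) {
        System.out.println("attribute left in place: " + run(false));
        System.out.println("attribute removed:       " + run(true));
    }
}
```

With the attribute left in place, the second step's record contains the new password; with removal after use, only the harmless attribute reaches it.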

