Posted to commits@jackrabbit.apache.org by da...@apache.org on 2015/08/04 15:29:48 UTC

svn commit: r1694063 - /jackrabbit/trunk/RELEASE-NOTES.txt

Author: davide
Date: Tue Aug  4 13:29:48 2015
New Revision: 1694063

URL: http://svn.apache.org/r1694063
Log:
JCR-3896 - Release Jackrabbit 2.10.2

- release notes


Modified:
    jackrabbit/trunk/RELEASE-NOTES.txt

Modified: jackrabbit/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/RELEASE-NOTES.txt?rev=1694063&r1=1694062&r2=1694063&view=diff
==============================================================================
--- jackrabbit/trunk/RELEASE-NOTES.txt (original)
+++ jackrabbit/trunk/RELEASE-NOTES.txt Tue Aug  4 13:29:48 2015
@@ -1,69 +1,32 @@
-Release Notes -- Apache Jackrabbit -- Version 2.10.1
+Release Notes -- Apache Jackrabbit -- Version 2.10.2
 
 Introduction
 ------------
 
-This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
+This is Apache Jackrabbit(TM) 2.10.2, a fully compliant implementation of the
 Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
 specified in the Java Specification Request 283 (JSR 283).
 
-Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
+Apache Jackrabbit 2.10.2 is a patch release that contains fixes and
 improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
 stable and targeted for production use.
 
-Security advisory (JCR-3883 / CVE-2015-1833)
---------------------------------------------
-
-This release fixes an important security issue in the jackrabbit-webdav module
-reported by Mikhail Egorov.
-
-When processing a WebDAV request body containing XML, the XML parser can be 
-instructed to read content from network resources accessible to the host, 
-identified by URI schemes such as "http(s)" or  "file". Depending on the 
-WebDAV request, this can not only be used to trigger internal network 
-requests, but might also be used to insert said content into the request, 
-potentially exposing it to the attacker and others (for instance, by inserting
-said content in a WebDAV property value using a PROPPATCH request). See also
-IETF RFC 4918, Section 20.6.
-
-Users of the jackrabbit-webdav module are advised to immediately update the
-module to this release or disable WebDAV access to the repository. Users
-on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
-apply the fix to the corresponding 2.x branch or disable WebDAV access until
-official releases of those earlier versions are available. Patches for 2.x
-branches are attached to the JIRA issue.
-
-Changes since Jackrabbit 2.10.0
+Changes since Jackrabbit 2.10.1
 -------------------------------
 
-Bug fixes
-
-  [JCR-3853] JCR2SPI: Load ac provider resource
-  [JCR-3871] POI Vulnerabilities
-  [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
-  [JCR-3873] CachingDataStore not safe against crashes, corrupted uploads file will prevent system startup
-  [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped 
-  [JCR-3878] Fix test case failure in jackrabbit-data
-  [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack
-
-Improvements
-
-  [JCR-3864] CachingDatastore -cache file sizes to save remote call to remote datastore( S3DS) 
-  [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
-  [JCR-3869] CachingDataStore for SAN or NFS mounted storage 
-  [JCR-3879] Remove contention in AsyncUploadCache to improve performance
-  [JCR-3881] Change CachingFDS configuration properties 
-
-New Features
-
-  [JCR-3836] Allow to get an Authorizable of a given type 
-
-Sub-tasks
+Improvement
 
-  [JCR-3837] Add AuthorizableTypeException in user security API package
+    [JCR-3880] - Allow to add/remove group members by ID
+    [JCR-3884] - Add handler to handle webdav based DELETE requests
+    [JCR-3885] - Extend set of Actions in JackrabbitSession to reflect
+    other operations than regular read/write
+    [JCR-3886] - [jackrabbit-aws-ext] Support IAM role to connect to
+    S3 bucket
+    [JCR-3894] - Add PrincipalSetPolicy interface to Jackrabbit
+    Security API
 
 In addition to the above-mentioned changes, this release contains
-all the changes included up to the Apache Jackrabbit 2.10.0 release.
+all the changes included up to the Apache Jackrabbit 2.10.1 release.
 
 For more detailed information about all the changes in this and other
 Jackrabbit releases, please see the Jackrabbit issue tracker at
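Review bot: The removed "Security advisory (JCR-3883 / CVE-2015-1833)" section leaves the 2.10.2 notes with no mention of the jackrabbit-webdav XXE fix, even though the closing sentence now says this release contains "all the changes included up to the Apache Jackrabbit 2.10.1 release". Someone upgrading straight from 2.10.0 or an earlier version reads only these notes and will not learn that the upgrade includes the CVE-2015-1833 fix; consider keeping a one-line pointer after the introduction stating that the JCR-3883 / CVE-2015-1833 fix from 2.10.1 is included. In the new list, the heading reads "Improvement" where the previous notes used "Improvements", and the wrapped continuation lines ("other operations than regular read/write", "S3 bucket", "Security API") sit at the same indent as the "[JCR-...]" entries, so they read as separate items; indent the continuations further or keep each entry on one line.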