You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by ju...@apache.org on 2013/10/08 05:54:42 UTC

svn commit: r1530145 - /jackrabbit/branches/2.4/RELEASE-NOTES.txt

Author: jukka
Date: Tue Oct  8 03:54:42 2013
New Revision: 1530145

URL: http://svn.apache.org/r1530145
Log:
2.4: Update release notes.

Modified:
    jackrabbit/branches/2.4/RELEASE-NOTES.txt

Modified: jackrabbit/branches/2.4/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.4/RELEASE-NOTES.txt?rev=1530145&r1=1530144&r2=1530145&view=diff
==============================================================================
--- jackrabbit/branches/2.4/RELEASE-NOTES.txt (original)
+++ jackrabbit/branches/2.4/RELEASE-NOTES.txt Tue Oct  8 03:54:42 2013
@@ -1,4 +1,4 @@
-Release Notes -- Apache Jackrabbit -- Version 2.4.4
+Release Notes -- Apache Jackrabbit -- Version 2.4.5
 
 Introduction
 ------------
@@ -7,10 +7,43 @@ This is Apache Jackrabbit(TM) 2.4, a ful
 Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
 specified in the Java Specification Request 283 (JSR 283).
 
+Apache Jackrabbit 2.4.5 is patch release that contains fixes and
+improvements over Jackrabbit 2.4.4. This release also contains a security fix.
+Jackrabbit 2.4.x releases are considered stable and targeted for production
+use.
+
+Security advisory (JCR-3630)
+----------------------------
+
+As reported by Noel Dunne and Lars Krapf, there was a cross-site scripting 
+(XSS) vulnerability in the jackrabbit-jcr-server component, used for providing
+WebDAV access to the repository. This release fixes the issue.
 
-Apache Jackrabbit 2.4.4 is patch release that contains fixes and
-improvements over Jackrabbit 2.4.3. This release is fully compatible
-with earlier 2.x.x releases.
+Changes since Jackrabbit 2.4.4
+------------------------------
+
+Improvements
+
+  [JCR-2029] JCR Remoting: Use DAV:lockroot to expose the lock-holding node
+  [JCR-3209] lock token validity
+  [JCR-3495] Unregister from PrivilegeRegistry and NodeTypeRegistry on ...
+  [JCR-3625] make port number for webdav integration tests configurable
+  [JCR-3626] NodeTypeTest.getPrimaryItemName can get ssssslllllloooowwwww
+
+Bug fixes
+
+  [JCR-3228] WebDav/DavEx remoting throws workspace mismatch exceptions ...
+  [JCR-3552] Principal associated with Group does not update members
+  [JCR-3617] Inconsistent CachingHierarchyManager under concurrent access
+  [JCR-3630] XSS in DirListingExportHandler
+  [JCR-3633] If header field sent with PROPFIND (for lock discovery)
+  [JCR-3635] Manually specified jcr:frozenUuid overwriting the one ...
+  [JCR-3652] Bundle serialization broken
+  [JCR-3654] Error MembershipCache if a group node contains MV property
+  [JCR-3656] improve error handling when shared node support is missing
+  [JCR-3658] MembershipCache not consistently synchronized
+  [JCR-3671] Config DTD doesn't allow ProtectedItemImporter
+  [JCR-3678] MembershipCache max size is hard coded to 5000
 
 Changes since Jackrabbit 2.4.3
 ------------------------------