You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by ju...@apache.org on 2013/10/08 05:54:42 UTC
svn commit: r1530145 - /jackrabbit/branches/2.4/RELEASE-NOTES.txt
Author: jukka
Date: Tue Oct 8 03:54:42 2013
New Revision: 1530145
URL: http://svn.apache.org/r1530145
Log:
2.4: Update release notes.
Modified:
jackrabbit/branches/2.4/RELEASE-NOTES.txt
Modified: jackrabbit/branches/2.4/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.4/RELEASE-NOTES.txt?rev=1530145&r1=1530144&r2=1530145&view=diff
==============================================================================
--- jackrabbit/branches/2.4/RELEASE-NOTES.txt (original)
+++ jackrabbit/branches/2.4/RELEASE-NOTES.txt Tue Oct 8 03:54:42 2013
@@ -1,4 +1,4 @@
-Release Notes -- Apache Jackrabbit -- Version 2.4.4
+Release Notes -- Apache Jackrabbit -- Version 2.4.5
Introduction
------------
@@ -7,10 +7,43 @@ This is Apache Jackrabbit(TM) 2.4, a ful
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).
+Apache Jackrabbit 2.4.5 is patch release that contains fixes and
+improvements over Jackrabbit 2.4.4. This release also contains a security fix.
+Jackrabbit 2.4.x releases are considered stable and targeted for production
+use.
+
+Security advisory (JCR-3630)
+----------------------------
+
+As reported by Noel Dunne and Lars Krapf, there was a cross-site scripting
+(XSS) vulnerability in the jackrabbit-jcr-server component, used for providing
+WebDAV access to the repository. This release fixes the issue.
-Apache Jackrabbit 2.4.4 is patch release that contains fixes and
-improvements over Jackrabbit 2.4.3. This release is fully compatible
-with earlier 2.x.x releases.
+Changes since Jackrabbit 2.4.4
+------------------------------
+
+Improvements
+
+ [JCR-2029] JCR Remoting: Use DAV:lockroot to expose the lock-holding node
+ [JCR-3209] lock token validity
+ [JCR-3495] Unregister from PrivilegeRegistry and NodeTypeRegistry on ...
+ [JCR-3625] make port number for webdav integration tests configurable
+ [JCR-3626] NodeTypeTest.getPrimaryItemName can get ssssslllllloooowwwww
+
+Bug fixes
+
+ [JCR-3228] WebDav/DavEx remoting throws workspace mismatch exceptions ...
+ [JCR-3552] Principal associated with Group does not update members
+ [JCR-3617] Inconsistent CachingHierarchyManager under concurrent access
+ [JCR-3630] XSS in DirListingExportHandler
+ [JCR-3633] If header field sent with PROPFIND (for lock discovery)
+ [JCR-3635] Manually specified jcr:frozenUuid overwriting the one ...
+ [JCR-3652] Bundle serialization broken
+ [JCR-3654] Error MembershipCache if a group node contains MV property
+ [JCR-3656] improve error handling when shared node support is missing
+ [JCR-3658] MembershipCache not consistently synchronized
+ [JCR-3671] Config DTD doesn't allow ProtectedItemImporter
+ [JCR-3678] MembershipCache max size is hard coded to 5000
Changes since Jackrabbit 2.4.3
------------------------------