scalatra 2.3.1 and 2.4.0.M3 released

Kazuhiro Sera

Mar 23, 2015, 12:06:52 PM
to scalat...@googlegroups.com
Hi,

Scalatra 2.3.1 and 2.4.0.M3 are available on the Sonatype OSS repository. They'll appear on the Maven central repos within hours.


First of all, we should inform you of an important security issue.

Yesterday, the Lift framework team announced an XXE vulnerability related to the scala.xml.XML library.


The vulnerability also exists in Scalatra's json module which also works for XML data. 

If you have applications built with Scalatra 2.3.0 or 2.4.0.M2 in your production environment and they accept XML request bodies as params, we highly recommend that you upgrade immediately.

Unfortunately a patch release for the 2.2.x series hasn't been done yet. If you're still using 2.2.2 and need to fix this issue, please let us know. We'll hurry on the 2.2.3 release.
Of course, upgrading to 2.3.1 is preferred. We believe that's not difficult.

Well, we have good news too. 2.4.0.M3 contains lots of improvements and new modules such as scalatra-cache and scalatra-metrics. Give it a try!
This will be the last milestone release. We'll publish RCs for the 2.4.0 final release soon. 

As always we welcome contributions, bug reports, blog posts or other random acts of kindness!

Best,
-Kaz
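
For applications that parse XML request bodies with scala.xml.XML themselves, the following added example (not code from Scalatra or from this announcement) shows a loader with DOCTYPE declarations and external entities disabled, the usual JAXP hardening against XXE. The names `SafeXml` and `load` and the sample documents are constructed for illustration, and the scala-xml module is assumed to be on the classpath.

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParserFactory
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}

// Added example: SafeXml and load are illustrative names, not Scalatra API.
object SafeXml {

  // A SAX parser factory that refuses DTDs and never resolves external entities.
  private def hardenedFactory(): SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    f.setNamespaceAware(false) // same setting scala.xml's default loader uses
    f.setXIncludeAware(false)
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Reject any document that carries a DOCTYPE; this alone blocks XXE.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth in case DOCTYPEs must be re-enabled later.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f
  }

  // Parse an untrusted body; a new parser per call because SAXParser is not thread-safe.
  def load(body: String): Try[Elem] =
    Try(XML.withSAXParser(hardenedFactory().newSAXParser()).loadString(body))

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs: one plain document, one carrying a DOCTYPE.
    val plain = "<user><name>alice</name></user>"
    val withDoctype =
      """<!DOCTYPE user [ <!ENTITY e "expanded"> ]><user><name>&e;</name></user>"""

    for (doc <- Seq(plain, withDoctype)) load(doc) match {
      case Success(elem) => println(s"accepted: ${(elem \ "name").text}")
      case Failure(err)  => println(s"rejected: ${err.getClass.getSimpleName}")
    }
  }
}
```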
