Fwd: [ANNOUNCE] Apache Jackrabbit 2.10.1 released
16 views
Skip to first unread message
Lukas Kahwe Smith
May 21, 2015, 5:23:11 AM5/21/15
to symfony-...@googlegroups.com, symfony-...@googlegroups.com, jackal...@googlegroups.com
FYI .. there was a security issue in the webdav module that is fixed in 2.10.1
> Begin forwarded message:
>
> From: Marcel Reutegger <mreu...@apache.org>
> Subject: [ANNOUNCE] Apache Jackrabbit 2.10.1 released
> Date: 21 May 2015 11:22:04 CEST
> To: anno...@apache.org, anno...@jackrabbit.apache.org, Jackrabbit Developers <d...@jackrabbit.apache.org>, Jackrabbit Users <us...@jackrabbit.apache.org>, 0ang3el 0ang3el <0an...@gmail.com>, secu...@apache.org, oss-se...@lists.openwall.com, bug...@securityfocus.com
> Reply-To: us...@jackrabbit.apache.org
>
> The Apache Jackrabbit community is pleased to announce the release of
> Apache Jackrabbit 2.10.1. This release fixes an important security issue in
> the jackrabbit-webdav module reported by Mikhail Egorov.
>
> The release is available for download at:
>
> http://jackrabbit.apache.org/downloads.html
>
> See the full release notes below for details about this release.
>
> Release Notes -- Apache Jackrabbit -- Version 2.10.1
>
> Introduction
> ------------
>
> This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
> Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
> specified in the Java Specification Request 283 (JSR 283).
>
> Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
> improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
> stable and targeted for production use.
>
> Security advisory (JCR-3883 / CVE-2015-1833)
> --------------------------------------------
>
> This release fixes an important security issue in the jackrabbit-webdav module
> reported by Mikhail Egorov.
>
> When processing a WebDAV request body containing XML, the XML parser can be
> instructed to read content from network resources accessible to the host,
> identified by URI schemes such as "http(s)" or "file". Depending on the
> WebDAV request, this can not only be used to trigger internal network
> requests, but might also be used to insert said content into the request,
> potentially exposing it to the attacker and others (for instance, by inserting
> said content in a WebDAV property value using a PROPPATCH request). See also
> IETF RFC 4918, Section 20.6.
>
> Users of the jackrabbit-webdav module are advised to immediately update the
> module to this release or disable WebDAV access to the repository. Users
> on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
> apply the fix to the corresponding 2.x branch or disable WebDAV access until
> official releases of those earlier versions are available. Patches for 2.x
> branches are attached to the JIRA issue.
>
> Changes since Jackrabbit 2.10.0
> -------------------------------
>
> Bug fixes
>
> [JCR-3853] JCR2SPI: Load ac provider resource
> [JCR-3871] POI Vulnerabilities
> [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
> [JCR-3873] CachingDataStore not safe against crashes, corrupted
> uploads file will prevent system startup
> [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
> [JCR-3878] Fix test case failure in jackrabbit-data
> [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack
>
> Improvements
>
> [JCR-3864] CachingDatastore -cache file sizes to save remote call to
> remote datastore( S3DS)
> [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
> [JCR-3869] CachingDataStore for SAN or NFS mounted storage
> [JCR-3879] Remove contention in AsyncUploadCache to improve performance
> [JCR-3881] Change CachingFDS configuration properties
>
> New Features
>
> [JCR-3836] Allow to get an Authorizable of a given type
>
> Sub-tasks
>
> [JCR-3837] Add AuthorizableTypeException in user security API package
>
> In addition to the above-mentioned changes, this release contains
> all the changes included up to the Apache Jackrabbit 2.10.0 release.
>
> For more detailed information about all the changes in this and other
> Jackrabbit releases, please see the Jackrabbit issue tracker at
>
> https://issues.apache.org/jira/browse/JCR
>
> Release Contents
> ----------------
>
> This release consists of a single source archive packaged as a zip file.
> The archive can be unpacked with the jar tool from your JDK installation.
> See the README.txt file for instructions on how to build this release.
>
> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
> signature that you can use to verify the authenticity of your download.
> The public key used for the PGP signature can be found at
> https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.
>
> About Apache Jackrabbit
> -----------------------
>
> Apache Jackrabbit is a fully conforming implementation of the Content
> Repository for Java Technology API (JCR). A content repository is a
> hierarchical content store with support for structured and unstructured
> content, full text search, versioning, transactions, observation, and
> more.
>
> For more information, visit http://jackrabbit.apache.org/
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides organizational,
> legal, and financial support for more than 140 freely-available,
> collaboratively-developed Open Source projects. The pragmatic Apache License
> enables individual and commercial users to easily deploy Apache software;
> the Foundation's intellectual property framework limits the legal exposure
> of its 3,800+ contributors.
>
> For more information, visit http://www.apache.org/
>
> Trademarks
> ----------
>
> Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache
> Jackrabbit project logo are trademarks of The Apache Software Foundation.
regards,
Lukas Kahwe Smith
sm...@pooteeweet.org
> Begin forwarded message:
>
> From: Marcel Reutegger <mreu...@apache.org>
> Subject: [ANNOUNCE] Apache Jackrabbit 2.10.1 released
> Date: 21 May 2015 11:22:04 CEST
> To: anno...@apache.org, anno...@jackrabbit.apache.org, Jackrabbit Developers <d...@jackrabbit.apache.org>, Jackrabbit Users <us...@jackrabbit.apache.org>, 0ang3el 0ang3el <0an...@gmail.com>, secu...@apache.org, oss-se...@lists.openwall.com, bug...@securityfocus.com
> Reply-To: us...@jackrabbit.apache.org
>
> The Apache Jackrabbit community is pleased to announce the release of
> Apache Jackrabbit 2.10.1. This release fixes an important security issue in
> the jackrabbit-webdav module reported by Mikhail Egorov.
>
> The release is available for download at:
>
> http://jackrabbit.apache.org/downloads.html
>
> See the full release notes below for details about this release.
>
> Release Notes -- Apache Jackrabbit -- Version 2.10.1
>
> Introduction
> ------------
>
> This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
> Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
> specified in the Java Specification Request 283 (JSR 283).
>
> Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
> improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
> stable and targeted for production use.
>
> Security advisory (JCR-3883 / CVE-2015-1833)
> --------------------------------------------
>
> This release fixes an important security issue in the jackrabbit-webdav module
> reported by Mikhail Egorov.
>
> When processing a WebDAV request body containing XML, the XML parser can be
> instructed to read content from network resources accessible to the host,
> identified by URI schemes such as "http(s)" or "file". Depending on the
> WebDAV request, this can not only be used to trigger internal network
> requests, but might also be used to insert said content into the request,
> potentially exposing it to the attacker and others (for instance, by inserting
> said content in a WebDAV property value using a PROPPATCH request). See also
> IETF RFC 4918, Section 20.6.
>
> Users of the jackrabbit-webdav module are advised to immediately update the
> module to this release or disable WebDAV access to the repository. Users
> on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
> apply the fix to the corresponding 2.x branch or disable WebDAV access until
> official releases of those earlier versions are available. Patches for 2.x
> branches are attached to the JIRA issue.
>
> Changes since Jackrabbit 2.10.0
> -------------------------------
>
> Bug fixes
>
> [JCR-3853] JCR2SPI: Load ac provider resource
> [JCR-3871] POI Vulnerabilities
> [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
> [JCR-3873] CachingDataStore not safe against crashes, corrupted
> uploads file will prevent system startup
> [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
> [JCR-3878] Fix test case failure in jackrabbit-data
> [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack
>
> Improvements
>
> [JCR-3864] CachingDatastore -cache file sizes to save remote call to
> remote datastore( S3DS)
> [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
> [JCR-3869] CachingDataStore for SAN or NFS mounted storage
> [JCR-3879] Remove contention in AsyncUploadCache to improve performance
> [JCR-3881] Change CachingFDS configuration properties
>
> New Features
>
> [JCR-3836] Allow to get an Authorizable of a given type
>
> Sub-tasks
>
> [JCR-3837] Add AuthorizableTypeException in user security API package
>
> In addition to the above-mentioned changes, this release contains
> all the changes included up to the Apache Jackrabbit 2.10.0 release.
>
> For more detailed information about all the changes in this and other
> Jackrabbit releases, please see the Jackrabbit issue tracker at
>
> https://issues.apache.org/jira/browse/JCR
>
> Release Contents
> ----------------
>
> This release consists of a single source archive packaged as a zip file.
> The archive can be unpacked with the jar tool from your JDK installation.
> See the README.txt file for instructions on how to build this release.
>
> The source archive is accompanied by SHA1 and MD5 checksums and a PGP
> signature that you can use to verify the authenticity of your download.
> The public key used for the PGP signature can be found at
> https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.
>
> About Apache Jackrabbit
> -----------------------
>
> Apache Jackrabbit is a fully conforming implementation of the Content
> Repository for Java Technology API (JCR). A content repository is a
> hierarchical content store with support for structured and unstructured
> content, full text search, versioning, transactions, observation, and
> more.
>
> For more information, visit http://jackrabbit.apache.org/
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides organizational,
> legal, and financial support for more than 140 freely-available,
> collaboratively-developed Open Source projects. The pragmatic Apache License
> enables individual and commercial users to easily deploy Apache software;
> the Foundation's intellectual property framework limits the legal exposure
> of its 3,800+ contributors.
>
> For more information, visit http://www.apache.org/
>
> Trademarks
> ----------
>
> Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache
> Jackrabbit project logo are trademarks of The Apache Software Foundation.
regards,
Lukas Kahwe Smith
sm...@pooteeweet.org
Reply all
Reply to author
Forward
0 new messages