The Apache Software Foundation

The Apache HttpComponents project is pleased to announce the release of HttpComponents HttpClient 4.1-alpha2. This release fixes a number of non-severe bugs discovered since the last release and introduces support for several frequently requested features:

* HTTP/1.1 response caching

* transparent support for host multihoming

* a mechanism to bypass the standard certificate trust verification (useful when dealing with self-signed certificates)
-------------------

Download -
<http://hc.apache.org/downloads.cgi>
Release notes -
<http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES.txt>
HttpComponents site -
<http://hc.apache.org/>

-------------------
About Apache HttpClient

Although the java.net package provides basic functionality for accessing resources via HTTP, it doesn't provide the full flexibility or functionality needed by many applications. HttpClient seeks to fill this
void by providing an efficient, up-to-date, and feature-rich package implementing the client side of the most recent HTTP standards and recommendations.

Designed for extension while providing robust support for the base HTTP protocol, HttpClient may be of interest to anyone building HTTP-aware client applications such as web browsers, web service clients, or systems that leverage or extend the HTTP protocol for distributed communication.

The Apache Derby project is pleased to announce release 10.6.1.0. In addition to introducing many new features, this release fixes a security flaw. Please see below for more details.

Apache Derby is a subproject of the Apache DB project. Derby is a pure Java relational database engine which conforms to the ISO/ANSI SQL and JDBC standards. Derby aims to be easy for developers and end-users to work with.

Derby 10.6.1.0 can be obtained from the Derby download site:

  http://db.apache.org/derby/derby_downloads.html.

Derby 10.6.1.0 contains the following new features:

   * Sequence Generators - Named generators for allocating successive, evenly spaced numbers. See feature T176 of the SQL Standard.
   * User-defined types - Named types bound to serializable Java objects.
   * Restricted table functions - Limits on the columns and rows returned by table functions.
   * XPLAIN statistics collection - Query plan statistics stored in tables for later analysis.
   * GROUP BY ROLLUP - A subset of the SQL Standard ROLLUP functionality on the GROUP BY clause. See feature T431 of the SQL Standard.
   * CROSS JOIN - CROSS JOIN syntax. See feature F401-04 of the SQL Standard.
   * Named columns join - USING clauses in joins.
   * SHOW FUNCTIONS - IJ command that lists stored functions.
   * In-memory back end enhancements - Numerous improvements, including the ability to delete in-memory databases.
   * ORDER BY in subqueries - Syntax for explicitly ordering rows returned by subqueries. See features F851, F852, and F855 of the SQL Standard.
   * OFFSET, FETCH FIRST/NEXT in subqueries - Generalized syntax for retrieving row subsets. See features F856, F857, F858, F859, F861, F862, F863, and F864 of the SQL Standard.
   * NATURAL JOIN - Support for NATURAL JOIN. See feature T431 of the SQL Standard.
   * Qualified identifers in ij - Ability to reference cursors and prepared statements in other connections.
   * Configurable hash algorithm - Ability to customize the hash algorithm used by BUILTIN authentication.
   * Context-sniffing scripts - Ability of shipped scripts to locate Derby jars when DERBY_HOME isn't set.
   * Case-insensitive strings - Ability to ignore case in string comparisons and sorts.

In addition, Derby 10.6.1.0 contains many bug and documentation fixes.

Please try out this new release.

Derby 10.6.1.0 also fixes a security flaw tracked by the Apache Common Vulnerabilities and Exposures id "CVE-2009-4269". This flaw made it easy to crack passwords managed by Derby's BUILTIN authentication logic. Originally, the BUILTIN logic was intended only for testing purposes. However, Derby's user documentation suggested that this scheme was production-ready and it appears that many users rely on BUILTIN authentication in production. Tracked by DERBY-4483, the flaw is addressed as follows:

1) The bug itself is corrected for newly created 10.6 databases.

2) Password substitution is not allowed when logging into a database where the bug is corrected and BUILTIN passwords are stored in the database. See the release note for DERBY-4483.

3) Derby's default password-hashing scheme is changed from SHA-1 to SHA-256, which is harder to crack.

4) The user guides are glossed with warnings against production use of the BUILTIN authentication mechanism.

Users are urged to

i) Migrate production systems off the BUILTIN mechanism onto Derby's LDAP and user-customized authentication schemes.

ii) Or hard-upgrade to 10.6.1.0 immediately and perform the following additional steps:

a) Set derby.authentication.builtin.algorithm to a stronger authentication scheme like SHA-256 or SHA-512.

b) Reset all passwords stored in the database.

c) Stop using strong password substitution. Instead, encrypt all network traffic using SSL/TLS.

The Apache Velocity project is pleased to announce the release of VelocityTools 2.0.

Downloads are available here:
 http://velocity.apache.org/download.cgi

This should be useable as a drop in replacement for Tools 2.0-beta4 or Tools 1.4, with a few minor exceptions.  The 2.x series of VelocityTools requires Velocity 1.5+ and JDK 1.5+.

For those new to Tools 2, here's an overview of the work done since 1.4:
   * More convention over configuration and smart defaults
   * New configuration formats (more concise/flexible/powerful xml, properties, java)
   * Provision of default and auto-loaded configurations
   * Entirely new core infrastructure (lazy-loading tools, easier access, standalone support etc)
   * Added VelocityViewTag for JSP integration
   * Added DisplayTool, ConversionTool, ClassTool, LoopTool, FieldTool, a generic version of LinkTool and more
   * Refactored and enhanced a number of existing tools
   * Improved documentation
   * Deprecated many outdated things
   * Legacy support for almost all Tools 1.4 configurations and extensions
   * Better integration of $application, $session and $request scope control objects
   * and lots more...

For those following the betas, here's the notable changes since 2.0-beta4:
   * Added a 'readOnly' config option to allow write operations on ValueParser and ParameterTool (when set to false)
   * Added a beta-quality UiDependencyTool (included in velocity-view, but not in default tools.xml)
   * Added an alpha-quality MarkupTool (included in generic tools, but not in default tools.xml)
   * Fixed (as much as possible) some significant last-iteration LoopTool problems, and added a loop.this property to serve as a more reliable workaround in nested loops. See
https://issues.apache.org/jira/browse/VELTOOLS-124
   * VelocityLayoutServlet now checks request attributes for non-default layouts.
   * The velocity-view.tld is now valid.
   * VelocityView[Servlet] has improved exception and http management (particularly for ResourceNotFoundExceptions).
   * Miscellaneous documentation and build.xml improvements

The Velocity developers are very interested in all feedback regarding Tools 2.0, especially regarding backwards compatibility with apps designed for Tools 1.4 or earlier. We aim to enable a smooth,
incremental transition for developers and their applications.