The Apache Software Foundation provides support for the community of Apache open source software projects.
Apache projects pursue the development of high-quality software that can lead in its field, grounded in a collaborative development process, mutual consensus, and an open, pragmatic software license.
We are sometimes described as merely a group of projects sharing a server, but we think of ourselves rather as a community of developers and users.
I'm pleased to announce the release of ODE 1.3.3, a security release of Apache ODE. It fixes a vulnerability in the process deployment service that allowed an attacker, using a forged message, to create, overwrite or delete files on the server file system. See the full vulnerability announcement below.
Apache ODE is a WS-BPEL compliant web service orchestration engine. It organizes web services calls following a process description written in the BPEL XML grammar. Another way to describe it would be a web-service capable workflow engine.
This new release also includes new features, bug fixes and improvements; see the release notes for an exhaustive list.
Apache ODE is an open source project released under a business-friendly license (Apache License v2.0), as such we welcome your help and contributions. To participate and get involved, our mailing lists are the best resources to start from: http://ode.apache.org/mailing-lists.html
Thank you,
The Apache ODE Team
CVE-2008-2370: Apache ODE information disclosure vulnerability
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE 2.0-beta1 and 2.0-beta2 are also affected.
Description: The process deployment web service was susceptible to deployment messages with forged package names. Using a path as the name allowed directory traversal, which could result in files being written under unwanted locations (such as a new WAR under a webapp deployment directory), existing files being overwritten, or files being deleted.
Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain the latest source from svn or apply the patch published under http://people.apache.org/~mriou/CVE-2008-2370-patch.txt.
Example: Deleting a file /tmp/blabla using undeploy by sending the following message to the deployment service:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/>
<soapenv:Body>
<pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy>
</soapenv:Body>
</soapenv:Envelope>
Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
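As an added example (not ODE's own code) of the defender-side check that closes this class of bug: a handler for the undeploy request that validates the package name lexically and then confirms the resolved directory stays strictly under the deployment root, run against the message quoted above. DEPLOY_ROOT and the allow-list pattern are assumptions for the example; only the namespace and message shape come from the advisory.

```python
import posixpath
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Hypothetical deployment root; the engine's real directory is not given in the advisory.
DEPLOY_ROOT = "/opt/ode/WEB-INF/processes"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Constructed input: the undeploy message quoted in the advisory, carrying a traversal name.
TRAVERSAL_MSG = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pmap="http://www.apache.org/ode/pmapi">
<soapenv:Header/><soapenv:Body><pmap:undeploy>
<packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
</pmap:undeploy></soapenv:Body></soapenv:Envelope>"""

# Allow-list for a package name (an assumption for this example, not ODE's own rule):
# a single path component, no separators, no leading dot, bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_safe_package_name(name: str) -> bool:
    """Lexical check: accept only a plain single-component name."""
    return bool(_NAME_RE.fullmatch(name))


def resolve_package_dir(root: str, name: str) -> Optional[str]:
    """Defense in depth: normalize root/name and require the result to lie strictly below root,
    so separators and '..' are caught even if the lexical rule is loosened later."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def package_name_from_undeploy(soap_xml: str) -> Optional[str]:
    """Extract <packageName> from a pmapi undeploy request (None if absent)."""
    envelope = ET.fromstring(soap_xml)
    elem = envelope.find(f".//{{{PMAPI_NS}}}undeploy/packageName")
    return elem.text if elem is not None and elem.text else None


def undeploy_target(soap_xml: str) -> Optional[str]:
    """Return the directory undeploy may act on, or None to reject the request outright."""
    name = package_name_from_undeploy(soap_xml)
    if name is None or not is_safe_package_name(name):
        return None
    return resolve_package_dir(DEPLOY_ROOT, name)
```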
The Apache Software Foundation and the Apache Portable Runtime Project are proud to announce the General Availability of version 1.3.8 of the APR Apache Portable Runtime library, and version 1.3.9 of the companion APR-util Apache Portable Utility library.
The corresponding version 1.2.1 of the companion APR-iconv library, an alternative portable implementation of the 'iconv' library, remains current.
This version of APR is a security and bug fix release, including fixes for specific platforms' configuration, feature detection, and run time behavior. Most developers and users are encouraged to adopt the latest APR 1.x version to ensure the most comprehensive support and access to the latest features and enhancements.
Note that the APR library release 1.3.8 and APR-util library release 1.3.9 introduce security fixes; users of prior versions are strongly encouraged to upgrade to this release.
SECURITY: CVE-2009-2412 (cve.mitre.org)
Fixes overflow in pools and rmm, due to size alignment. The APR project thanks Matt Lewis for his diligent reporting, analysis, and submitted patch.
The mission of the Apache Portable Runtime Project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable, if not identical, behavior regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.
APR and its companion libraries are implemented entirely in C and provide a common programming interface across a wide variety of operating system platforms without sacrificing performance.
Currently supported platforms include:
UNIX variants
Windows
Netware
Mac OS X
OS/2
To give a brief overview, the primary core subsystems of APR 1.3 include the following:
Atomic operations
Dynamic Shared Object loading
File I/O
Locks (mutexes, condition variables, etc)
Memory management (high performance allocators)
Memory-mapped files
Multicast Sockets
Network I/O
Shared memory
Thread and Process management
Various data structures (tables, hashes, priority queues, etc)
For a more complete list, please refer to the following URLs:
Users of APR 0.9 should be aware that migrating to the APR 1.x programming interfaces may require some adjustments; APR 1.x is neither source nor binary compatible with earlier APR 0.9 releases.
Users of APR 1.x can expect consistent interfaces and binary backwards compatibility throughout the entire APR 1.x release cycle, as defined in our versioning rules:
APR is already used extensively by the Apache HTTP Server version 2 and the Subversion revision control system, to name but a few. We list all known projects using APR at http://apr.apache.org/projects.html -- so please let us know if you find our libraries useful in your own projects!
The Apache Sling team is pleased to announce the release of Apache Sling OSGi LogService Implementation version 2.0.6.
Implementation of the OSGi Compendium Log Service using SLF4J on top of a private implementation. In addition to providing the implemented SLF4J API, the Log4J and Jakarta Commons Logging APIs are provided with implementations on top of the SLF4J API.
Release Notes -- Apache Jackrabbit -- Version 1.5.7
Introduction
------------
Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). A content repository is a hierarchical content store with support for structured and unstructured content, full text search, versioning, transactions, observation, and more. See the Jackrabbit web site at http://jackrabbit.apache.org/ for more information.
Apache Jackrabbit 1.5.7 is a bug fix release that fixes issues reported against previous releases. This release is fully compatible with the earlier 1.5.x releases.
See below for a full listing of fixes included in this release.
Changes in this release
-----------------------
All the fixes in this release are listed below per affected component.
The modified components have had their version numbers upgraded to 1.5.7; other components are still at their previous 1.5.x versions.
jackrabbit-core
Bug fixes
[JCR-2082] Query does not work after logging into workspace with no indexes
[JCR-2129] Prevent data inconsistencies due to incorrect or missed ...
[JCR-2138] Prevent persistence of faulty back-references
[JCR-2168] Avoid premature publication of XAItemStateManager
[JCR-2169] BundleDbPersistenceManager consistencyFix doesn't fix missing ...
Improvements
[JCR-2106] SystemSessions created for GarbageCollector are not logged out
jackrabbit-jcr2spi
Improvements
[JCR-1797] SPI: RepositoryService.getItemInfos should be allowed to ...
The following people have contributed to this release by submitting bug reports or by participating in the issue resolution process.
Angela Schreiber
Martijn Hendriks
Peter Dettman
Jukka Zitting
Mateusz Juszkiewicz
Thomas Mueller
Marcel Reutegger
Michael Dürig
Thank you to everyone involved!
Release Contents
----------------
This release consists of a single source archive (jackrabbit-1.5.7-src.jar) that contains all the Apache Jackrabbit components. Use the following commands (or the equivalent in your system) to build the release with Maven 2 and Java 1.4 or higher:
jar xf jackrabbit-1.5.7-src.jar
cd jackrabbit-1.5.7
mvn install
Note that the OCM components require Java 5 or higher, and are not included in the build when using Java 1.4.
The source archive is accompanied by SHA1 and MD5 checksums and a PGP signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.
The build will result in the following components (with artifactIds in parenthesis) being built and installed in your local Maven repository.
Pre-built binary artifacts of these components are also available on the central Maven repository.
Jackrabbit Parent POM (jackrabbit-parent)
The Maven parent POM for all Jackrabbit components.
Jackrabbit API (jackrabbit-api)
Interface extensions that Apache Jackrabbit supports in addition to the standard JCR API.
Jackrabbit JCR Commons (jackrabbit-jcr-commons)
General-purpose classes for use with the JCR API.
Jackrabbit JCR Tests (jackrabbit-jcr-tests)
Set of JCR API test cases designed for testing the compliance of an implementation. Note that this is not the official JCR TCK!
Jackrabbit JCR Benchmarks (jackrabbit-jcr-benchmark)
Framework for JCR performance tests.
Jackrabbit Core (jackrabbit-core)
Core of the Apache Jackrabbit content repository implementation.
Jackrabbit Text Extractors (jackrabbit-text-extractors)
Text extractor classes that allow Jackrabbit to extract text content from binary properties for full text indexing.
Jackrabbit JCR-RMI (jackrabbit-jcr-rmi)
RMI remoting layer for the JCR API.
Jackrabbit WebDAV Library (jackrabbit-webdav)
Interfaces and common utility classes used for building a WebDAV server or client.
Jackrabbit JCR Server (jackrabbit-jcr-server)
WebDAV servlet implementations based on JCR.
Jackrabbit JCR Servlets (jackrabbit-jcr-servlet)
Set of servlets and other classes designed to make it easier to use Jackrabbit and other JCR content repositories in web applications.
Jackrabbit Repository Classloader (jackrabbit-classloader)
Java classloader for loading classes from JCR content repositories.
Jackrabbit Web Application (jackrabbit-webapp)
Deployable Jackrabbit installation with WebDAV support for JCR.
Jackrabbit SPI (jackrabbit-spi)
The SPI defines a layer within a JSR-170 implementation that separates the transient space from the persistent layer.
Jackrabbit SPI Commons (jackrabbit-spi-commons)
This component contains generic utility classes that might be used to build an SPI implementation.
Jackrabbit SPI2JCR (jackrabbit-spi2jcr)
This component contains a SPI implementation wrapping around an implementation of JSR-170.
Jackrabbit JCR2SPI (jackrabbit-jcr2spi)
This component contains an implementation of the JSR-170 API and covers the functionality that is not delegated to the SPI implementation.
Jackrabbit Standalone (jackrabbit-standalone)
Jackrabbit server in a self-contained runnable jar.
Jackrabbit OCM (jackrabbit-ocm)
Object-Content mapping tool for persisting and accessing Java objects in a JCR content repository.
Jackrabbit OCM Node Management (jackrabbit-ocm-nodemanagement)
This component simplifies registration of node types and namespaces referenced in OCM mapping descriptors.
About Apache Jackrabbit
-----------------------
Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). A content repository is a hierarchical content store with support for structured and unstructured content, full text search, versioning, transactions, observation, and more. Typical applications that use content repositories include content management, document management, and records management systems.
About The Apache Software Foundation
------------------------------------
Established in 1999, The Apache Software Foundation provides organizational, legal, and financial support for more than 100 freely-available, collaboratively-developed Open Source projects. The pragmatic Apache License enables individual and commercial users to easily deploy Apache software; the Foundation's intellectual property framework limits the legal exposure of its 2,500+ contributors.
The Apache Wicket project is proud to announce the release of Apache Wicket 1.4. Apache Wicket is an open source, component oriented Java web application framework. With overwhelming support from the user community, this release marks a departure from the past where we leave Java 1.4 behind and we require Java 5 as the minimum JDK version. By moving to Java 5 as the required minimum platform, we were able to utilize Java 5 idioms and increase the type safety of our APIs. Using Java generics you can now write typesafe web applications and create typesafe, self documenting, reusable custom components.
You will need to upgrade all modules (i.e. wicket, wicket-extensions) to their 1.4 counterparts. It is not possible to mix Wicket 1.3 libraries with 1.4 libraries due to API changes.
Most notable changes
From all the changes that went into this release, the following are the most important ones:
Generified IModel interface and implementations increases type safety in your Wicket applications
Component#getModel() and Component#setModel() have been renamed to getDefaultModel() and setDefaultModel() to better support generified models
The Spring modules have been merged (wicket-spring-annot is now obsolete, all you need is wicket-spring)
Many APIs have been altered to better work with Java 5's idioms
Wicket jars are now packaged with metadata that makes them OSGI bundles
Apart from these changes, the release is mostly compatible with Wicket 1.3 and upgrading shouldn't take too long. Early adopters report about a day's work to upgrade medium to large applications to Wicket 1.4.
Read the migration guide to learn more about the changes in our APIs. To learn more about all the improvements and new features that went into this release, check the solved issue list in our JIRA instance.