This is an automated email from the ASF dual-hosted git repository. martin_s pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/archiva-site.git
commit 48154ceb1b9ecb5101232bae0d85582d95f96d01 Author: Martin Stockhammer <[email protected]> AuthorDate: Tue Apr 30 16:53:50 2019 +0200 Adding release info. --- src/site/apt/developers/releasing.apt | 10 ++++++---- src/site/apt/security.apt | 36 +++++++++++++++++++++++++++++++++++ src/site/xdoc/index.xml.vm | 3 +-- 3 files changed, 43 insertions(+), 6 deletions(-) diff --git a/src/site/apt/developers/releasing.apt b/src/site/apt/developers/releasing.apt index 528e677..d43e4dd 100644 --- a/src/site/apt/developers/releasing.apt +++ b/src/site/apt/developers/releasing.apt @@ -92,7 +92,9 @@ gpg -v archiva-jetty-${ARCHV}-bin.zip.asc +------------- git checkout archiva-${ARCHV} # Checkout the release version of archiva cd archiva-doc -mvn site-deploy +mvn site:site +mvn site:stage # Check the content in target/staging +cp -r target/staging/* <web-content-git>/docs/${ARCHV}/ # Copy to the git web content repository +------------- If the vote doesn't pass, the documentation will need to be removed from the server for redeployment. @@ -120,7 +122,7 @@ sh ./release-script-redback-svn.sh $REDBV ${RELEASE_URL}/ After the vote has passed, move the files from dist dev to dist release: +------------- -svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/relase/archiva/ +svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/release/archiva/ # Move also the POM and Redback and Redback Component releases, if there are new ones. +------------- @@ -130,7 +132,7 @@ svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apac Mark the appropriate release version in JIRA as complete. - Update the archiva site (https://svn.apache.org/repos/asf/archiva/site/) for the versions and release notes URL: + Update the archiva site (https://gitbox.apache.org/repos/asf/archiva-site.git) for the versions and release notes URL: Mostly these properties of the pom.xml should be edited: 
@@ -140,7 +142,7 @@ svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apac <archivaCurrentDevVersion>3.0.0-SNAPSHOT</archivaCurrentDevVersion> +------------- - Run <<<mvn site:run>>> and verify the changes. Commit your changes. Then run <<<mvn site-deploy>>>. + Run <<deploySite.sh>>. The script will give the information where to check the content locally and asks before pushing to the remote repository. Once mirroring done (can be 24H): remove previous versions from https://dist.apache.org/repos/dist/release/archiva/ diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt index cd2c6c9..aed31e0 100644 --- a/src/site/apt/security.apt +++ b/src/site/apt/security.apt 
@@ -37,6 +37,42 @@ Security Vulnerabilities %{toc|fromDepth=2|toDepth=2} +* {CVE-2019-0213}: Apache Archiva XSS may be stored in central UI configuration + + It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. + The vulnerability is considered as minor risk, as only users with admin role can change the configuration, + or the communication between the browser and the Archiva server must be compromised. + + Versions Affected: + + * All versions before 2.2.4 + + Mitigation: + + * Upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}} + + * Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users + are assigned to admin role. + + +* {CVE-2019-0214}: Apache Archiva arbitrary file write and delete on the server + + It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. + Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file. + + Versions Affected: + + * All versions before 2.2.4 + + Mitigation: + + * It is highly recommended to upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}}, where additional validations are implemented + to prevent such malicious parameter values. + + * As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user + may have only write permission to the directories needed. + + * {CVE-2017-5657}: Apache Archiva CSRF vulnerabilities for various REST endpoints Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. diff --git a/src/site/xdoc/index.xml.vm b/src/site/xdoc/index.xml.vm index 4f0a552..96586e8 100644 --- a/src/site/xdoc/index.xml.vm +++ b/src/site/xdoc/index.xml.vm 
@@ -39,8 +39,7 @@ <div class="newsBox"> <div class="hero-unit"> <span class="bignumber badge badge-warning">NEW</span> - <p><strong>Our code source is now using git, so you can propose pull requests using <a href="https://github.com/apache/archiva">github mirror</a></strong></p> - <p><strong>${archivaReleaseDate} release of ${archivaReleaseVersion} See <a href="http://archiva.apache.org/docs/${archivaReleaseVersion}/tour/index.html">Quick Tour</a></strong></p> + <p><strong>${archivaReleaseDate} release of ${archivaReleaseVersion} is ready for download <href a="http://archiva.apache.org/download.html"/> </strong>. We recommend to update to the new version.</p> </div> </div> </div>
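Review bot: in the releasing.apt hunk at @@ -92, `cp -r target/staging/* <web-content-git>/docs/${ARCHV}/` assumes that `docs/${ARCHV}/` already exists in the web content checkout and leaves behind anything staged there earlier for the same version, so a second staging after a failed vote can mix old and new files; a `mkdir -p <web-content-git>/docs/${ARCHV}` before the copy, or `rsync -a --delete target/staging/ <web-content-git>/docs/${ARCHV}/` instead of `cp -r`, makes the step repeatable. The unchanged sentence that follows ("the documentation will need to be removed from the server for redeployment") still describes the old `mvn site-deploy` flow; with the git web content repository the removal is a commit in that repository, so the sentence should be updated to say so.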
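Review bot: in the releasing.apt hunk at @@ -140, `<<deploySite.sh>>` uses APT bold markup where the line it replaces used the monospace form `<<<mvn site:run>>>`; commands in this file are written with triple angle brackets, so `<<<./deploySite.sh>>>` keeps the convention and makes clear it is a script run from the checkout. The sentence also mixes tenses ("will give ... and asks"); "The script reports where the staged content can be checked locally and asks for confirmation before pushing to the remote repository" reads more cleanly.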
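Review bot: in the security.apt hunk, the CVE-2019-0214 title says "arbitrary file write and delete", but the description only covers writing to arbitrary locations and overwriting existing files through the artifact upload mechanism; either describe the delete case as well or drop "and delete" from the title so the entry matches what it documents. In the CVE-2019-0213 entry, "i.e. the logo URL" should be "e.g.", since the logo URL is one example of a central configuration entry, and both entries write "Make sure, that ..." with a comma that English does not use ("Make sure that ..."). It would also help readers to spell out in the CVE-2019-0214 mitigation that the "archiva run user" is the operating system account the server runs as, since that is the account whose filesystem permissions bound the damage.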
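Review bot: in the index.xml.vm hunk, `<href a="http://archiva.apache.org/download.html"/>` has the element and attribute names swapped and is self-closing, so it produces no link text and no clickable anchor; it should be `<a href="http://archiva.apache.org/download.html">download</a>`. Note that security.apt in the same commit links to `./download.cgi`, so one of the two download targets should be chosen consistently. `</strong>` also closes before the full stop while the sentence continues, and "We recommend to update" should be "We recommend updating". The removed line carried the Quick Tour link for the release; if that is still wanted, re-add it inside the new paragraph rather than dropping it silently.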
