This is an automated email from the ASF dual-hosted git repository. martin_s pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/archiva-site.git
commit 0e3bb9cb1cf0d04b1effec6dcfc6d76b7d617c0d Author: Martin Stockhammer <[email protected]> AuthorDate: Mon Jun 15 08:39:22 2020 +0200 New release 2.2.5 --- pom.xml | 4 ++-- src/site/apt/developers/releasing.apt | 18 +++++++++++++++--- src/site/apt/security.apt | 16 ++++++++++++++++ src/site/xdoc/index.xml.vm | 2 +- 4 files changed, 34 insertions(+), 6 deletions(-) diff --git a/pom.xml b/pom.xml index 2b67f7d..73242f9 100644 --- a/pom.xml +++ b/pom.xml @@ -38,8 +38,8 @@ <archivaLastSerieVersion>1.3.9</archivaLastSerieVersion> <archivaLastSerieVersionDate>1 July 2014</archivaLastSerieVersionDate> --> - <archivaReleaseVersion>2.2.4</archivaReleaseVersion> - <archivaReleaseDate>30th April 2019</archivaReleaseDate> + <archivaReleaseVersion>2.2.5</archivaReleaseVersion> + <archivaReleaseDate>17th June 2020</archivaReleaseDate> <archivaCurrentDevVersion>3.0.0-SNAPSHOT</archivaCurrentDevVersion> <redbackCurrentDevVersion>3.0.0-SNAPSHOT</redbackCurrentDevVersion> <supportedVersions></supportedVersions> diff --git a/src/site/apt/developers/releasing.apt b/src/site/apt/developers/releasing.apt index 9dceb26..e0d6f14 100644 --- a/src/site/apt/developers/releasing.apt +++ b/src/site/apt/developers/releasing.apt @@ -74,7 +74,8 @@ Archiva release process your settings.xml for {{archiva-repository.releases}}. Prepare your environment: - For Archiva 2.x you have to use JDK 7 and set memory settings. + For Archiva 2.x you have to use two different JDKs for the process. JDK 7 is used for the prepare release (compile) + and JDK 8 for uploading (supported SSL versions) +------------- export JAVA_HOME=<PATH_TO_JDK7> 
@@ -90,8 +91,14 @@ mvn release:prepare +------------- Check that it has been properly tagged. The tag name must be.. archiva-[VERSION]. - If all works fine, execute + You can rollback with `mvn release:rollback`. + If all works fine, set JDK 8 and execute the release:perform task + ++------------- +export JAVA_HOME=<PATH_TO_JDK8> +export PATH=$JAVA_HOME/bin:$PATH ++------------- +------------- mvn release:perform +------------- @@ -105,8 +112,12 @@ mvn release:perform ARCHV="2.2.4" # Enter the new archiva version RELEASE_URL="http://archiva-repository.apache.org/archiva/repository/archiva-releases-stage" wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.tar.gz +wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.tar.gz.asc +wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.zip +wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.zip.asc # Verify the signatures: gpg -v archiva-jetty-${ARCHV}-bin.zip.asc +gpg -v archiva-jetty-${ARCHV}-bin.tar.gz.asc +------------- The documentation is deployed as part of the process to the final location for review in the vote: @@ -149,11 +160,12 @@ svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apac # Move also the POM and Redback and Redback Component releases, if there are new ones. +------------- + Merge the archiva-releases-stage to archiva-releases on archiva-repository.apache.org + To sync the jars to Maven Central, you need to merge the repository archiva-releases-stage to "Central Rsync Repository" Mark the appropriate release version in JIRA as complete. - Update the archiva site ({{https://gitbox.apache.org/repos/asf/archiva-site.git}}) for the versions and release notes URL: Mostly these properties of the pom.xml should be edited: diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt index aed31e0..d99b63f 100644 
--- a/src/site/apt/security.apt +++ b/src/site/apt/security.apt @@ -36,6 +36,22 @@ Security Vulnerabilities %{toc|fromDepth=2|toDepth=2} +* {CVE-2020-9495}: Apache Archiva login service is vulnerable to LDAP injection + + By providing special values to the archiva login form a attacker is able to retrieve user attribute data from the connected LDAP server. + With certain characters it is possible to modify the LDAP filter used to query the users on the connected LDAP server. + By measuring the response time, arbitrary attribute data can be retrieved from LDAP user objects. + + Versions Affected: + + * All versions before 2.2.5 + + Mitigation: + + * Upgrade to {{{./download.cgi} Archiva 2.2.5 or higher}} + + * Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users + are assigned to admin role. * {CVE-2019-0213}: Apache Archiva XSS may be stored in central UI configuration diff --git a/src/site/xdoc/index.xml.vm b/src/site/xdoc/index.xml.vm index bd9ffcf..6992b17 100644 --- a/src/site/xdoc/index.xml.vm +++ b/src/site/xdoc/index.xml.vm @@ -40,7 +40,7 @@ <div class="hero-unit"> <span class="bignumber badge badge-warning">NEW</span> <p><strong>${archivaReleaseDate}: The new Apache Archiva release version ${archivaReleaseVersion} is ready for download <a href="http://archiva.apache.org/download.html"/> </strong>. - This is a bugfix release. Please have a look at the <a href="http://archiva.apache.org/docs/2.2.4/release-notes.html">release notes</a> for further information. + This is a bugfix release. Please have a look at the <a href="http://archiva.apache.org/docs/2.2.5/release-notes.html">release notes</a> for further information. As this release contains <strong>security fixes</strong>, we recommend to update to the new version immediately. </p> </div> </div>
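Review bot: In the pom.xml hunk, archivaReleaseDate is set to "17th June 2020" while this commit is dated 15 June 2020; if the site build is published before the artifacts are actually moved to the release location, the front page will advertise a download that does not yet exist. Either commit the date change together with the dist move, or keep the date in sync with the day the svn mv of dist/dev to dist/release is performed.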
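Review bot: In the first releasing.apt hunk, "JDK 8 for uploading (supported SSL versions)" is too vague to act on; say what actually fails, i.e. that the JDK 7 client does not enable TLS 1.1/1.2 by default and the upload target no longer accepts older protocol versions, and write TLS rather than SSL. The rewritten sentence also dropped "and set memory settings"; if the environment block that follows still exports memory options, the sentence should still mention them, and if that export was removed the change should say so rather than silently drop the step.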
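Review bot: In the second releasing.apt hunk, switching JAVA_HOME to JDK 8 before `mvn release:perform` contradicts the earlier statement that JDK 7 is used for the compile: release:perform checks out the tag and runs the full build and deploy, so the artifacts that are uploaded are built with JDK 8 unless the compiler is pinned by source/target or a toolchain. State that explicitly, or keep the build on JDK 7 and move only the upload step to JDK 8. The new rollback sentence should also say whether the already created tag (the text tells the reader to check the `archiva-[VERSION]` tag) has to be removed by hand after `mvn release:rollback`, since that is the step people forget.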
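Review bot: In the third releasing.apt hunk, `gpg -v archiva-jetty-${ARCHV}-bin.tar.gz.asc` (and the existing zip line) reports "Good signature" for any key it knows, so the check is only meaningful if the reader first imports the project KEYS file and compares the printed fingerprint with the release manager's key; add that step, or the verification proves nothing. RELEASE_URL is also plain http://, so both artifact and signature travel in the clear; prefer https, and if the staging repository publishes checksum files alongside the artifacts, fetch and verify those too.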
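Review bot: In the fourth releasing.apt hunk, the two new merge steps ("archiva-releases-stage to archiva-releases" and "to Central Rsync Repository") give no command, no UI location and no way to confirm they worked, and the Central merge is the irreversible publish step; say where the merge is done, who has the permission, that it happens only after the vote passes, and how to check the artifacts afterwards. The hunk also deletes the blank line before "Update the archiva site"; in APT a blank line separates paragraphs, so that sentence is now run into the JIRA one.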
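Review bot: In the security.apt hunk, the second mitigation bullet does not mitigate CVE-2020-9495: TLS between browser and server and a small admin group do not stop an attacker who submits crafted values to the login form, which is reachable before authentication, since the injection is carried by the attacker's own request. Either drop the bullet or label it general hardening so readers do not treat it as a workaround; the only fix listed that actually helps is upgrading to 2.2.5. Wording: "a attacker" should be "an attacker", and "Make sure, that" should be "Make sure that".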
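Review bot: In the index.xml.vm hunk, the hero text still calls 2.2.5 "a bugfix release" one sentence before saying it contains security fixes; for a release whose headline change is a CVE fix, "security and bugfix release" is the honest summary. The release-notes link also hardcodes 2.2.5 in the path even though ${archivaReleaseVersion} is already used in the same paragraph; using the property there means the next release does not need this edit, and the link could use https like the rest of the site.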
