This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch 4.0.0-M1
in repository https://gitbox.apache.org/repos/asf/causeway.git
The following commit(s) were added to refs/heads/4.0.0-M1 by this push:
new 5f32ecbc76e CAUSEWAY-3941 : cherry pick relnotes etc for 3.5.0
5f32ecbc76e is described below
commit 5f32ecbc76ee857fab0db898b08da549264f3be7
Author: Dan Haywood <[email protected]>
AuthorDate: Mon Nov 17 23:30:09 2025 +0000
CAUSEWAY-3941 : cherry pick relnotes etc for 3.5.0
---
STATUS | 2 ++
antora/components/relnotes/modules/ROOT/nav.adoc | 1 +
.../modules/ROOT/pages/2025/3.5.0/mignotes.adoc | 25 ++++++++++++++
.../modules/ROOT/pages/2025/3.5.0/relnotes.adoc | 38 ++++++++++++++++++++++
antora/supplemental-ui/doap_causeway.rdf | 8 +++++
5 files changed, 74 insertions(+)
diff --git a/STATUS b/STATUS
index 46df6e18193..e51314da3d5 100644
--- a/STATUS
+++ b/STATUS
@@ -25,6 +25,8 @@ Description
TLP releases:
+ * causeway-3.5.0 : 17 Nov 2025
+
* causeway-4.0.0-M1 : 13 Oct 2025
* causeway-3.4.0 : 8 Jul 2025
diff --git a/antora/components/relnotes/modules/ROOT/nav.adoc
b/antora/components/relnotes/modules/ROOT/nav.adoc
index a3d57f39449..b885c406a1b 100644
--- a/antora/components/relnotes/modules/ROOT/nav.adoc
+++ b/antora/components/relnotes/modules/ROOT/nav.adoc
@@ -3,6 +3,7 @@
* 2025
+** xref:relnotes:ROOT:2025/3.5.0/relnotes.adoc[3.5.0]
** xref:relnotes:ROOT:2025/4.0.0-M1/relnotes.adoc[4.0.0-M1]
** xref:relnotes:ROOT:2025/3.4.0/relnotes.adoc[3.4.0]
** xref:relnotes:ROOT:2025/3.3.0/relnotes.adoc[3.3.0]
diff --git
a/antora/components/relnotes/modules/ROOT/pages/2025/3.5.0/mignotes.adoc
b/antora/components/relnotes/modules/ROOT/pages/2025/3.5.0/mignotes.adoc
new file mode 100644
index 00000000000..4d053896c05
--- /dev/null
+++ b/antora/components/relnotes/modules/ROOT/pages/2025/3.5.0/mignotes.adoc
@@ -0,0 +1,25 @@
+= Migrating from 3.4.0 to 3.5.0
+
+:Notice: Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership. The ASF licenses this
file to you under the Apache License, Version 2.0 (the "License"); you may not
use this file except in compliance with the License. You may obtain a copy of
the License at. http://www.apache.org/licenses/LICENSE-2.0 . Unless required by
applicable law or ag [...]
+:page-partial:
+
+== Encrypted Bookmarks for view models
+
+This release automatically encrypts the bookmarks for view models so that they
are not susceptible to forgery or serialization attacks.
+
+The encyrption is performed using an instance of `HmacAuthority`.
+By default, the framework creates a random instance each time it is started,
meaning that any bookmarks (for view models, not entities) become invalid if
the application is restarted, using the following code:
+
+[source,java]
+----
+@Configuration
+class EnableHmacAuthority {
+ @Bean
+ public HmacAuthority hmacAuthority() {
+ return HmacAuthority.HmacSHA256.randomInstance();
+ }
+}
+----
+
+To override this behaviour (so that bookmarks are not invalidated), provide
your own instance of this bean.
+It's up to you how you choose to keep the seed value secret.
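Review bot: In the "Encrypted Bookmarks for view models" section, the sentence ending "using the following code:" attaches to the restart clause, so it reads as though the code is what invalidates the bookmarks. Suggest splitting it so the code block is introduced as the default bean the framework registers, and fixing the spelling of "encyrption" on the line above. The closing lines tell the reader to provide their own instance and keep the "seed value" secret, but the only call shown is `HmacAuthority.HmacSHA256.randomInstance()`, so nothing here shows how an instance is built from a fixed secret; add a short override example or a link to the API reference. Also, HMAC-SHA256 is a message authentication code rather than a cipher, so "encrypts" and "Encrypted" would be more precise as "signs" or "authenticates", unless the memento is also encrypted elsewhere, in which case say by what.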
diff --git
a/antora/components/relnotes/modules/ROOT/pages/2025/3.5.0/relnotes.adoc
b/antora/components/relnotes/modules/ROOT/pages/2025/3.5.0/relnotes.adoc
new file mode 100644
index 00000000000..32f4206153a
--- /dev/null
+++ b/antora/components/relnotes/modules/ROOT/pages/2025/3.5.0/relnotes.adoc
@@ -0,0 +1,38 @@
+[[r3.5.0]]
+= 3.5.0
+
+:Notice: Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership. The ASF licenses this
file to you under the Apache License, Version 2.0 (the "License"); you may not
use this file except in compliance with the License. You may obtain a copy of
the License at. http://www.apache.org/licenses/LICENSE-2.0 . Unless required by
applicable law or ag [...]
+:page-partial:
+
+
+This is primarily a security release to address CVE-2025-64408, which was a
Java deserialization vulnerability to authenticated attackers.
+
+The vulnerability applied to view models, not entities.
+The fix involves encrypting the view model memento using HMAC 256 encryption
key.
+By default, a new key is created each time the application is restarted, which
means that any bookmark of a view model will become invalid in subsequent runs.
+
+If you require stable (but still secure) bookmarks across runs, then this can
be done by providing a custom implementation of the `HmacAuthority` bean (to
override the default provided by the framework).
+
+See the xref:2025/3.5.0/mignotes.adoc[Migration notes] for further details.
+
+
+== New Feature
+
+* link:https://issues.apache.org/jira/browse/CAUSEWAY-3942[CAUSEWAY-3942] -
Support EclipseLink static weaving automatically.
+
+
+== Improvement
+
+* link:https://issues.apache.org/jira/browse/CAUSEWAY-3939[CAUSEWAY-3939] -
Viewmodel Bookmark Overhaul (CVE-2025-64408).
+
+
+== Bug
+
+* link:https://issues.apache.org/jira/browse/CAUSEWAY-3938[CAUSEWAY-3938] -
[Wicket Viewer] Editing uninitialized mandatory property causes exception
+* link:https://issues.apache.org/jira/browse/CAUSEWAY-3899[CAUSEWAY-3899] -
NPE guard for DomainChangeRecord
+
+
+== Task
+
+* link:https://issues.apache.org/jira/browse/CAUSEWAY-3941[CAUSEWAY-3941] -
Release activities, r3.5.0
+
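Review bot: In the introductory paragraph, "encrypting the view model memento using HMAC 256 encryption key" is missing an article and describes HMAC as encryption. HMAC-SHA256 is a keyed integrity check, so wording such as "signing the view model memento with an HMAC-SHA256 key" would match the `HmacAuthority` bean named in the next paragraph (if the memento is also encrypted, state the mechanism). "a Java deserialization vulnerability to authenticated attackers" would read better as "exploitable by authenticated attackers". CAUSEWAY-3939 carries the CVE-2025-64408 fix but is listed under "== Improvement"; since the text calls this primarily a security release, consider a heading or a cross-reference that makes the security fix easy to find in the issue list.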
diff --git a/antora/supplemental-ui/doap_causeway.rdf
b/antora/supplemental-ui/doap_causeway.rdf
index 70f72c922aa..29efdded998 100644
--- a/antora/supplemental-ui/doap_causeway.rdf
+++ b/antora/supplemental-ui/doap_causeway.rdf
@@ -36,6 +36,14 @@
<category rdf:resource="http://projects.apache.org/category/web-framework"
/>
+ <release>
+ <Version>
+ <name>causeway</name>
+ <created>2025-11-17</created>
+ <revision>3.5.0</revision>
+ </Version>
+ </release>
+
<release>
<Version>
<name>causeway</name>