This is an automated email from the ASF dual-hosted git repository.

cbrisson pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/velocity-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 385c249  Push security news update to prod
385c249 is described below

commit 385c249a0492e16af4f1e1b96b3841e5f798b493
Author: Claude Brisson <[email protected]>
AuthorDate: Wed Mar 10 13:22:33 2021 +0100

    Push security news update to prod
---
 index.html   |   6 +-
 news.html    |  31 ++
 news.xml     | 954 -----------------------------------------------------------
 rss/news.rss |  20 ++
 4 files changed, 54 insertions(+), 957 deletions(-)

diff --git a/index.html b/index.html
index 2a3a9dc..50e16bd 100644
--- a/index.html
+++ b/index.html
@@ -233,13 +233,13 @@ h2:hover > .headerlink, h3:hover > .headerlink, h1:hover 
> .headerlink, h6:hover
 <h2 id="recent-news">Recent News<a class="headerlink" href="#recent-news" 
title="Permanent link">&para;</a></h2>
 <p><ul>
   <li>
-    <a href="/news.html#tools31">2021-02-27 - Velocity Tools 3.1 released</a>
+    <a href="/news.html#CVE-2020-13936">2021-03-09 - Security Advisory for 
Velocity Engine - Velocity Sandbox Bypass - CVE-2020-13936</a>
   </li>
   <li>
-    <a href="/news.html#engine23">2021-02-27 - Velocity Engine 2.3 released</a>
+    <a href="/news.html#CVE-2020-13959">2021-03-09 - Security Advisory for 
Velocity tools - XSS Vulnerability - CVE-2020-13959</a>
   </li>
   <li>
-    <a href="/news.html#engine22">2020-02-02 - Velocity Engine 2.2 released</a>
+    <a href="/news.html#tools31">2021-02-27 - Velocity Tools 3.1 released</a>
   </li>
 </ul>
 </p>
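Review bot: this hunk pushes the "Velocity Engine 2.3 released" entry (`/news.html#engine23`) off the front page while the new CVE-2020-13936 advisory it links to tells users to upgrade to exactly that release; the three-item list now shows both advisories and Tools 3.1 but not the Engine fix release. Either keep the engine23 link (grow the list to four entries) or make sure the advisory text itself links to the 2.3 release. Minor style point: the second new entry says "Velocity tools" while the third says "Velocity Tools 3.1"; capitalise consistently.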
diff --git a/news.html b/news.html
index 98bc36e..4a800de 100644
--- a/news.html
+++ b/news.html
@@ -227,6 +227,37 @@ h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > 
.headerlink, h6:hover
 <h2 id="project-news">Project News<a class="headerlink" href="#project-news" 
title="Permanent link">&para;</a></h2>
 <p><div class="newsitem">
   <h3>
+    <a name="CVE-2020-13936">Security Advisory for Velocity Engine - Velocity 
Sandbox Bypass - CVE-2020-13936</a>
+  </h3>
+  <div>
+    <p>
+      <b>Tuesday,  9 March 2021</b>
+    </p>
+    <p>PROBLEM:</p>
+    <p>An attacker that is able to modify Velocity templates may execute 
arbitrary Java code or run arbitrary system commands with the same privileges 
as the account running the Servlet container. This applies to applications that 
allow untrusted users to upload/modify velocity templates running Apache 
Velocity Engine versions up to 2.2.</p>
+    <p>This issue has been assigned CVE-2020-13936.</p>
+    <p>WORKAROUND:</p>
+    <p>Applications using Apache Velocity that allow untrusted users to upload 
templates should upgrade to version 2.3. This version adds additional default 
restrictions on what methods/properties can be accessed in a template.</p>
+    <p>ACKNOWLEDGEMENTS: This issue was discovered by Alvaro Munoz 
[email protected] of Github Security Labs and was originally reported as 
GHSL-2020-048.</p>
+  </div>
+</div><div class="newsitem">
+  <h3>
+    <a name="CVE-2020-13959">Security Advisory for Velocity tools - XSS 
Vulnerability - CVE-2020-13959</a>
+  </h3>
+  <div>
+    <p>
+      <b>Tuesday,  9 March 2021</b>
+    </p>
+    <p>PROBLEM:</p>
+    <p>The default error page for VelocityView reflects back the vm file that 
was entered as part of the URL. An attacker can set an XSS payload file as this 
vm file in the URL which results in this payload being executed.</p>
+    <p>XSS vulnerabilities allow attackers to execute arbitrary JavaScript in 
the context of the attacked website and the attacked user. This can be abused 
to steal session cookies, perform requests in the name of the victim or for 
phishing attacks.</p>
+    <p>This issue has been assigned CVE-2020-13959.</p>
+    <p>WORKAROUND:</p>
+    <p>Applications based on Apache Velocity Tools should upgrade to version 
3.1. This version escapes the reflected text on the default error page, 
preventing potential javascript execution.</p>
+    <p>ACKNOWLEDGEMENTS: This issue was reported and a patch was submitted by 
Jackson Henry, member of Sakura Samurai.</p>
+  </div>
+</div><div class="newsitem">
+  <h3>
     <a name="tools31">Velocity Tools 3.1 released</a>
   </h3>
   <div>
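Review bot: the CVE-2020-13959 item never states which Velocity Tools versions are affected, whereas the CVE-2020-13936 item above it gives "versions up to 2.2"; add the affected range (at minimum "versions before 3.1") so readers can tell whether they need to act. In the CVE-2020-13936 item, "adds additional default restrictions on what methods/properties can be accessed" should say whether those restrictions are active with the default uberspector or only when SecureUberspector is configured, since the Engine 2.3 release note deleted later in this same commit describes the fix as "let SecureUberspector block methods on ClassLoader and subclasses", which reads as the latter. Both WORKAROUND sections contain only "upgrade"; if there is no mitigation short of upgrading, label them FIX or MITIGATION to avoid implying a configuration-only workaround exists. Style: the new items use `<a name="CVE-...">` while the surrounding headings use `id=` (`<h2 id="project-news">`); `id` is the current anchor form.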
diff --git a/news.xml b/news.xml
deleted file mode 100644
index a6b8960..0000000
--- a/news.xml
+++ /dev/null
@@ -1,954 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-
-<news xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns="http://velocity.apache.org/NEWS/1.0.0"; 
xsi:schemaLocation="http://velocity.apache.org/NEWS/1.0.0 
http://velocity.apache.org/site/tools/velocity-site-news/xsd/news-1.0.0.xsd";>
-  <items>
-    <item id="tools31">
-        <date>2021-02-27</date>
-        <headline>Velocity Tools 3.1 released</headline>
-        <categories>
-            <category>velocity</category>
-            <category>tools</category>
-        </categories>
-        <text><![CDATA[
-        The Velocity developers are pleased to announce the release of 
Velocity Tools 3.1.
-
-        VelocityTools is a collection of Velocity subprojects with a common 
goal of providing tools and infrastructure
-        for building both web and standalone applications using the Apache 
Velocity template engine.
-
-        Main changes:
-
-        * Added an optional 'factory' attribute to tools with the classname of 
a factory for creating new tools instances.
-
-        * Added a new BreadcrumbTool meant to help displaying UI breadcrumb 
trails.
-
-        * Fix potential XSS vulterability in VelocityViewServlet error 
handling.
-
-        For a full list of changes, consult 
{{{https://velocity.apache.org/tools/3.1/changes.html}Velocity Tools 3.1 
Changes section}} and 
{{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310130&version=12345408}JIRA
 changelog}}.
-
-        For notes on upgrading from earlier versions, see 
{{{https://velocity.apache.org/tools/3.1/upgrading.html}Velocity Tools 3.1 
Upgrading section}}.
-
-        Downloads of Velocity Tools 3.1 are available 
{{{http://velocity.apache.org/download.cgi#tools}here}}.
-
-        ]]></text>
-    </item>
-    <item id="engine23">
-        <date>2021-02-27</date>
-        <headline>Velocity Engine 2.3 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to announce the release of 
Velocity Engine 2.3.
-
-        Main changes in this release:
-
-        + Fix a minor security issue in user-edited templates applications: 
let SecureUberspector block methods on ClassLoader and subclasses.
-
-        + New spring-velocity-support module for Velocity Engine integration 
in Spring Framework.
-
-        For a full list of changes, consult 
{{{https://velocity.apache.org/engine/2.3/changes.html}Velocity Engine 2.3 
Changes section}} and 
{{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12348601}JIRA
 changelog}}.
-
-        For notes on upgrading, see 
{{{http://velocity.apache.org/engine/2.3/upgrading.html}Velocity Engine 2.3 
Upgrading section}}.
-
-        Downloads of 2.3 are available 
{{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="engine22">
-        <date>2020-02-02</date>
-        <headline>Velocity Engine 2.2 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to announce the release of 
Velocity Engine 2.2.
-
-        Main changes in this release:
-
-        + New runtime.log.track_locations debugging configuration flag which 
displays the VTL stack trace in the logs in cases of errors, and populates 
slf4j MDC tags about position in VTL templates.
-
-        + New example of how to build a customized VTL parser where the '#', 
'$', '*' and '@' characters can be replaced by alternate characters.
-
-        + New backward compatibility flags to mimic 1.7.x event handlers and 
velicomacros behaviors.
-
-        For a full list of changes, consult 
{{{http://velocity.apache.org/engine/2.2/changes.html}Velocity Engine 2.2 
Changes section}} and 
{{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12345391}JIRA
 changelog}}.
-
-        For notes on upgrading, see 
{{{http://velocity.apache.org/engine/2.2/upgrading.html}Velocity Engine 2.2 
Upgrading section}}.
-
-        Downloads of 2.2 are available 
{{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="engine21">
-        <date>2019-03-31</date>
-        <headline>Velocity Engine 2.1 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to announce the release of 
Velocity Engine 2.1.
-
-        Main changes in this release:
-
-        + New VTL syntax: alternate reference values: ${foo|'foo'} evaluates 
to 'foo' whenever boolean evaluation of $foo is false.
-
-        + New VTL syntax: Default block for empty loops: #foreach($i in 
$collection) ... #else nothing to display #end
-
-        + Two more Engine 1.7 backward compatibility flags, 
parser.allow_hyphen_in_identifier and velocimacro.arguments.literal
-
-        + Velocity Engine 2.1 now requires Java 1.8+.
-
-        For a full list of changes, consult 
{{{http://velocity.apache.org/engine/2.1/changes.html}Velocity Engine 2.1 
Changes section}} and 
{{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12344272}JIRA
 changelog}}.
-
-        For notes on upgrading, see 
{{{http://velocity.apache.org/engine/2.1/upgrading.html}Velocity Engine 2.1 
Upgrading section}}.
-
-        Downloads of 2.1 are available 
{{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="tools30">
-        <date>2018-10-09</date>
-        <headline>Velocity Tools 3.0 released</headline>
-        <categories>
-            <category>velocity</category>
-            <category>tools</category>
-        </categories>
-        <text><![CDATA[
-        The Velocity developers are pleased to announce the release of 
Velocity Tools 3.0.
-
-
-        VelocityTools is a collection of Velocity subprojects with a common 
goal of providing tools and infrastructure
-        for building both web and standalone applications using the Apache 
Velocity template engine.
-
-
-        Velocity Tools 3.0 brings a few new context tools (CollectionTool, 
JsonTool) and bugfixes
-        along with a complete rewrite for some other tools (BrowserTool, 
ImportTool, XmlTool).
-        It now uses Velocity Engine 2.0 and SLF4J.
-
-
-        For a complete list of changes, please visit 
{{{https://dist.apache.org/repos/dist/release/velocity/tools/3.0/release-notes.html}the
 Velocity Tools 3.0 releases notes}}.
-
-
-        For notes on upgrading from Velocity Engine 1.x and Velocity Tools 
2.0, see {{{http://velocity.apache.org/engine/2.0/upgrading.html}Velocity 
Engine 2.0 Upgrading section}}
-        and {{{http://velocity.apache.org/tools/3.0/upgrading.html}Velocity 
Tools 3.0 Upgrading section}}.
-
-
-        Downloads of Velocity Tools 3.0 are available 
{{{http://velocity.apache.org/download.cgi#tools}here}}.
-
-        ]]></text>
-    </item>
-    <item id="engine20">
-        <date>2017-08-06</date>
-        <headline>Velocity Engine 2.0 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to announce the release of
-        Velocity Engine 2.0.
-
-        Among the main new features and enhancements:
-
-        + Logging to the SLF4J logging facade.
-
-        + Configurable whitespace gobbling.
-
-        + Method arguments and array subscripts can now be arithmetic 
expressions.
-
-        + Configurable method arguments conversion handler with automatic 
conversions between booleans, numbers, strings and enums.
-
-        + Significant reduction of the memory consumption.
-
-        + JSR-223 Scripting Engine implementation.
-
-        For a full list of changes, consult 
{{{http://velocity.apache.org/engine/2.0/changes.html}Velocity Engine 2.0 
Changes section}} and 
{{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12338243}JIRA
 changelog}}.
-
-        For notes on upgrading from Velocity 1.x, see 
{{{http://velocity.apache.org/engine/2.0/upgrading.html}Velocity Engine 2.0 
Upgrading section}}.
-
-        Note for Velocity Tools users: Velocity Tools 3.0 shall soon be 
released. Meanwhile, you are encouraged to use the 
{{{https://repository.apache.org/content/repositories/snapshots/org/apache/velocity/velocity-tools-generic/3.0-SNAPSHOT/}Velocity
 Tools 3.x last snapshot}} (see 
{{{http://velocity.apache.org/tools/devel/upgrading.html}Velocity Tools 3.x 
Upgrading notes}}).
-
-        Downloads of 2.0 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="engine17">
-        <date>2010-11-29</date>
-        <headline>Velocity Engine 1.7 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to announce the release of
-        Velocity Engine 1.7.
-
-        Since 1.6, there has been a lot of work: #@body()content#end, 
#[[literal content]]#,
-        major namespacing changes, $newListSyntax[$i], and more.  Please see 
the change log
-        for details!
-
-        Since 1.7-beta1, we fixed, 
{{{https://issues.apache.org/jira/browse/VELOCITY-785}VELOCITY-785}}, 
{{{https://issues.apache.org/jira/browse/VELOCITY-766}VELOCITY-766}}, 
{{{https://issues.apache.org/jira/browse/VELOCITY-760}VELOCITY-760}}, and 
{{{https://issues.apache.org/jira/browse/VELOCITY-753}VELOCITY-753}}.  We also 
added
-        access to current template and directive debugging info through 
$<foo>.info
-        (where <foo> is the namespace you are seeking info about).
-
-        For more details on these, again, see the 
-        {{{http://velocity.apache.org/engine/devel/changes-report.html}change 
log}}.
-
-        Downloads of 1.7 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-        This is a drop-in replacement for Velocity 1.6, however, it also begins
-        the transition to 2.0 features. Users upgrading should expect 
deprecation
-        warnings in their logs.
-      ]]></text>
-    </item>
-    <item id="tools20">
-        <date>2010-05-10</date>
-        <headline>VelocityTools 2.0 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are very pleased to make VelocityTools 2.0 
available for download.
-        
-        This should be useable as a drop in replacement for Tools 1.4 or
-        Tools 2.0-beta4, with a few minor exceptions.
-        The 2.x series of VelocityTools requires Velocity 1.6 and JDK 1.5+.
-
-        Since the last beta release, there have been a variety of 
enhancements.  Here's the notable ones:
-
-            * Added a 'readOnly' config option to allow write operations on 
ValueParser and ParameterTool when set to false
-
-            * Added a beta-quality UiDependencyTool (included in 
velocity-view, but not in default tools.xml)
-
-            * Added an alpha-quality MarkupTool (included in generic tools, 
but not in default tools.xml)
-
-            * Fixed (as much as possible) some significant last-iteration 
LoopTool problems, and added a getThis() method as a more reliable workaround 
in nested loops. See 
{{{https://issues.apache.org/jira/browse/VELTOOLS-124}VELTOOLS-124}}.
-
-            * VelocityLayoutServlet now checks request attributes for 
non-default layouts.
-
-            * The velocity-view.tld is now valid.
-
-            * VelocityView[Servlet] have improved exception and http 
management (particularly for ResourceNotFoundExceptions).
-
-            * Miscellaneous documentation and build.xml improvements
-            
-        
-        The Velocity developers are very interested in all feedback regarding
-        Tools 2.0, especially regarding backwards compatibility with apps 
designed
-        for Tools 1.4 or earlier.  We aim to enable a smooth, incremental 
transition
-        for developers and their applications.
-
-        Downloads of Tools 2.0 are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-    <item id="engine164">
-        <date>2010-05-10</date>
-        <headline>Velocity Engine 1.6.4 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers would like to announce the release of
-        Velocity Engine 1.6.4.
-
-        This release provides two small bugfixes and one critical fix. The 
critical
-        fix resolves a 100% CPU loop hang under simultaneous HashMap calls in 
our
-        ClassMap implementation due to a classic bug in Sun's implementation.  
We now
-        use ConcurrentHashMap when available and Hashtable otherwise.  It's 
also
-        important to note that the auto-init feature is now only supported 
with Java
-        1.5+.
-
-        For more information, see 
{{{https://issues.apache.org/jira/browse/VELOCITY-717}VELOCITY-717}}, 
{{{https://issues.apache.org/jira/browse/VELOCITY-750}VELOCITY-750}}, and 
{{{https://issues.apache.org/jira/browse/VELOCITY-718}VELOCITY-718}},
-        .
-
-        Downloads of 1.6.4 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-        This is a drop-in replacement for Velocity 1.6.3.
-      ]]></text>
-    </item>
-    <item id="engine17beta1">
-        <date>2010-04-16</date>
-        <headline>Velocity Engine 1.7-beta1 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers would like to announce the release of
-        Velocity Engine 1.7-beta1.
-
-        Since 1.6, there has been a lot of work.  Here's an overview:
-
-            * Support macro bodies. Just call them like this: #@foo() body 
content #end
-
-            * Can now escape single and double quotes in strings by doubling 
them
-
-            * Added #[[this is included in the output but not parsed]]# syntax 
to replace #literal
-
-            * All #set calls are now global by default; no more implicit local 
namespaces (not that there were well functioning ones before).  To #set a local 
variable, use the new provided namespaces: $foreach, $macro, $template, 
$evaluate, $define and $foo (would exist inside the body of #@foo() #end). 
These must now be used to #set any variable "locally" like this:  #set( 
$macro.mylocal = 'foo' ).  When nested, access to parent namespaces is 
similarly explicit (e.g. $macro.parent). Pl [...]
-
-            * Enhanced #break to function anywhere and optionally accept a 
namespace argument when you want to break beyond the nearest scope.  (e.g. 
#break( $macro ))
-
-            * Added bracketed index syntax: $foo[0] or #set( $foo[0] = 1 )
-
-            * #stop now ends rendering/execution of a template, not parsing of 
a template
-
-            * OSGI-ready manifests are now provided in the jars
-
-            * A variety of small bugfixes, performance boosts and better 
exceptions/logging.
-
-            * Removed very obsolete Veltag and WebMacro conversion code.
-
-        For more details on these, see the 
-        {{{http://velocity.apache.org/engine/devel/changes-report.html}change 
log}}.
-
-        Downloads of 1.7-beta1 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-        This should work as a drop-in replacement for Velocity 1.6.3 in most 
cases.
-        Users of $velocityCount, $velocityHasNext and #literal should take 
note of their deprecations.  Users of #stop and #break should be aware of 
significant changes
-        to those features.
-      ]]></text>
-    </item>
-    <item id="engine163">
-        <date>2009-12-16</date>
-        <headline>Velocity Engine 1.6.3 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers would like to announce the release of
-        Velocity Engine 1.6.3.
-
-        This release provides users the ability to revert to the previous
-        #if behavior, which did not call toString() in order to check its 
status.
-        This results in inconsistent reference treatment, but offers much 
superior performance in cases where toString() is an expensive operation.
-        To enable this reversion, set the "directive.if.tostring.nullcheck"
-        property to false in your velocity.properties.  This should restore
-        performance of the #if directive to previous levels.
-
-        For more information, see 
{{{https://issues.apache.org/jira/browse/VELOCITY-731}VELOCITY-731}}.
-
-        Downloads of 1.6.3 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-        This is a drop-in replacement for Velocity 1.6.2.
-      ]]></text>
-    </item>
-    <item id="engine162">
-        <date>2009-03-19</date>
-        <headline>Velocity Engine 1.6.2 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers would like to announce the release of
-        Velocity Engine 1.6.2.
-
-        This release fixes the behaviour of $velocityHasNext 
({{{https://issues.apache.org/jira/browse/VELOCITY-651}VELOCITY-651}}
-        and 
{{{https://issues.apache.org/jira/browse/VELOCITY-658}VELOCITY-658}}), resolves 
some regression bugs
-        ({{{https://issues.apache.org/jira/browse/VELOCITY-667}VELOCITY-667}}, 
{{{https://issues.apache.org/jira/browse/VELOCITY-681}VELOCITY-681}},
-        {{{https://issues.apache.org/jira/browse/VELOCITY-701}VELOCITY-701}}), 
and fixes two problems with resource loaders
-        ({{{https://issues.apache.org/jira/browse/VELOCITY-693}VELOCITY-693}}, 
{{{https://issues.apache.org/jira/browse/VELOCITY-702}VELOCITY-702}}).
-        It is a drop-in replacement for Velocity 1.6.1.
-
-        Downloads of 1.6.2 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="tools20beta4">
-        <date>2009-05-27</date>
-        <headline>VelocityTools 2.0-beta4 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to make a fourth beta release of
-        VelocityTools 2.0 available for download.
-        
-        This should be useable as a drop in replacement for Tools 1.4 or
-        Tools 2.0-beta3, with a few minor exceptions.
-        The 2.x series of VelocityTools requires Velocity 1.6 and JDK 1.5+.
-
-        Since the last beta release, there have been a number of significant 
fixes
-        and enhancements.  Here's the key ones:
-
-            * Tools references are no longer read-only by default
-
-            * LinkTool double-encoding problem is fixed
-
-            * Upgraded to depend on Engine 1.6.2
-
-            * Deprecated ListTools due to irrelevance in Engine 1.6.x
-
-            * ResourceTool now gives access to bundle keys
-
-            * MultiViewsTool was changed into new, better IncludeTool
-
-            * Added syntactical sugar to CookieTool
-
-            * Multiple new methods contributed for DisplayTool
-
-            * Added the WebappUberspector for natural #set of attributes in 
webapp scopes (e.g. #set( $request.foo = 'bar' ))
-
-            * Refactored JeeConfig to be an interface
-        
-        The Velocity developers are very interested in all feedback regarding
-        Tools 2.0, especially regarding backwards compatibility with apps 
designed
-        for Tools 1.4 or earlier.  We aim to enable a smooth, incremental 
transition
-        for developers and their applications.
-
-        Downloads of Tools 2.0-beta4 are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-    <item id="engine161">
-        <date>2008-12-15</date>
-        <headline>Velocity Engine 1.6.1 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers would like to announce the release of
-        Velocity Engine 1.6.1.
-
-        This release fixes the method reflection problems discovered in
-        {{{https://issues.apache.org/jira/browse/VELOCITY-651}VELOCITY-651}}
-        and an macro argument bug identified in
-        ({{{https://issues.apache.org/jira/browse/VELOCITY-615}VELOCITY-615}}).
-        It is a drop-in replacement for Velocity 1.6.
-
-        Downloads of 1.6.1 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="engine16">
-        <date>2008-12-01</date>
-        <headline>Velocity Engine 1.6 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are very pleased to announce the release of
-        Velocity Engine 1.6.
-
-        This release contains numerous fixes, features and improvements.
-        Please see the
-        
{{{http://velocity.apache.org/engine/releases/velocity-1.6/changes-report.html}change
 log}}
-        for a full listing.  This should be a drop-in replacement for Velocity 
1.5.
-
-        Highlights in this release include:
-
-          * Dramatically improved performance
-
-          * New core directives:  #evaluate, #define, and #break
-
-          * Support for vararg method calls
-
-          * Long requested ability to #parse( 'mymacros.vm' )
-
-          * Ability to call methods like size() and get(int) on arrays
-
-
-        Downloads of Engine 1.6 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="tools20beta3">
-        <date>2008-12-01</date>
-        <headline>VelocityTools 2.0-beta3 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to make the third beta release of
-        VelocityTools 2.0 available for download.
-        
-        This should be useable as a drop in replacement for Tools 1.4 or
-        Tools 2.0-beta2, with a few minor exceptions.
-        The 2.x series of VelocityTools also requires both Velocity 1.5+ and 
JDK 1.5+.
-
-        Since the last beta release, there have been a number of small fixes,
-        additional features (like caching for VelocityViewTag), and especially,
-        improvements in the extensibility of VelocityView.
-        
-        The Velocity developers are very interested in all feedback regarding
-        Tools 2.0, especially regarding backwards compatibility with apps 
designed
-        for Tools 1.4 or earlier.  We aim to enable a smooth, incremental 
transition
-        for developers and their applications.
-
-        Downloads of Tools 2.0-beta3 are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-    <item id="engine16beta2">
-        <date>2008-10-27</date>
-        <headline>Velocity Engine 1.6-beta2 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are very pleased to make the seconde beta 
release of
-        Velocity Engine 1.6 available for download.
-
-        This release contains many bugfixes and a new "strict reference mode"
-        feature.  Please see the
-        {{{http://velocity.apache.org/engine/devel/changes-report.html}change 
log}}
-        for a full listing.  This should be a drop-in replacement for Velocity 
1.5
-        or Velocity 1.6-beta1.
-
-        Downloads of Tools 1.6-beta2 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="engine16beta1">
-        <date>2008-09-22</date>
-        <headline>Velocity Engine 1.6-beta1 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>engine</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are very pleased to make the first beta 
release of
-        Velocity Engine 1.6-beta1 available for download.
-
-        This release contains many bugfixes, new features and drastic
-        performance improvements.  Please see the
-        {{{http://velocity.apache.org/engine/devel/changes-report.html}change 
log}}
-        for a full listing.  This should be a drop-in replacement for Velocity 
1.5.
-
-        Downloads of Tools 1.6-beta1 are available 
-        {{{http://velocity.apache.org/download.cgi#engine}here}}.
-      ]]></text>
-    </item>
-    <item id="tools20beta2">
-        <date>2008-07-11</date>
-        <headline>VelocityTools 2.0 Beta2 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to make the second beta release of
-        VelocityTools 2.0 available for download.
-        
-        Major development in VelocityTools 2.0 has completed, and the focus
-        has been on fixing the remaining bugs and providing a clear migration 
path
-        for users of VelocityTools 1.x.  Significant new features in 2.0
-        include very flexible, composable toolbox configuration (via either 
java, xml,
-        and/or properties), lazy-loading/initialization of tools, the
-        VelocityViewTag for embedding Velocity within JSP, simplified embedding
-        of VelocityTools in other frameworks, an assortment
-        of new and improved tools, and much more.
-        
-        This should be useable as a drop in replacement for Tools 1.4,
-        with a few minor exceptions where things already deprecated earlier
-        in 1.x have been removed.  The 2.x series of VelocityTools also 
requires
-        both Velocity 1.5+ and JDK 1.5+.
-
-        At this point, the new tool management and configuration
-        facilities are extremely stable and useable.  Documentation has
-        continued to improve dramatically and is nearing completion.
-        There are no open or known bugs in this release nor significant
-        changes anticipated before 2.0 final is released.
-        We are also more than happy to answer questions on the mailing lists.
-        More information on the changes between Tools 1.x and 2.x may be found
-        {{{http://wiki.apache.org/velocity/VelocityTools2/Planning}here}}.
-        
-        The Velocity developers are very interested in all feedback regarding
-        Tools 2.0, especially regarding backwards compatibility with apps 
designed
-        for Tools 1.4 or earlier.  We aim to enable a smooth, incremental 
transition
-        for developers and their applications.
-
-        Downloads of Tools 2.0-beta2 are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-    <item id="tools20beta1">
-        <date>2007-12-26</date>
-        <headline>VelocityTools 2.0 Beta1 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to make the first beta release of
-        VelocityTools 2.0 available for download and testing.
-        
-        This release marks the completion of major
-        development in VelocityTools 2.0, which is now the main development
-        trunk.  Significant new features in 2.0
-        include very flexible, composable toolbox configuration (via either 
java, xml,
-        and/or properties), lazy-loading/initialization of tools, the
-        VelocityViewTag for embedding Velocity within JSP, an assortment
-        of new and improved tools, and much more.
-        
-        This should be useable as a drop in replacement for Tools 1.4,
-        with a few minor exceptions where things already deprecated earlier
-        in 1.x have been removed.  This also is the first Tools release to 
require both
-        Velocity 1.5+ and JDK 1.5+.
-
-        At this point, the new tool management and configuration
-        facilities are extremely stable and useable.  Documentation has
-        been radically improved since the alpha release, though more work
-        remains there before 2.0 final is released.  There are no open or known
-        bugs in this release and encourage further testing (especially of 
-        the library's backwards compatibility) as we progress rapidly toward
-        the 2.0 release.
-        We are also more than happy to answer questions on the mailing lists.
-        More information on the changes between Tools 1.x and 2.x may be found
-        {{{http://wiki.apache.org/velocity/VelocityTools2Planning}here}}.
-        
-        The Velocity developers are very interested in all feedback regarding
-        Tools 2.0, especially regarding backwards compatibility with apps 
designed
-        for Tools 1.4 or earlier.  We aim to enable a smooth, incremental 
transition
-        for developers and their applications.
-
-        Downloads of Tools 2.0-beta1 are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-
-    <item id="tools14">
-      <date>2007-11-26</date>
-      <headline>VelocityTools 1.4 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The VelocityTools developers are pleased to announce the release
-        of VelocityTools 1.4.
-        
-        There have been many important bug fixes since the 1.3 release
-        and a handful of new features. While important, the overall slate
-        of changes is small compared to previous releases due to the rapid
-        progress of the upcoming 2.0 version.  This is expected to be the
-        last release of the 1.x series, as 2.0 is both superior and backwards
-        compatible.
-
-
-        New features in VelocityTools 1.4 include more configurability for
-        NumberTool and DateTool, the new ComparisonDateTool, and new abilities
-        for EscapeTool and LinkTool. For a full listing of new features and bug
-        fixes please see the
-        {{{http://velocity.apache.org/tools/releases/1.4/changes.html}change 
log}}.
-
-        Downloads are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-
-    <item id="dvsl10">
-        <date>2007-08-13</date>
-        <headline>DVSL 1.0 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>dvsl</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to make the release of
-        DVSL 1.0 available for download and testing.
-        
-        This release fixes an incompatibility between DVSL 0.x and Velocity 
1.5 or newser,
-        along with some minor cleanup and refactoring. It is not a drop in 
replacement
-        of DVSL 0.45 since the main package has changed from 
org.apache.tools.dvsl to
-        org.apache.dvsl.
-        
-        Files can be downloaded 
{{{http://velocity.apache.org/download.cgi#dvsl}here}}.
-      ]]></text>
-    </item>
-
-    <item id="tools20alpha1">
-        <date>2007-07-02</date>
-        <headline>VelocityTools 2.0 Alpha1 released</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity developers are pleased to make the first alpha release of
-        VelocityTools 2.0 available for download and testing.
-        
-        This is a milestone release marking the completion of most major
-        development in the Tools 2.x branch.  Significant new features include 
-        very flexible, composable toolbox configuration (via either java, xml,
-        and/or properties), lazy-loading/initialization of tools, the
-        VelocityViewTag for embedding Velocity within JSP, an assortment
-        of new and improved tools, and more.
-        
-        This should be useable as a drop in replacement for Tools 1.3,
-        with a few exceptions where things already deprecated in 1.x have been
-        removed.  This also is the first Tools release to require both
-        Velocity 1.5+ and JDK 1.5+.
-
-        Early adopters may consider the new tool management and configuration
-        facilities to be quite stable.  At this point, documentation is
-        limited to javadoc and the example apps, which have been updated
-        to demonstrate the new tools, the VelocityViewTag, and configuration.
-        We are also more than happy to answer questions on the mailing lists.
-        More information on the changes between Tools 1.x and 2.x may be found
-        {{{http://wiki.apache.org/velocity/VelocityTools2Planning}here}}.
-        
-        The Velocity developers are very interested in all feedback regarding
-        Tools 2.0, especially regarding backwards compatibility with apps 
designed
-        for Tools 1.3 or earlier.  We aim to enable a smooth, incremental 
transition
-        for developers and their applications.
-
-        Downloads of Tools 2.0-alpha1 are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-    <item id="anakia10texen10">
-      <date>2007-05-06</date>
-      <headline>Anakia 1.0 and Texen 1.0 released</headline>
-      <categories>
-        <category>anakia</category>
-        <category>texen</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-
-        The Velocity developers are pleased to issue two new releases:
-        Anakia 1.0 and Texen 1.0.
-
-        Anakia is an XML text transformation tool based on Apache
-        Velocity and Apache Ant.  It provides an alternative to using Ant
-        's <style> task and XSL to process XML files. A common use of
-        Anakia is to process xdoc files and create site/project
-        documentation.  More information on Anakia can be found here:
-
-        {{http://velocity.apache.org/anakia/releases/anakia-1.0/}}
-
-        Texen is a general-purpose text generation utility, also based on
-        Apache Velocity and Apache Ant.  More information is here:
-
-        {{http://velocity.apache.org/texen/releases/texen-1.0/}}
-
-        Both Anakia and Texen were previously part of the core Velocity
-        engine distribution but have been split off into their own
-        packages to simplify maintenance and facilitate different release
-        cycles.  To avoid namespace conflict, org.apache.velocity.anakia
-        has been moved to org.apache.anakia and org.apache.velocity.texen
-        has been changed to org.apache.texen.    
-      ]]></text>
-    </item>
-
-    <item id="velocity-docbook-framework-10">
-      <date>2007-04-09</date>
-      <headline>Velocity DocBook Framework 1.0 released</headline>
-      <categories>
-        <category>docbook</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-    
-        The Velocity developers are very pleased to announce the first
-        release of the Velocity Docbook framework. It is intended to
-        help creating high-quality documentation in the DocBook format
-        which can be used online or as PDF for print out.
-
-        The downloads and documentation are available from 
{{http://velocity.apache.org/docbook/}}.
-    
-      ]]></text>
-    </item>
-
-    <item id="velocity-15">
-      <date>2007-03-06</date>
-      <headline>Velocity 1.5 Released!</headline>
-      <categories>
-        <category>engine</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-    
-        The Velocity developers are very pleased to announce the final
-        release of Velocity 1.5. Downloads are available 
-        {{{http://velocity.apache.org/download.cgi}here}}.
-    
-        After a little more tweaking on Beta 2, the 1.5 final release
-        is finally here! Since Beta 2 we have fixed a major problem
-        with the new SecureUberspector as well as several bugs and
-        broken links in our documentation.
-    
-        Some of the other new features since Velocity 1.4 include:
-    
-          * floating point number arithmetic
-    
-          * new event handlers for altering #include/#parse behavior
-    
-          * literal map syntax
-    
-        A complete list of changes is available at our
-        
{{{http://issues.apache.org/jira/browse/VELOCITY?report=com.atlassian.jira.plugin.system.project:roadmap-panel}issue
-        tracker}}. You should also check out the 
-        {{{http://wiki.apache.org/velocity/Velocity15ReleaseNotes}release
-        notes}} on the Wiki. Please report any additional bugs in the
-        issue tracker and we will try to address them before the next
-        release.
-      ]]></text>
-    </item>
-
-    <item id="velocity-tools-13">
-      <date>2007-02-08</date>
-      <headline>VelocityTools 1.3 is available</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The VelocityTools developers are pleased to announce the release
-        of VelocityTools 1.3.
-        
-        There have been many improvements made since the 1.2 release.  A
-        key focus in this version has been ease of use.  We've simplifyied
-        developing your own tools by eliminating the ViewTool and Configurable
-        interfaces, and we've simplifyied the syntax for using many of
-        our existing tools within Velocity templates to both save keystrokes
-        and reduce visual clutter.
-
-        The distribution also comes with a new "showcase" example webapp
-        that demonstrates many of the uses of the various tools as well
-        as allowing you to interactively play with them.  Just download the
-        binary distribution, and deploy the "showcase.war" example to your
-        servlet container to try it out.
-
-        Also included are the usual slate of bug fixes, dependency
-        upgrades, entirely new tools, and new functions for existing tools.
-        For a full listing of changes, see the 
-        {{{http://velocity.apache.org/tools/devel/changes.html}change log}}.
-
-        Downloads are available 
-        {{{http://velocity.apache.org/download.cgi#tools}here}}.
-      ]]></text>
-    </item>
-    
-    <item id="velocity-tools-13rc1">
-      <date>2007-01-25</date>
-      <headline>VelocityTools 1.3 Release Candidate 1 available</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The VelocityTools developers are pleased to announce the first release
-        candidate for VelocityTools 1.3. Downloads are available
-        {{{http://velocity.apache.org/download.cgi}here}}.
-      ]]></text>
-    </item>
-    
-    <item id="velocity-tools-13beta1">
-      <date>2007-01-13</date>
-      <headline>Velocity Tools 1.3 Beta 1 available</headline>
-      <categories>
-        <category>velocity</category>
-        <category>tools</category>
-      </categories>
-      <text><![CDATA[
-        The Velocity Tools developers are pleased to announce the first beta
-        release of Velocity Tools 1.3. Downloads are available
-        {{{http://velocity.apache.org/download.cgi}here}}.
-      ]]></text>
-    </item>
-    
-    <item id="new-website">
-      <date>2007-01-07</date>
-      <headline>New Velocity Web Site has been deployed</headline>
-      <categories>
-        <category>general</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-        The new {{{http://velocity.apache.org/}Apache Velocity Web
-        Site}} is online. Subscribe to the
-        {{{http://velocity.apache.org/rss/news.rss}RSS feed}} to keep
-        up to date.
-      ]]></text>
-    </item>
-    
-    <item id="velocity-tlp">
-      <date>2006-10-26</date>
-      <headline>Velocity Approved as Top Level Project</headline>
-      <categories>
-        <category>general</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-        The Board of the Apache Software Foundation has passed a
-        resolution to upgrade Jakarta Velocity into an Apache Top Level
-        Project (TLP), to be renamed Apache Velocity. We are excited of
-        the new prominence of the Velocity project.
-    
-        Please stay tuned for our new website at
-        {{http://velocity.apache.org/}}. In the meantime, note that our
-        new mailing lists are <[email protected]> (subscribe at
-        <[email protected]>) for general questions, and
-        <[email protected]> (subscribe at
-        <[email protected]>) for development-related
-        activity.
-      ]]></text>
-    </item>
-    
-    <item id="velocity-1.5-beta-2">
-      <date>2006-11-24</date>
-      <headline>Velocity 1.5 Beta 2 Released</headline>
-      <categories>
-        <category>engine</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-    
-        The Velocity developers are pleased to announce the second beta
-        release of Velocity 1.5. Downloads are available 
-        {{{http://velocity.apache.org/download.cgi}here}}.
-    
-        This beta version is one of the final steps before the
-        long-awaited version 1.5. Since Beta 1 we have added a new
-        InvalidReferenceEventHandler (to catch invalid references), the
-        SecureUberspector (to prevent introspection on "dangerous
-        objects"), and a StringResourceLoader. We've also fixed some
-        critical bugs, including a subtle synchronization problem
-        causing page generation to fail under heavy loads.
-    
-        Some of the other new features since Velocity 1.4 include:
-    
-          * floating point number arithmetic
-    
-          * new event handlers for altering #include/#parse behavior
-    
-          * literal map syntax
-    
-        A complete list of changes is available at our
-        
{{{http://issues.apache.org/jira/browse/VELOCITY?report=com.atlassian.jira.plugin.system.project:roadmap-panel}issue
-        tracker}}. You may also want to check out the draft
-        {{{http://wiki.apache.org/velocity/Velocity15ReleaseNotes}release
-        notes}} on the Wiki. Please report any additional bugs in the
-        issue tracker, especially those that need to be fixed before our
-        final release. (use 1.5 beta 2 as the version).
-      ]]></text>
-    </item>
-    
-    <item id="velocity-repo-moved">
-      <date>2006-12-01</date>
-      <headline>The Velocity SVN Repository moved!</headline>
-      <categories>
-        <category>general</category>
-        <category>velocity</category>
-      </categories>
-      <text><![CDATA[
-        As part of our move to top-level status, we moved the Subversion
-        repository. It is now available from 
{{http://svn.apache.org/repos/asf/velocity}}.
-        Please update your references. If you have already checked out
-        the source code, you can use the <<<svn switch>>> command to update 
your local copy.
-      ]]></text>
-    </item>
-  </items>
-</news>
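Review bot: this hunk deletes the whole news.xml source down to the closing `-</news>`, including the historical release items (tools20beta2, tools14, dvsl10, anakia10texen10, velocity-15 and the rest) that news.html and rss/news.rss are generated from; make sure the removal is intentional and documented. If the items were migrated to another source file or branch that now produces news.html and rss/news.rss, say so in the commit message, otherwise this branch loses the only editable copy of those announcements while the generated pages still link to their anchors.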
diff --git a/rss/news.rss b/rss/news.rss
index 39110f1..8235c9b 100644
--- a/rss/news.rss
+++ b/rss/news.rss
@@ -5,6 +5,26 @@
     <link>http://velocity.apache.org</link>
     <description>Recent news from Apache Velocity Site</description>
     <item>
+      <title>Security Advisory for Velocity Engine - Velocity Sandbox Bypass - 
CVE-2020-13936</title>
+      <link>http://velocity.apache.org/news.html#CVE-2020-13936</link>
+      <description>&lt;p&gt;PROBLEM:&lt;/p&gt;&lt;p&gt;An attacker that is 
able to modify Velocity templates may execute arbitrary Java code or run 
arbitrary system commands with the same privileges as the account running the 
Servlet container. This applies to applications that allow untrusted users to 
upload/modify velocity templates running Apache Velocity Engine versions up to 
2.2.&lt;/p&gt;&lt;p&gt;This issue has been assigned 
CVE-2020-13936.&lt;/p&gt;&lt;p&gt;WORKAROUND:&lt;/p&gt;&l [...]
+      <category>velocity</category>
+      <category>engine</category>
+      <pubDate>Tue,  9 Mar 2021 08:00:00 GMT</pubDate>
+      <guid>http://velocity.apache.org/news.html#CVE-2020-13936</guid>
+      <dc:date>2021-03-09T08:00:00Z</dc:date>
+    </item>
+    <item>
+      <title>Security Advisory for Velocity tools - XSS Vulnerability - 
CVE-2020-13959</title>
+      <link>http://velocity.apache.org/news.html#CVE-2020-13959</link>
+      <description>&lt;p&gt;PROBLEM:&lt;/p&gt;&lt;p&gt;The default error page 
for VelocityView reflects back the vm file that was entered as part of the URL. 
An attacker can set an XSS payload file as this vm file in the URL which 
results in this payload being executed.&lt;/p&gt;&lt;p&gt;XSS vulnerabilities 
allow attackers to execute arbitrary JavaScript in the context of the attacked 
website and the attacked user. This can be abused to steal session cookies, 
perform requests in the name [...]
+      <category>velocity</category>
+      <category>tools</category>
+      <pubDate>Tue,  9 Mar 2021 08:00:00 GMT</pubDate>
+      <guid>http://velocity.apache.org/news.html#CVE-2020-13959</guid>
+      <dc:date>2021-03-09T08:00:00Z</dc:date>
+    </item>
+    <item>
       <title>Velocity Tools 3.1 released</title>
       <link>http://velocity.apache.org/news.html#tools31</link>
       <description>&lt;p&gt;The Velocity developers are pleased to announce 
the release of Velocity Tools 3.1.&lt;/p&gt;&lt;p&gt;VelocityTools is a 
collection of Velocity subprojects with a common goal of providing tools and 
infrastructure for building both web and standalone applications using the 
Apache Velocity template engine.&lt;/p&gt;&lt;p&gt;Main 
changes:&lt;/p&gt;&lt;p&gt;* Added an optional 'factory' attribute to tools 
with the classname of a factory for creating new tools insta [...]
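Review bot: the second new item's title, `Security Advisory for Velocity tools - XSS Vulnerability - CVE-2020-13959`, writes the product as "Velocity tools" while the first new title says "Velocity Engine" and the existing entry below it says "Velocity Tools 3.1 released"; use the capitalized "Velocity Tools" so feed readers and filters see one product name. Also, the visible part of the CVE-2020-13936 description gives the affected range ("versions up to 2.2") and a WORKAROUND section but no fixed version before the excerpt is cut off at `[...]`; an advisory entry should state the release that fixes the issue next to the affected range so subscribers can act on the feed item alone without following the link.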
