Hi, The license is incorrect in some files. I ran
java -jar rat-0.4.1.jar . | grep -v ASL | grep ? | grep "\.java" and got: !????? ./jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/User.java !????? ./jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java !????? ./jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java !????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/api/jsr283/retention/AbstractRetentionTest.java !????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/TestAll.java !????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationTest.java !????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/TestAll.java !????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/principal/TestAll.java !????? ./jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AdministratorTest.java !????? ./jackrabbit-ocm/src/main/java/org/apache/jackrabbit/ocm/manager/objectconverter/impl/AbstractLazyLoader.java !????? ./jackrabbit-ocm/src/main/java/org/apache/jackrabbit/ocm/manager/objectconverter/impl/OcmProxy.java !????? ./jackrabbit-ocm/src/main/java/org/apache/jackrabbit/ocm/manager/objectconverter/impl/OcmProxyUtils.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/MultiValueWithObjectCollection.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/SimpleAnnotedAbstractClass.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/SimpleAnnotedClass.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/SimpleInterface.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/UnmappedInterface.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/version/Author.java !????? ./jackrabbit-ocm/src/test/java/org/apache/jackrabbit/ocm/testmodel/version/PressRelease.java Regards, Thomas On Tue, Jan 13, 2009 at 7:45 PM, Jukka Zitting <[email protected]> wrote: > Hi, > > I have posted a candidate for the Apache Jackrabbit 1.5.1 release at > > http://people.apache.org/~jukka/jackrabbit/1.5.1/ > > See the RELEASE-NOTES.txt file (also included at the end of this > message) for details on release contents and latest changes. The > release candidate is a jar archive of the sources in > http://svn.apache.org/repos/asf/jackrabbit/tags/1.5.1. The SHA1 > checksum of the jackrabbit-1.5.1-src.jar release package is > 0aad51971cc4e002033471a923630cb4c57d2b17. > > Please vote on releasing this package as Apache Jackrabbit 1.5.1. The > vote is open for the next 72 hours and passes if a majority of at > least three +1 Jackrabbit PMC votes are cast. > > [ ] +1 Release this package as Apache Jackrabbit 1.5.1 > [ ] -1 Do not release this package because... > > With the source release I have also included pre-compiled binaries for > the main deployment packages (webapp, jca, standalone) as well as a > staged Maven repository containing pre-compiled versions of all the > components that have been changed since 1.5.0. If this vote passes, I > will make the source release and the deployment packages available on > the Jackrabbit download page and publish the other binaries in the > central Maven repository. > > Here's my +1. > > BR, > > Jukka Zitting > > > > Release Notes -- Apache Jackrabbit -- Version 1.5.1 > > Introduction > ------------ > > Apache Jackrabbit is a fully conforming implementation of the Content > Repository for Java Technology API (JCR). A content repository is a > hierarchical content store with support for structured and unstructured > content, full text search, versioning, transactions, observation, and > more. See the Jackrabbit web site at http://jackrabbit.apache.org/ for > more information. > > Apache Jackrabbit 1.5.1 is a security and bug fix release that fixes > issues reported against previous releases. This release is fully > compatible with the earlier 1.5.0 release. > > Most notably, this release fixes the following security vulnerability. > Thanks to the Red Hat Security Response Team for reporting this issue. > > * CVE-2009-0026: Cross site scripting issues in webapp (JCR-1925) > > The search.jsp and swr.jsp pages in the Jackrabbit webapp are > vulnerable to script injection. This release fixes the issue > by properly escaping all user input. > > This issue affects both the Jackrabbit 1.4 and 1.5.0 releases. > If you are unable to upgrade to 1.5.1 at this point, you can > work around this issue by disabling the search.jsp and swr.jsp > pages in the Jackrabbit webapp. > > See below for a full listing of fixes included in this release. > > Changes in this release > ----------------------- > > All the fixes in this release are listed below per affected component. > The modified components have had their version numbers upgraded to 1.5.1; > other components are still at version 1.5.0. > > jackrabbit-core > > Bug fixes > [JCR-1823] Repository.login throws IllegalStateException > [JCR-1838] Garbage collection deletes temporary files in FileDataStore > [JCR-1920] Custom LoginModule configurations broken in 1.5.0 > [JCR-1931] SharedFieldCache$StringIndex memory leak causing OOM's > > jackrabbit-jcr-commons > > Bug fixes > [JCR-1926] Text.unescape("%") throws a StringIndexOutOfBoundsException > > jackrabbit-jcr-server > > Bug fixes > [JCR-1902] Warning while building DAV:parent-set for root-node resource > > jackrabbit-jcr-servlet > > Bug fixes > [JCR-1910] RMIRemoteBindingServlet fails to initialize if the RMI ... > > jackrabbit-standalone > > Bug fixes > [JCR-1912] RMI reference not automatically bound by the standalone server > > jackrabbit-webapp > > Security fixes > [JCR-1925] CVE-2009-0026: Cross site scripting issues in webapp > > Bug fixes > [JCR-1920] The 1.5.0 webapp points to 1.4 javadocs > [JCR-1930] Extra </div> in populate.jsp > > jackrabbit-webdav > > Bug fixes > [JCR-1926] Text.unescape("%") throws a StringIndexOutOfBoundsException > > You can look up individual issues for more details in the Jackrabbit > issue tracker at > > https://issues.apache.org/jira/browse/JCR > > Release Contents > ---------------- > > This release consists of a single source archive (jackrabbit-1.5.1-src.jar) > that contains all the Apache Jackrabbit components. Use the following > commands (or the equivalent in your system) to build the release with > Maven 2 and Java 1.4 or higher: > > jar xf jackrabbit-1.5.1-src.jar > cd jackrabbit-1.5.1-src > mvn install > > Note that the OCM components require Java 5 or higher, and are not included > in the build when using Java 1.4. > > The source archive is accompanied by SHA1 and MD5 checksums and a PGP > signature that you can use to verify the authenticity of your download. > The public key used for the PGP signature can be found at > https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS. > > The build will result in the following components (with artifactIds in > parenthesis) being built and installed in your local Maven repository. > Pre-built binary artifacts of these components are also available on > the on the central Maven repository. > > * Jackrabbit Parent POM (jackrabbit-parent) > The Maven parent POM for all Jackrabbit components. > > * Jackrabbit API (jackrabbit-api) > Interface extensions that Apache Jackrabbit supports in > addition to the standard JCR API. > > * Jackrabbit JCR Commons (jackrabbit-jcr-commons) > General-purpose classes for use with the JCR API. > > * Jackrabbit JCR Tests (jackrabbit-jcr-tests) > Set of JCR API test cases designed for testing the compliance > of an implementation. Note that this is not the official JCR TCK! > > * Jackrabbit JCR Benchmarks (jackrabbit-jcr-benchmark) > Framework for JCR performance tests. > > * Jackrabbit Core (jackrabbit-core) > Core of the Apache Jackrabbit content repository implementation. > > * Jackrabbit Text Extractors (jackrabbit-text-extractors) > Text extractor classes that allow Jackrabbit to extract text content > from binary properties for full text indexing. > > * Jackrabbit JCR-RMI (jackrabbit-jcr-rmi) > RMI remoting layer for the JCR API. > > * Jackrabbit WebDAV Library (jackrabbit-webdav) > Interfaces and common utility classes used for building a > WebDAV server or client. > > * Jackrabbit JCR Server (jackrabbit-jcr-server) > WebDAV servlet implementations based on JCR. > > * Jackrabbit JCR Servlets (jackrabbit-jcr-servlet) > Set of servlets and other classes designed to make it easier to use > Jackrabbit and other JCR content repositories in web applications. > > * Jackrabbit Repository Classloader (jackrabbit-classloader) > Java classloader for loading classes from JCR content repositories. > > * Jackrabbit Web Application (jackrabbit-webapp) > Deployable Jackrabbit installation with WebDAV support for JCR. > > * Jackrabbit JCA Resource Adapter (jackrabbit-jca) > J2EE Connector Architecture (JCA) resource adapter for Jackrabbit. > > * Jackrabbit SPI (jackrabbit-spi) > The SPI defines a layer within a JSR-170 implementation that separates > the transient space from the persistent layer. > > * Jackrabbit SPI Commons (jackrabbit-spi-commons) > This component contains generic utility classes that might be used > to build an SPI implementation. > > * Jackrabbit SPI2JCR (jackrabbit-spi2jcr) > This component contains a SPI implementation wrapping around an > implementation of JSR-170. > > * Jackrabbit JCR2SPI (jackrabbit-jcr2spi) > This component contains an implementation of the JSR-170 API and > covers the functionality that is not delegated to the SPI > implementation. > > * Jackrabbit Standalone (jackrabbit-standalone) > Jackrabbit server in a self-contained runnable jar. > > * Jackrabbit OCM (jackrabbit-ocm) > Object-Content mapping tool for persisting and accessing Java objects > in a JCR content repository. > > * Jackrabbit OCM Node Management (jackrabbit-ocm-nodemanagement) > This component simplifies registration of node types and namespaces > referenced in OCM mapping descriptors. >
