Looks good to me. Diffs with the 2.3 tar.gz's show very few things changed, and ones you'd expect to be changed.

Has there already been a vote to release 2.3.1?

Hen

On 11/20/06, Dave <[EMAIL PROTECTED]> wrote:
Henri,

I've created and signed a new release of Roller 3.2 with 1) fixes for the comment XSS problem and 2) no BCL jars. I updated the change list and install docs accordingly. Please give it a quick test so we can replace the existing 2.3 release with this new one.

Here are the release files: http://people.apache.org/~snoopdave/apache-roller-2.3.1/

And here's what I added to the CHANGES.txt doc:

Roller 2.3.1: minor release to fix security risk in comment form and licensing issue

*** Security risk in comment form

Allowing commenters to leave HTML in comments is a potential security risk because it allows commenters to add malicious Javascript code. You can disable HTML in comments via the Roller admin interface, but in Roller 2.3 and earlier versions of Roller, attackers could still add malicious HTML to the name, email and URL fields. We fixed the problem in Roller 2.3.1 and all subsequent versions of Roller by stripping all HTML from name, email and comment fields at comment post time.

*** Licensing issue with JavaMail and Activation jars

The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy. So these jars have been removed from the release and instructions have been added to the Installation Guide that explain how to get them and add them to Roller.

- Dave

On 11/11/06, Henri Yandell <[EMAIL PROTECTED]> wrote:
> On 11/10/06, Dave <[EMAIL PROTECTED]> wrote:
> > On 11/10/06, Henri Yandell <[EMAIL PROTECTED]> wrote:
> > > Sorry for not bringing this up earlier.
> > >
> > > We need to remove the javamail and activation jars from the 2.3
> > > release as well (and re-pgp/md5 it).
> >
> > Yes and we have a security fix in 2.3.1 that we never formally released.
> >
> > > Dave, is this something you have time for as 2.3 RM, or do you need
> > > someone to volunteer?
> >
> > I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.
>
> Either 2.3.1 with a vote to release it - and removing 2.3 from the
> mirrors/archives, or just modifying 2.3 to not contain the jars is
> fine by me.
>
> Hen
>
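The following is an added illustration of the class of fix the CHANGES entry above describes; it is not part of the thread and not Roller's own code. It contrasts a comment filter that only strips HTML from the comment body (the 2.3 behaviour as described: name, email and URL stored as submitted) with one that strips HTML from every commenter-supplied field at post time, and still HTML-escapes everything at render time. The `Comment` type, function names and sample submission are constructed for the example, and the URL scheme allow-list in `sanitize_fixed` is an extra defensive step that goes beyond what the thread mentions.

```python
"""Added example (not Roller's code): strip HTML from every commenter-supplied
field at post time, not only the comment body, and escape again at render time.
All names and sample inputs here are constructed for illustration."""
from dataclasses import dataclass, replace
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _TagStripper(HTMLParser):
    """Keeps only text nodes; drops all tags, comments, and script/style contents."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.saw_tag = False
        self._skip = 0  # > 0 while inside <script>/<style>, whose text is dropped too

    def handle_starttag(self, tag, attrs):
        self.saw_tag = True
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        self.saw_tag = True
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def _parse(text: str) -> _TagStripper:
    parser = _TagStripper()
    parser.feed(text)
    parser.close()
    return parser


def strip_html(text: str) -> str:
    """Return the text content of an HTML fragment with every tag removed."""
    return "".join(_parse(text).parts).strip()


def contains_markup(text: str) -> bool:
    """True if the stored value still carries any HTML tag."""
    return _parse(text).saw_tag


@dataclass(frozen=True)
class Comment:
    name: str
    email: str
    url: str
    body: str


def sanitize_pre_fix(c: Comment, allow_html_in_body: bool = False) -> Comment:
    """Behaviour the thread describes for 2.3: with HTML-in-comments disabled,
    only the body is stripped; name, email and URL are stored as submitted."""
    body = c.body if allow_html_in_body else strip_html(c.body)
    return replace(c, body=body)


def sanitize_fixed(c: Comment, allow_html_in_body: bool = False) -> Comment:
    """2.3.1-style fix: strip HTML from all commenter-supplied fields at post time.
    The http/https allow-list on the URL is this example's addition, not the thread's."""
    body = c.body if allow_html_in_body else strip_html(c.body)
    url = strip_html(c.url)
    if urlsplit(url).scheme not in ("http", "https"):
        url = ""
    return Comment(name=strip_html(c.name), email=strip_html(c.email), url=url, body=body)


def fields_with_markup(c: Comment) -> list:
    """Audit helper: which stored fields still contain HTML tags."""
    return [f for f in ("name", "email", "url", "body") if contains_markup(getattr(c, f))]


def render(c: Comment) -> str:
    """Output encoding stays in place regardless; post-time stripping is defence in depth."""
    return (f'<p class="comment"><a href="{escape(c.url, quote=True)}">{escape(c.name)}</a> '
            f'&lt;{escape(c.email)}&gt;: {escape(c.body)}</p>')


# Constructed sample submission: markup placed in the fields the thread says were not filtered.
SUBMITTED = Comment(
    name='Mallory<script>alert("xss")</script>',
    email="mallory@example.com<img src=x>",
    url="http://example.com/<b>blog</b>",
    body="Nice <i>post</i>!",
)

if __name__ == "__main__":
    print("pre-fix fields still carrying markup:", fields_with_markup(sanitize_pre_fix(SUBMITTED)))
    print("fixed fields still carrying markup:  ", fields_with_markup(sanitize_fixed(SUBMITTED)))
    print(render(sanitize_fixed(SUBMITTED)))
```

Run stand-alone, the script reports that the pre-fix filter leaves markup in name, email and url while the fixed filter leaves none; the audit helper is the kind of check a blog operator could run over an existing comment table after upgrading, since stripping at post time does nothing for comments already stored.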
