[ANNOUNCE] Apache CXF 3.2.0 released!

2017-09-14 Thread Daniel Kulp
The Apache CXF community is proud to announce that CXF 3.2.0 has been released. 
  

CXF 3.2.0 contains several new features:
- JAX-RS support updated to latest 2.1 specification
- New java2swagger Maven plugin
- New WS-Transfer implementation
- Enhanced tracing support with Zipkin Brave
- Support for Spring Boot 2.x
- JAX-WS support for per-operation schema validation configuration
- New http-undertow transport

For a more complete list of changes required to migrate to CXF 3.2, see:
http://cxf.apache.org/docs/32-migration-guide.html

In addition to 3.2.0, the Apache CXF community has also released 3.1.13 and 
3.0.15.  Both patch releases contain several fixes for bugs and other issues 
that users have encountered.


Downloads are available from:
http://cxf.apache.org/download.html

For more information see:
* Website: http://cxf.apache.org/
* Mailing lists: http://cxf.apache.org/mailing-lists.html

If you have feedback, questions or would like to get involved in the CXF 
project please join the mailing lists and let us know your thoughts.

The Apache CXF Team
http://cxf.apache.org/




[ANNOUNCE] Apache Jackrabbit 2.14.3 released

2017-09-14 Thread Julian Reschke

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.14.3. The release is available for download at:

https://jackrabbit.apache.org/jcr/downloads.html#v2.14

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit -- Version 2.14.3

Introduction


This is Apache Jackrabbit(TM) 2.14.3, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.14.3 is a patch release that contains fixes and
improvements over Jackrabbit 2.14. Jackrabbit 2.14.x releases are
considered stable and targeted for production use.

Changes in Jackrabbit 2.14.3


Bug

[JCR-3901] - TCK LockManagerTest does not allow new JCR 2.0 functionality for lock token transfers
[JCR-4173] - Unable to receive observation events when connecting via DavEx
[JCR-4179] - Test failures with Java 9 when using javax.imageio.spi.ServiceRegistry


Task

[JCR-4101] - add code coverage profile (jacoco)
[JCR-4139] - Update commons-fileupload dependency to 1.3.2
[JCR-4157] - jackrabbit-jcr-server: code cleanup
[JCR-4177] - move Mockito version to parent pom

Sub-task

[JCR-4164] - add test coverage for content codings
[JCR-4165] - WebDAV servlet: reject unknown/unsupported content codings with 4xx status code



For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at

https://issues.apache.org/jira/browse/JCR

Release Contents


This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more.

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation


Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/

Trademarks
----------

Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache
Jackrabbit project logo are trademarks of The Apache Software Foundation.



[ANNOUNCE] Apache Jackrabbit Oak 1.7.7 released

2017-09-14 Thread Davide Giannella
The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit Oak. The release is available for download at:

http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit Oak -- Version 1.7.7

Introduction


Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

Apache Jackrabbit Oak 1.7.7 is an unstable release cut directly from
Jackrabbit Oak trunk, with a focus on new features and other
improvements. For production use we recommend the latest stable 1.6.x
release.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

Changes in Oak 1.7.7
--------------------

Technical task

[OAK-6506] - Ensure unique property indexes are consistent when
mounting NodeStores
[OAK-6581] - Ensure mounts are consistent with the namespace
registry
[OAK-6591] - Refactor ValuePattern related logic to utility
methods
[OAK-6603] - [oak-blob-cloud] Remove the older S3 connector
relying on JR caching
[OAK-6612] - Refactor encoding logic in property index to utility
class
[OAK-6630] - Remove older cached FileDataStore relying on JR
caching

Bug

[OAK-6560] - Sidegrade uses too much memory
[OAK-6572] - IndexReaderClosed exception seen after some run
[OAK-6573] - The --src-external-ds option does not mandate
argument but reads it later
[OAK-6596] - Blob store consistency check can show bogus errors
about missing blobs
[OAK-6598] - LuceneIndexAggregationTest2 doesn't get executed by
mvn test
[OAK-6601] - SegmentWriteOperation.isOldGeneration() too eager
[OAK-6602] - Improve resource management in BulkTransferBenchmark
[OAK-6604] - Oak Blob Cloud is not used by oak-upgrade
[OAK-6611] - [upgrade][oak-blob-cloud] Many S3DataStore errors
during migration with oak-upgrade
[OAK-6620] - NodeStoreFixtureProvider should unregister services
registered with whiteboard
[OAK-6624] - InitialContentMigrator overwrites an existing
repository
[OAK-6640] - test failure in ResponseDecoderTest
[OAK-6645] - 1.7.7 release fails on javadoc

Improvement

[OAK-2710] - Remove Utils.unshareString
[OAK-4906] - Lucene: Support relative property based query by
transforming the path
[OAK-5192] - Reduce Lucene related growth of repository size
[OAK-6030] - Add tests for TarFiles
[OAK-6563] - Session.hasCapability(...) should reflect read-only
status of mounts
[OAK-6568] - TarFiles returns null instead of an empty list in the
graph
[OAK-6569] - TarFiles should uniformly use TAR file names instead
of paths
[OAK-6570] - TarFiles represents referenced segments in a graph as
a list instead of a set
[OAK-6574] - Lucene index: include/exclude key pattern list
[OAK-6578] - Enhance the UniqueEntryStoreStrategy to return list
of matching values and paths
[OAK-6585] - Allow to use patterns in the
Mount#pathSupportingFragments
[OAK-6587] - Provide a way to "force" Tika to treat binaries with
a different mime type than the jcr:mimeType property
[OAK-6588] - MongoDocumentStore should avoid logging warning when
connect in read only mode
[OAK-6589] - Close the fixture in oak run console
[OAK-6590] - Avoid logging import statements for :load command
execution
[OAK-6592] - Remove path and rootBuilder from the
CompositeNodeBuilder
[OAK-6595] - Pre-populate the default store when running composite
node store
[OAK-6605] - Provide job name for async index update
[OAK-6609] - Provide job name for JournalGC and RevisionGC job
[OAK-6613] - Provide list of all bundled nodes within a given
DocumentNodeState
[OAK-6614] - Add ability to add 'excludeFromAggregation' setting
while building index definition
[OAK-6617] - Mounts.DefaultMount.getName() should not be empty
[OAK-6621] - Initialize a default sensible stats provider in
UploadStagingCache
[OAK-6622] - Configure default core pool size for thread pool used
by oak-lucene
[OAK-6625] - Avoid oak-run compact inadvertently upgrading the
segment format
[OAK-6634] - Confusing log entries when memory requirements are
not met at start of OnRC
[OAK-6636] - Create a path cache for the CompositeNodeState
[OAK-6637] - Release IndexNode lock in finally clause

New Feature

[OAK-4348] - Cross language search via SMT
[OAK-6514] - Make Lucene merge policy configurable
[OAK-6593] - CacheStats metrics

Task

[OAK-6576] - Refactor OakDirectory to be more manageable
[OAK-6599] - Review testcases which do not confirm to Maven test
pattern
[OAK-6629] - Remove unused datastore code relying on JR2 data

[ANNOUNCEMENT] HttpComponents Core 4.4.7 Released

2017-09-14 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 4.4.7 GA
release of HttpComponents Core.

This is a maintenance release that fixes a number of issues discovered
since 4.4.6.

Please note that as of 4.4 HttpCore requires Java 1.6 or newer.

IMPORTANT: Users of HttpCore 4.x GA releases are strongly encouraged to
evaluate new HttpCore 5.0 APIs and give the project developers
feedback, share critique or propose changes.

Download -

Release notes -

HttpComponents site -


About HttpComponents Core

HttpCore is a set of low level HTTP transport components that can be
used to build custom client and server side HTTP services with a
minimal footprint. HttpCore supports two I/O models: a blocking I/O
model based on the classic Java I/O and a non-blocking, event driven
I/O model based on Java NIO.


MEDIA ALERT: The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit

2017-09-14 Thread Sally Khudairi
[this announcement is available online at https://s.apache.org/7bip ]

Who: Apache® Struts™ is a popular Open Source framework for creating
enterprise-grade Java Web applications. Apache Struts powers front- and
back-end applications and Internet of Things (IoT) devices for many of
the world's most visible financial institutions, government
organizations, technology service providers, telecommunications
agencies, and Fortune 100 companies.

Apache Struts is an Apache Software Foundation Top-Level Project (since
2004) and is overseen by a self-selected team of active contributors to
the project. A Project Management Committee (PMC) guides the Project's
day-to-day operations, including community development and product
releases.

What: On 7 September 2017, credit reporting agency Equifax announced a
data breach affecting 143 million consumers.
https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628

Following this announcement, additional claims stated that the breach
was caused by CVE-2017-9805, an exploit in Apache Struts that was
disclosed on 4 September 2017.
https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/

On 9 September 2017, the Apache Struts PMC issued a statement on the
Equifax data breach that included details on its response process to
reported vulnerabilities and also provided recommended security
guidelines. https://s.apache.org/8thB

On 13 September 2017, Equifax issued a statement confirming that "The
vulnerability was Apache Struts CVE-2017-5638".
https://www.equifaxsecurity2017.com/

This vulnerability was patched on 7 March 2017, the same day it was
announced. https://cwiki.apache.org/confluence/display/WW/S2-045

In conclusion, the Equifax data compromise was due to their failure to
install the security updates provided in a timely manner.

When: Apache Struts CVE-2017-5638 was originally reported on 7 March
2017.

Where: For downloads, documentation (including security guide and
bulletins), and how to become involved with Apache Struts, visit
http://struts.apache.org/ and https://twitter.com/TheApacheStruts

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350
leading Open Source projects, including Apache HTTP Server --the world's
most popular Web server software. Through the ASF's meritocratic process
known as "The Apache Way," more than 650 individual Members and 6,200
Committers across six continents successfully collaborate to develop
freely available enterprise-grade software, benefiting millions of users
worldwide: thousands of software solutions are distributed under the
Apache License; and the community actively participates in ASF mailing
lists, mentoring initiatives, and ApacheCon, the Foundation's official
user conference, trainings, and expo. The ASF is a US 501(c)(3)
charitable organization, funded by individual donations and corporate
sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget
Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook,
Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb,
Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat,
Serenata Flowers, Target, WANdisco, and Yahoo. For more information,
visit http://apache.org/ and https://twitter.com/TheASF

# # #
