author Brett Porter <brett@apache.org> 2011-04-12 07:16:34 +0000
committer Brett Porter <brett@apache.org> 2011-04-12 07:16:34 +0000
commit 58d905941b9522e830c6e13b3a850b5cc637679e
tree efc91986ae30bd13aed14aba23b77daaa8096cc0 /archiva-docs
parent 76289acb8d77d6bd543d2d5fe4a109e40e1c0f73
[MRM-1480]/[REDBACK-274] (CVE-2011-1026)
o upgrade to redback 1.2.8-SNAPSHOT
o configured struts2's token interceptor + use of <s:token> in affected actions to prevent CSRF issue

[MRM-1460] added selenium tests for CSRF fixes in affected pages

Merged: r1066067:1091313

git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1091315 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'archiva-docs')
-rw-r--r-- archiva-docs/src/site/apt/release-notes.apt 30
1 files changed, 30 insertions, 0 deletions
diff --git a/archiva-docs/src/site/apt/release-notes.apt b/archiva-docs/src/site/apt/release-notes.apt
index 03784f274..e0fe6d570 100644
--- a/archiva-docs/src/site/apt/release-notes.apt
+++ b/archiva-docs/src/site/apt/release-notes.apt
@@ -19,6 +19,26 @@ Release Notes for Archiva 1.4
~~TODO
+* Compatibility Changes
+
+ * If upgrading from versions of Archiva earlier than 1.2.2, the list of libraries
+ in <<<wrapper.conf>>> has changed. If you have customized your copy of
+ <<<wrapper.conf>>>, please update it for compatibility with the version distributed
+ with the current release.
+
+* Security Vulnerabilities
+
+ * A CSRF security vulnerability (CVE-2010-3449) is present in 1.3.2 and earlier.
+
+ * An XSS security vulnerability (CVE-2011-0533) is present in 1.3.3 and earlier.
+
+ * Additional CSRF (CVE-2011-1026) and XSS security (CVE-2011-1077) vulnerabilities have been reported against 1.3.4
+ and earlier versions.
+
+ It is important that users using lower versions of Archiva upgrade to this version (or higher).
+
+ See {{{http://archiva.apache.org/security.html} Archiva Security}} for more details.
+
* Release Notes
The Archiva 1.4 feature set can be seen in the {{{tour/index.html} feature tour}}.
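Review bot: In the added "Security Vulnerabilities" list, none of the three bullets says which release fixes the issue. Each gives only the last affected version ("1.3.2 and earlier", "1.3.3 and earlier", "1.3.4 and earlier"), and the closing sentence "upgrade to this version (or higher)" leaves 1.3.x users to guess whether a 1.3.x maintenance release is sufficient. Suggest stating the fixed version next to each CVE id. Minor wording: "XSS security (CVE-2011-1077) vulnerabilities" reads better as "XSS (CVE-2011-1077) security vulnerabilities", and "users using lower versions" could be "users of earlier versions".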
@@ -29,6 +49,16 @@ Release Notes for Archiva 1.4
~~TODO
+Previous Releases
+
+* Changes in Archiva 1.3.5
+
+ Released: <<14 March 2011>>
+
+** Task
+
+ * [MRM-1460] - Upgrade Archiva to Redback 1.2.7
+
* Changes in Archiva 1.3.4
Released: <<9 February 2011>>
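Review bot: The new "Changes in Archiva 1.3.5" entry lists only "[MRM-1460] - Upgrade Archiva to Redback 1.2.7" and gives no hint that the release is security relevant, although the first hunk reports CVE-2011-1026 and CVE-2011-1077 against 1.3.4 and earlier. If 1.3.5 is the release that addresses them, say so in this entry and reference the CVE ids, so that someone reading only the per-release changes can tell it is a security update. The commit message mentions redback 1.2.8-SNAPSHOT while this entry says 1.2.7; a short note on which Redback version applies to which Archiva line would avoid confusion.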