From 58d905941b9522e830c6e13b3a850b5cc637679e Mon Sep 17 00:00:00 2001 From: Brett Porter Date: Tue, 12 Apr 2011 07:16:34 +0000 Subject: [MRM-1480]/[REDBACK-274] (CVE-2011-1026) o upgrade to redback 1.2.8-SNAPSHOT o configured struts2's token interceptor + use of in affected actions to prevent CSRF issue [MRM-1460] added selenium tests for CSRF fixes in affected pages Merged: r1066067:1091313 git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1091315 13f79535-47bb-0310-9956-ffa450edef68 --- archiva-docs/src/site/apt/release-notes.apt | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'archiva-docs') diff --git a/archiva-docs/src/site/apt/release-notes.apt b/archiva-docs/src/site/apt/release-notes.apt index 03784f274..e0fe6d570 100644 --- a/archiva-docs/src/site/apt/release-notes.apt +++ b/archiva-docs/src/site/apt/release-notes.apt @@ -19,6 +19,26 @@ Release Notes for Archiva 1.4 ~~TODO +* Compatibility Changes + + * If upgrading from versions of Archiva earlier than 1.2.2, the list of libraries + in <<>> has changed. If you have customized your copy of + <<>>, please update it for compatibility with the version distributed + with the current release. + +* Security Vulnerabilities + + * A CSRF security vulnerability (CVE-2010-3449) is present in 1.3.2 and earlier. + + * An XSS security vulnerability (CVE-2011-0533) is present in 1.3.3 and earlier. + + * Additional CSRF (CVE-2011-1026) and XSS security (CVE-2011-1077) vulnerabilities have been reported against 1.3.4 + and earlier versions. + + It is important that users using lower versions of Archiva upgrade to this version (or higher). + + See {{{http://archiva.apache.org/security.html} Archiva Security}} for more details. + * Release Notes The Archiva 1.4 feature set can be seen in the {{{tour/index.html} feature tour}}. 
@@ -29,6 +49,16 @@ Release Notes for Archiva 1.4 ~~TODO +Previous Releases + +* Changes in Archiva 1.3.5 + + Released: <<14 March 2011>> + +** Task + + * [MRM-1460] - Upgrade Archiva to Redback 1.2.7 + * Changes in Archiva 1.3.4 Released: <<9 February 2011>> -- cgit v1.2.3
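Review bot: In the first hunk (@@ -19,6 +19,26 @@), the new "Security Vulnerabilities" list names the affected versions for each CVE but never the release that fixes it, and "upgrade to this version (or higher)" leaves the reader to infer what "this version" is. State the first fixed release next to each entry, for example by extending "is present in 1.3.2 and earlier" with the version that resolves it, so an administrator on a 1.3.x line can tell whether a point release is enough or whether 1.4 is required. Also, in the "Compatibility Changes" bullet both monospace markers read `<<>>` with nothing between them in the text shown here, so the file whose library list changed is not named; confirm the file name is present in the committed source.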
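Review bot: In the second hunk (@@ -29,6 +49,16 @@), the new "Changes in Archiva 1.3.5" section lists only "[MRM-1460] - Upgrade Archiva to Redback 1.2.7" under "Task" and says nothing about security, while the first hunk states that CVE-2011-1026 and CVE-2011-1077 were reported against 1.3.4 and earlier. If 1.3.5 is the release that addresses them, add an entry that names both CVEs so the 1.3.5 notes identify it as a security release. The ticket description also differs from the commit message, which associates MRM-1460 with selenium tests for the CSRF fixes and mentions an upgrade to redback 1.2.8-SNAPSHOT; a short line on which Redback version applies to which release line would remove the ambiguity.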