path: root/archiva-docs/src/site/apt/release-notes.apt.vm
 -----
 Release Notes for Archiva ${project.version}
 -----

~~ Licensed to the Apache Software Foundation (ASF) under one                      
~~ or more contributor license agreements.  See the NOTICE file                    
~~ distributed with this work for additional information                           
~~ regarding copyright ownership.  The ASF licenses this file                      
~~ to you under the Apache License, Version 2.0 (the                               
~~ "License"); you may not use this file except in compliance                      
~~ with the License.  You may obtain a copy of the License at                      
~~                                                                                 
~~   http://www.apache.org/licenses/LICENSE-2.0                                    
~~                                                                                 
~~ Unless required by applicable law or agreed to in writing,                      
~~ software distributed under the License is distributed on an                     
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY                          
~~ KIND, either express or implied.  See the License for the                       
~~ specific language governing permissions and limitations                         
~~ under the License.                                                              

Release Notes for Archiva ${project.version}

 The Apache Archiva team is pleased to announce the release of Archiva
 ${project.version}.  Archiva is {{{https://archiva.apache.org/download.html}
 available for download from the web site}}.

 Archiva is an application for managing one or more remote repositories,
 including administration, artifact handling, browsing and searching.

 This is a security fix release. Users are advised to update their systems to the new
 version as soon as possible.

 For further information see:  {{https://archiva.apache.org/security.html}}

 If you have any questions, please consult:

  * the web site: {{https://archiva.apache.org/}}

  * the archiva-user mailing list: {{https://archiva.apache.org/mailing-lists.html}}

* New in Archiva ${project.version}

 Apache Archiva ${project.version} is a security fix release:

** Compatibility Changes

  * [MRM-2021] There is a new flag 'literalVersion=true/false' for the service archivaServices/searchService/artifact
    which allows changing the behaviour of the v=LATEST search.

** New Feature

  * There are no new features in this release.

** Improvements

  * There are no improvements

** Bug/Security Fix

  * [MRM-2027] Update of the log4j2 version to 2.17.0

  * [MRM-2020] Fixed the behaviour of the startup script, if ARCHIVA_BASE is set (separating installation and data directory)

  * [MRM-2022] Fixed the handling of the X-XSRF-TOKEN header in JavaScript calls



Previous Release Notes


* Release Notes for Archiva 2.2.6

 Apache Archiva 2.2.6 is a security fix release:

 Released: 2021-12-15

** Compatibility Changes

  * No API changes or known side effects.

** New Feature

  * There are no new features in this release.

** Improvements

  * There are no improvements

** Bug/Security Fix

  * Update of the log4j2 version to mitigate the log4j2 vulnerability (CVE-2021-44228)

  * Deactivated directory listings by the file servlet


* Release Notes for Archiva 2.2.5

 Apache Archiva 2.2.5 is a bug fix release:

 Released: 2020-06-19

** Compatibility Changes

  * No API changes or known side effects.

** New Feature

  * There are no new features in this release.

** Improvements

  * There are no improvements

** Bug Fix
 
  * [MRM-2008] Fix for group names with slashes

  * Better handling of LDAP filter 


* Release Notes for Archiva 2.2.4

 Apache Archiva 2.2.4 is a bug fix release:

  * Fixes for handling of artifacts

  * Improved validation of REST calls

** Compatibility Changes

 No API changes or known side effects.

 Released: 2019-04-30

** New Feature

  *  There are no new features in this release.

** Improvements

  * Adding additional validation to REST service calls for artifact upload

** Bug Fix

  * [MRM-1972] Stored XSS in Web UI Organization Name

  * [MRM-1966] Repository-purge not working

  * [MRM-1958] Purge by retention count deletes files but leaves history on website.

  * [MRM-1929] Repository purge is not reflected in index


* Release Notes for Archiva 2.2.3

** New in Archiva 2.2.3

  Apache Archiva 2.2.3 is a bug fix release:

  * Some fixes for the REST API were added to detect requests from unknown origin

  * Some bugfixes were added

** Compatibility Changes

  * The REST services now check the origin of requests by analysing the Origin
    and Referer headers of the HTTP requests and by adding a validation token to the header.
    This prevents requests from malicious sites if they are open in the same browser. If you use
    the REST services from other clients you may change the behaviour with the new
    configuration properties for the Redback security (<<<rest.csrffilter.*>>>, <<<rest.baseUrl>>>).
    For more information see {{{./adminguide/customising-security.html}Archiva Security Configuration}} and
    the {{{/redback/integration/rest.html}Redback REST documentation}}.

    <<Note:>> If your Archiva installation is behind a reverse proxy or load balancer, it is possible
     that the Archiva Web UI does not load after the upgrade. If this is the case you may access the Web UI
     via localhost or edit archiva.xml manually. In the "Redback Runtime Configuration" properties you have to
     enter the base URLs of your Archiva installation in the <<<rest.baseUrl>>> field.

  * Archiva uses redback for authentication and authorization in version 2.6
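
  The origin check and validation token described above, and why a reverse proxy breaks the Web UI until the public base URL is configured, shown as an added Python sketch; it is not Archiva or Redback code. The function names, sample URLs and token value are assumptions made for illustration, as are the Origin-before-Referer preference and the rejection of requests that carry neither header.

```python
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
TOKEN_HEADER = "x-xsrf-token"  # header name from MRM-2022, compared lower-cased


def origin_of(url):
    """Reduce a URL to (scheme, host, port); None if it is not an http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed port or host
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def check_request(headers, base_urls, session_token):
    """Return (allowed, reason) for one REST request (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}
    allowed = {origin_of(u) for u in base_urls} - {None}
    # Assumption: Origin is preferred and Referer is the fallback.
    source = h.get("origin") or h.get("referer")
    if not source:
        return (False, "no Origin or Referer header")
    if origin_of(source) not in allowed:
        return (False, "origin not in configured base URLs")
    sent = h.get(TOKEN_HEADER, "")
    if not session_token or not hmac.compare_digest(sent.encode(), session_token.encode()):
        return (False, "missing or wrong validation token")
    return (True, "ok")


# Constructed sample data: Archiva listens locally, users reach it via a proxy.
LOCAL_ONLY = ["http://localhost:8080"]
WITH_PUBLIC = LOCAL_ONLY + ["https://repo.example.org/archiva"]
TOKEN = "constructed-session-token"
UI_CALL = {"Origin": "https://repo.example.org", "X-XSRF-TOKEN": TOKEN}

if __name__ == "__main__":
    print(check_request(UI_CALL, LOCAL_ONLY, TOKEN))   # rejected: proxy URL unknown
    print(check_request(UI_CALL, WITH_PUBLIC, TOKEN))  # accepted once base URL is listed
```

  The comparison is on scheme, host and port, so a base URL entered with the wrong scheme (http instead of https behind a TLS-terminating proxy) fails the same way as a missing one.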


** Change List

  Released: <<2017-05-13>>


*** New Feature


*** Improvement

     * [MRM-1925] - Make User-Agent header configurable for HTTP requests

     * [MRM-1861], [MRM-1924] - Increasing timeouts for repository check

     * [MRM-1937] - Prevent creating initial admin user with wrong name.

     * Adding origin header validation checks for REST requests

*** Bug Fix

     * [MRM-1859] - Error upon viewing 'Artifacts' tab when browsing an artifact

     * [MRM-1874] - Login Dialog triggers multiple events (+messages)

     * [MRM-1908] - Logged on users can write any repository

     * [MRM-1909] - Remote repository check fails for https://repo.maven.apache.org/maven2

     * [MRM-1923] - Fixing bind issue with certain ldap servers, when user not found

     * [MRM-1926] - Invalid checksum files in Archiva repository after download from remote repository

     * [MRM-1928] - Bad redirect URL when using Archiva through HTTP reverse proxy
 
     * [MRM-1933] - No message body writer has been found for class org.apache.archiva.rest.services.ArchivaRestError
 
     * [MRM-1940] - Slashes appended to remote repo url


* Release Notes for Archiva 2.2.1

** New in Archiva 2.2.1

 Apache Archiva 2.2.1 is a bug fix release:

 NOTE: JDK 1.7 is now a prerequisite for Apache Archiva 2.2.1

** Compatibility Changes

  If using the Cassandra backend, the metadatafacet column 'key' has been renamed to 'facetKey' in 2.2.0 so you should copy the data to the new column manually.
  If upgrading from earlier versions of Archiva, the list of libraries in wrapper.conf has changed. If you have customized your copy of wrapper.conf, please update it for compatibility with the version distributed with the current release.
  As the database storage has been removed, you can remove the JNDI entry for jdbc/archiva.

  Refer to the Upgrading Archiva guide for more information.

** List of Changes

*** Improvement

  * [MRM-1201] - Artifact upload success message should mention the classifier

  * [MRM-1906] - Allowing filtering of LDAP groups

*** Bug Fix

  * [MRM-1873] - archiva doesn't recognise ldap-group to ldap-users mapping

  * [MRM-1877] - Checksum files always recreated

  * [MRM-1879] - Bug in create-missing-checksum consumer

  * [MRM-1886] - View Artifact Content Action does not Work

  * [MRM-1887] - Syntax error in DOAP file release section; wrong bug- database URL

  * [MRM-1892] - Only One Page of Proxy Connector Rules Shown

  * [MRM-1893] - Please delete old releases from mirroring system

  * [MRM-1896] - Invalid link to license

  * [MRM-1914] - Maven cannot find dependency


* Release Notes for Archiva 2.2.0

** New in Archiva 2.2.0

 Apache Archiva 2.2.0 is a bug fix release:

 NOTE: JDK 1.7 is now a prerequisite for Apache Archiva 2.2.0

** Compatibility Changes

 If using the Cassandra backend, the metadatafacet column 'key' has been renamed to 'facetKey' in 2.2.0 so you should
 copy the data to the new column manually.
 If upgrading from earlier versions of Archiva, the list of libraries in wrapper.conf has changed. If you have customized
 your copy of wrapper.conf, please update it for compatibility with the version distributed with the current release.
 As the database storage has been removed, you can remove the JNDI entry for jdbc/archiva. After upgrading from a previous
 version, you will have to run a full scan to populate the new JCR Repository. This will be done on first start of Archiva.

 Refer to the Upgrading Archiva guide for more information.

** List of Changes in Archiva 2.2.0

*** New Feature

  * [MRM-1867] - Adding a find jar by checksum functionality to the REST api

*** Improvement

  * [MRM-1390] - Generic metadata should be searcheable in Archiva search

  * [MRM-1844] - Allow LDAP groupOfNames

*** Bug Fix

  * [MRM-770] - Archiva web client does not recognize classifier

  * [MRM-813] - Audit log is reporting "Modify File (proxied)" when no proxy connectors exist and the file has not changed

  * [MRM-837] - Cannot download SNAPSHOT version

  * [MRM-935] - Archiva doesn't supports artifact with <version>SNAPSHOT</version>

  * [MRM-1145] - RSS tests do not correctly check responses

  * [MRM-1311] - Logging in ArtifactMissingChecksumsConsumer does not appear in the logs even if configured properly

  * [MRM-1486] - ldap.config.mapper.attribute.user.filter using ldap not working correctly with commas.

  * [MRM-1767] - When selecting a specific repository to browse, I get an error that I don't have sufficient privileges.

  * [MRM-1807] - Archiva wrapper fail to start

  * [MRM-1810] - LDAP - groups config not available in Users Runtime Configuration - Properties

  * [MRM-1811] - Users - Manage section: pagination needs to change

  * [MRM-1846] - Regression in 2.0.1 : uniqueVersion false not supported

  * [MRM-1848] - download links for files mult-dot extensions incorrect in Browse view

  * [MRM-1851] - generic metadata GUI broken

  * [MRM-1860] - ClassNotFound exception with JBoss

  * [MRM-1863] - RepositoryGroup URL is not build using the Application URL

  * [MRM-1864] - Default configuration for central should now use SSL

  * [MRM-1871] - ConcurrentModificationException in DefaultRepositoryProxyConnectors

  * [MRM-1873] - archiva doesn't recognise ldap-group to ldap-users mapping

*** Task

  * [MRM-1359] - Remove Maven 1.x functionality

  * [MRM-1865] - remove isPermanent from Consumer API

History

  Archiva was started in November 2005, building a simple framework on top of some existing repository conversion
  tools within the Maven project. Initial development focused on repository conversion, error reporting, and indexing.
  From January 2006 a web application was started to visualise the information and to start incorporating
  functionality from the unmaintained maven-proxy project.

  Development continued through many stops and starts. Initial versions of Archiva were built from source by contributors,
  and the first alpha version was not released until April 2007. Some significant changes were made to improve
  performance and functionality in June 2007. Over the next 6 months, through a series of alpha and beta releases,
  a concerted effort was made to release the 1.0 version.

  Archiva became an Apache "top level project" in March 2008.