www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Reschke <resc...@apache.org>
Subject [ANNOUNCE] Apache Jackrabbit 2.6.6 released
Date Sat, 17 Sep 2016 09:30:43 GMT
The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.6.6. The release is available for download at:


See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit -- Version 2.6.6


This is Apache Jackrabbit(TM) 2.6, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.6.6 is a patch release that contains fixes and
improvements over Jackrabbit 2.6. This release also contains a security fix
for Jackrabbit 2.6.5 and earlier. Jackrabbit 2.6.x releases are considered
stable and targeted for production use.

Security advisory (JCR-3883 / CVE-2015-1833)

This release fixes an important security issue in the jackrabbit-webdav 
reported by Mikhail Egorov.

When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or  "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by 
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.

Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository.

Changes since Jackrabbit 2.6.5


     [JCR-3235] - ArrayIndexOfOufBounds in 
     [JCR-3693] - Lucene configuration - aggregation definition : 
problem with include-property tag
     [JCR-3709] - DBDataStore updates 2 times the lastModified Date on 
touch when GC is running
     [JCR-3710] - occasional test failures in TokenBasedAuthenticationTest
     [JCR-3711] - RepositoryChecker versioning cleanup may leave 
repaired node in invalid type state
     [JCR-3721] - Slow and actively called NodeId.toString()
     [JCR-3761] - TokenInfo#resetExpiration always fails with 
     [JCR-3770] - refine validateHierarchy check in order to avoid 
     [JCR-3773] - Lucene ConsistencyCheck reports nodes under 
jcr:nodeTypes as deleted
     [JCR-3783] - Deadlock due to IOException in 
     [JCR-3784] - ReplacePropertyWhileOthersReadTest fails when run with 
     [JCR-3796] - TokenProvider.createToken is case sensitive
     [JCR-3798] - NPE while building path in lucene index consistency 
     [JCR-3809] - ConnectionHelper swallows exception when it fails to 
reset binary streams after a failed SQL statement execution
     [JCR-3811] - AppendRecord should allow reattempting database 
insertions of journal records should the initial attempt fail
     [JCR-3814] - IllegalStateException in LockManager#unlock
     [JCR-3821] - SeededSecureRandom thread can prevent Jackrabbit from 
shutting down
     [JCR-3840] - NodeTypeDefDiff does not take same-name child type 
definitions into account
     [JCR-3883] - Jackrabbit WebDAV bundle susceptible to XXE/XEE attack 
     [JCR-3909] - CSRF bug in Jackrabbit-Webdav
     [JCR-3949] - occasional test failure in 
     [JCR-3950] - XSS in DirListingExportHandler
     [JCR-4009] - CSRF in Jackrabbit-Webdav


     [JCR-3573] - Improve token based login concurrency
     [JCR-3628] - Embed cause in 
org.apache.jackrabbit.core.SessionImpl#getNodeByIdentifier while 
rethrowing IllegalArgumentException
     [JCR-3687] - Backport improvements made to token based auth in OAK
     [JCR-3810] - StreamWrapper can attempt to reset other types of 
     [JCR-3826] - AbstractPrincipalProvider cachesize is not configurable

In addition to the above-mentioned changes, this release contains
all the changes included up to the Apache Jackrabbit 2.10.x release.

For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at


Release Contents

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at

About Apache Jackrabbit

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/


Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the 
Jackrabbit project logo are trademarks of The Apache Software Foundation.

View raw message