This is an automated email from the ASF dual-hosted git repository.
rzo1 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/opennlp-site.git
The following commit(s) were added to refs/heads/main by this push:
new 8aef5edd1 Adjusts website to include OpenNLP 3.0.0-M3 + 2.5.9
8aef5edd1 is described below
commit 8aef5edd1b9f2bb7bc7a673d2905b896a1277c92
Author: Richard Zowalla <[email protected]>
AuthorDate: Fri May 1 19:47:48 2026 +0200
Adjusts website to include OpenNLP 3.0.0-M3 + 2.5.9
---
.github/workflows/main.yml | 4 +-
pom.xml | 20 +++++++
src/main/jbake/assets/doap_opennlp.rdf | 4 +-
src/main/jbake/content/docs/legacy.ad | 25 ++++++++
src/main/jbake/content/news/index.html | 2 +-
src/main/jbake/content/news/release-259.ad | 76 ++++++++++++++++++++++++
src/main/jbake/content/news/release-300-M3.ad | 84 +++++++++++++++++++++++++++
src/main/jbake/jbake.properties | 4 +-
8 files changed, 213 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c35345a5d..9941956a3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -76,5 +76,7 @@ jobs:
[ -d target/opennlp-site/docs/2.5.6.1 ] && echo 'docs for 2.5.6.1
exists'
[ -d target/opennlp-site/docs/2.5.7 ] && echo 'docs for 2.5.7 exists'
[ -d target/opennlp-site/docs/2.5.8 ] && echo 'docs for 2.5.8 exists'
+ [ -d target/opennlp-site/docs/2.5.9 ] && echo 'docs for 2.5.9 exists'
[ -d target/opennlp-site/docs/3.0.0-M1 ] && echo 'docs for 3.0.0-M1
exists'
- [ -d target/opennlp-site/docs/3.0.0-M2 ] && echo 'docs for 3.0.0-M2
exists'
\ No newline at end of file
+ [ -d target/opennlp-site/docs/3.0.0-M2 ] && echo 'docs for 3.0.0-M2
exists'
+ [ -d target/opennlp-site/docs/3.0.0-M3 ] && echo 'docs for 3.0.0-M3
exists'
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index e188021d0..4e42b2077 100644
--- a/pom.xml
+++ b/pom.xml
@@ -603,6 +603,16 @@
<outputDirectory>${project.build.directory}/distr/2.5.8</outputDirectory>
<excludes>**/lib/**/*</excludes>
</artifactItem>
+ <artifactItem>
+ <groupId>org.apache.opennlp</groupId>
+ <artifactId>opennlp-distr</artifactId>
+ <version>2.5.9</version>
+ <overWrite>false</overWrite>
+ <type>zip</type>
+ <classifier>bin</classifier>
+
<outputDirectory>${project.build.directory}/distr/2.5.9</outputDirectory>
+ <excludes>**/lib/**/*</excludes>
+ </artifactItem>
<artifactItem>
<groupId>org.apache.opennlp</groupId>
<artifactId>opennlp-distr</artifactId>
@@ -623,6 +633,16 @@
<outputDirectory>${project.build.directory}/distr/3.0.0-M2</outputDirectory>
<excludes>**/lib/**/*</excludes>
</artifactItem>
+ <artifactItem>
+ <groupId>org.apache.opennlp</groupId>
+ <artifactId>opennlp-distr</artifactId>
+ <version>3.0.0-M3</version>
+ <overWrite>false</overWrite>
+ <type>zip</type>
+ <classifier>bin</classifier>
+
<outputDirectory>${project.build.directory}/distr/3.0.0-M3</outputDirectory>
+ <excludes>**/lib/**/*</excludes>
+ </artifactItem>
</artifactItems>
</configuration>
</execution>
diff --git a/src/main/jbake/assets/doap_opennlp.rdf
b/src/main/jbake/assets/doap_opennlp.rdf
index bf573f60c..6399fe5e6 100644
--- a/src/main/jbake/assets/doap_opennlp.rdf
+++ b/src/main/jbake/assets/doap_opennlp.rdf
@@ -37,8 +37,8 @@
<release>
<Version>
<name>Apache OpenNLP</name>
- <created>2026-03-31</created>
- <revision>3.0.0-M2</revision>
+ <created>2026-05-01</created>
+ <revision>3.0.0-M3</revision>
</Version>
</release>
<repository>
diff --git a/src/main/jbake/content/docs/legacy.ad
b/src/main/jbake/content/docs/legacy.ad
index cc530205d..b8a4c4409 100755
--- a/src/main/jbake/content/docs/legacy.ad
+++ b/src/main/jbake/content/docs/legacy.ad
@@ -27,6 +27,23 @@ WARNING: This page contains the archived documentation.
Please refer to link:/do
There exists a manual and Javadoc API documentation for Apache OpenNLP. The
manual
explains how the various OpenNLP components can be used and trained.
+== Apache OpenNLP 3.0.0-M2 documentation
+* link:/docs/3.0.0-M2/manual/opennlp.html[Apache OpenNLP Manual]
+* link:/docs/3.0.0-M2/opennlp.pdf[Apache OpenNLP PDF Manual]
+* link:/docs/3.0.0-M2/apidocs/opennlp-api/index.html[Apache OpenNLP API
Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-cli/index.html[Apache OpenNLP CLI
Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-dl/index.html[Apache OpenNLP DL Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-formats/index.html[Apache OpenNLP
Formats Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-ml-bayes/index.html[Apache OpenNLP ML
Bayes Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-ml-commons/index.html[Apache OpenNLP ML
Commons Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-ml-maxent/index.html[Apache OpenNLP ML
Maxent Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-ml-perceptron/index.html[Apache OpenNLP
ML Perceptron Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-model-resolver/index.html[Apache OpenNLP
Model resolver Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-morfologik/index.html[Apache OpenNLP
Morfologik Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-runtime/index.html[Apache OpenNLP
Runtime Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-tools/index.html[Apache OpenNLP Tools
Javadoc]
+* link:/docs/3.0.0-M2/apidocs/opennlp-uima/index.html[Apache OpenNLP UIMA
Javadoc]
+
== Apache OpenNLP 3.0.0-M1 documentation
* link:/docs/3.0.0-M1/manual/opennlp.html[Apache OpenNLP Manual]
* link:/docs/3.0.0-M1/opennlp.pdf[Apache OpenNLP PDF Manual]
@@ -36,6 +53,14 @@ explains how the various OpenNLP components can be used and
trained.
* link:/docs/3.0.0-M1/apidocs/opennlp-tools/index.html[Apache OpenNLP Tools
Javadoc]
* link:/docs/3.0.0-M1/apidocs/opennlp-uima/index.html[Apache OpenNLP UIMA
Javadoc]
+== Apache OpenNLP 2.5.8 documentation
+* link:/docs/2.5.8/manual/opennlp.html[Apache OpenNLP Manual]
+* link:/docs/2.5.8/opennlp.pdf[Apache OpenNLP PDF Manual]
+* link:/docs/2.5.8/apidocs/opennlp-tools/index.html[Apache OpenNLP Tools
Javadoc]
+* link:/docs/2.5.8/apidocs/opennlp-tools-models/index.html[Apache OpenNLP
Tools Models Javadoc]
+* link:/docs/2.5.8/apidocs/opennlp-uima/index.html[Apache OpenNLP UIMA Javadoc]
+* link:/docs/2.5.8/apidocs/opennlp-morfologik-addon/index.html[Apache OpenNLP
Morfologik Addon Javadoc]
+
== Apache OpenNLP 2.5.7 documentation
* link:/docs/2.5.7/manual/opennlp.html[Apache OpenNLP Manual]
* link:/docs/2.5.7/apidocs/opennlp-tools/index.html[Apache OpenNLP Tools
Javadoc]
diff --git a/src/main/jbake/content/news/index.html
b/src/main/jbake/content/news/index.html
index dd5112387..ce451b060 100644
--- a/src/main/jbake/content/news/index.html
+++ b/src/main/jbake/content/news/index.html
@@ -1,5 +1,5 @@
title=News
-date=2026-03-31
+date=2026-05-01
type=news
status=published
~~~~~~
diff --git a/src/main/jbake/content/news/release-259.ad
b/src/main/jbake/content/news/release-259.ad
new file mode 100644
index 000000000..1d342a419
--- /dev/null
+++ b/src/main/jbake/content/news/release-259.ad
@@ -0,0 +1,76 @@
+////
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+////
+= Apache OpenNLP 2.5.9 released
+Apache OpenNLP
+2026-05-01
+:jbake-type: post
+:jbake-tags: community
+:jbake-status: published
+:category: news
+:idprefix:
+
+The Apache OpenNLP team is pleased to announce the release of Apache OpenNLP
2.5.9.
+
+The Apache OpenNLP library is a machine learning based toolkit for the
processing of natural language text.
+
+It supports the most common NLP tasks, such as tokenization, sentence
segmentation, part-of-speech tagging, named entity extraction, chunking,
parsing, and coreference resolution.
+
+Apache OpenNLP 2.5.9 binary and source distributions are available for
download from our link:/download.html[download page].
+
+The OpenNLP library is distributed by Maven Central as well. See the
link:/maven-dependency.html[Maven dependency] page for more details.
+
+== What's new in Apache OpenNLP 2.5.9
+
+This is a *maintenance and security release* on the 2.x line. It backports the
security fixes shipped in 3.0.0-M3 and refreshes several dependencies.
+
+=== Security Fixes
+
+Three security issues are addressed in this release (also fixed in *3.0.0-M3*
on the 3.x line).
+
+==== XXE in `DictionaryEntryPersistor` (OPENNLP-1819, CVE-2026-40682)
+
+The `DictionaryEntryPersistor` previously used a `SAXParserFactory` that did
not enable secure processing or disable DTD handling, leaving external entity
resolution active. A malicious dictionary file could exploit this for *local
file disclosure* or *SSRF* before any dictionary entry was processed.
+
+The parsing path is now aligned with the project's existing `XmlUtil` helper,
which properly sets `FEATURE_SECURE_PROCESSING` and `disallow-doctype-decl`.
+
+==== Arbitrary Class Instantiation in `ExtensionLoader` (OPENNLP-1820,
CVE-2026-42027)
+
+`ExtensionLoader.instantiateExtension()` performed its `isAssignableFrom` type
check *after* `Class.forName()` had already executed the target class's static
initializer, allowing a crafted model archive to trigger the static initializer
of any class on the classpath.
+
+The fix introduces a *package-prefix allowlist* consulted before
`Class.forName()` is invoked:
+
+* Classes under `opennlp.*` remain permitted by default.
+* Other packages must be opted in via
`ExtensionLoader.registerAllowedPackage(String)` or the
`OPENNLP_EXT_ALLOWED_PACKAGES` system property (comma-separated list).
+
+==== OOM via Unbounded Array Allocation in `AbstractModelReader`
(OPENNLP-1821, CVE-2026-42440)
+
+`getOutcomes()`, `getOutcomePatterns()`, and `getPredicates()` read
attacker-controlled 32-bit count fields from binary model streams and passed
them directly to array allocations. A crafted `.bin` file could trigger an
immediate `OutOfMemoryError` and crash the JVM.
+
+Each count is now bounded (default *10,000,000*, configurable via
`-DOPENNLP_MAX_ENTRIES=<n>`), with negative or oversized values failing fast
via `IllegalArgumentException`.
+
+WARNING: For all three issues, users who cannot upgrade immediately should
restrict input (dictionary and model files) to *trusted sources only*.
+
+=== Dependency Updates
+
+* Update log4j2 to 2.25.4 (OPENNLP-1817)
+* Update ONNX runtime to 1.25.0 (OPENNLP-1822)
+
+For further details, check the full list of
link:https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12356814[changes,role=external,window=_blank]
via the project's issue tracker.
+
+--The Apache OpenNLP Team
diff --git a/src/main/jbake/content/news/release-300-M3.ad
b/src/main/jbake/content/news/release-300-M3.ad
new file mode 100644
index 000000000..2dd8d6424
--- /dev/null
+++ b/src/main/jbake/content/news/release-300-M3.ad
@@ -0,0 +1,84 @@
+////
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+////
+= Apache OpenNLP 3.0.0-M3 released
+Apache OpenNLP
+2026-05-01
+:jbake-type: post
+:jbake-tags: community
+:jbake-status: published
+:category: news
+:idprefix:
+
+The Apache OpenNLP team is pleased to announce the release of Apache OpenNLP
3.0.0-M3.
+
+The Apache OpenNLP library is a machine learning based toolkit for the
processing of natural language text.
+
+It supports the most common NLP tasks, such as tokenization, sentence
segmentation, part-of-speech tagging, named entity extraction, chunking,
parsing, and coreference resolution.
+
+Apache OpenNLP 3.0.0-M3 binary and source distributions are available for
download from our link:/download.html[download page].
+
+The OpenNLP library is distributed by Maven Central as well. See the
link:/maven-dependency.html[Maven dependency] page for more details.
+
+== What's new in Apache OpenNLP 3.0.0-M3
+
+This release focuses on *security hardening*, *new NLP capabilities*, and
*dependency maintenance*.
+
+=== Security Fixes
+
+Three security issues are addressed in this release (also backported to
*2.5.9*).
+
+==== XXE in `DictionaryEntryPersistor` (OPENNLP-1819, CVE-2026-40682)
+
+The `DictionaryEntryPersistor` previously used a `SAXParserFactory` that did
not enable secure processing or disable DTD handling, leaving external entity
resolution active. A malicious dictionary file could exploit this for *local
file disclosure* or *SSRF* before any dictionary entry was processed.
+
+The parsing path is now aligned with the project's existing `XmlUtil` helper,
which properly sets `FEATURE_SECURE_PROCESSING` and `disallow-doctype-decl`.
+
+==== Arbitrary Class Instantiation in `ExtensionLoader` (OPENNLP-1820,
CVE-2026-42027)
+
+`ExtensionLoader.instantiateExtension()` performed its `isAssignableFrom` type
check *after* `Class.forName()` had already executed the target class's static
initializer, allowing a crafted model archive to trigger the static initializer
of any class on the classpath.
+
+The fix introduces a *package-prefix allowlist* consulted before
`Class.forName()` is invoked:
+
+* Classes under `opennlp.*` remain permitted by default.
+* Other packages must be opted in via
`ExtensionLoader.registerAllowedPackage(String)` or the
`OPENNLP_EXT_ALLOWED_PACKAGES` system property (comma-separated list).
+
+==== OOM via Unbounded Array Allocation in `AbstractModelReader`
(OPENNLP-1821, CVE-2026-42440)
+
+`getOutcomes()`, `getOutcomePatterns()`, and `getPredicates()` read
attacker-controlled 32-bit count fields from binary model streams and passed
them directly to array allocations. A crafted `.bin` file could trigger an
immediate `OutOfMemoryError` and crash the JVM.
+
+Each count is now bounded (default *10,000,000*, configurable via
`-DOPENNLP_MAX_ENTRIES=<n>`), with negative or oversized values failing fast
via `IllegalArgumentException`.
+
+WARNING: For all three issues, users who cannot upgrade immediately should
restrict input (dictionary and model files) to *trusted sources only*.
+
+=== New Features and Improvements
+
+* Roberta-based model support via ONNX (OPENNLP-1518)
+* Byte Pair Encoding (BPE) tokenization (OPENNLP-1220)
+* `Parse.createFromTokens()` convenience method for tokenized input
(OPENNLP-53)
+* Thread-safe ME classes by eliminating shared mutable instance state
(OPENNLP-1816)
+
+=== Dependency Updates
+
+* Update log4j2 to 2.25.4 (OPENNLP-1817)
+* Update zlibsvm-core to 3.0.0 (OPENNLP-1818)
+* Update ONNX runtime to 1.25.0 (OPENNLP-1822)
+
+For further details, check the full list of
link:https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12356813[changes,role=external,window=_blank]
via the project's issue tracker.
+
+--The Apache OpenNLP Team
diff --git a/src/main/jbake/jbake.properties b/src/main/jbake/jbake.properties
index 721a1e659..78585340d 100755
--- a/src/main/jbake/jbake.properties
+++ b/src/main/jbake/jbake.properties
@@ -32,8 +32,8 @@ template.news.file=news.ftl
#db.store=local
asciidoctor.attributes.export=true
asciidoctor.attributes.export.prefix=
-opennlp.version=2.5.8
-opennlp.3x.version=3.0.0-M2
+opennlp.version=2.5.9
+opennlp.3x.version=3.0.0-M3
opennlp.next.version=3.0.0-SNAPSHOT
opennlp.models=ud-models-1.3
opennlp.downloads=https://downloads.apache.org/opennlp/models
