+1 (binding)
checked:
- sigs match, dependencies in war look good
- tested fresh weblog installation on JDK 17, tomcat 9, postgresql,
debian + podman (new defaults seem to work)
- deployed update to personal blog and everything looks fine (Jetty,
JDK 21, hsqldb)
thanks for rollin' a release ;)
michael (mbien)
On 28.09.24 00:00, Dave wrote:
Dear Apache Roller Community,
I am pleased to call for a vote on the release of Apache Roller 6.1.4
(RC1). This release includes several important updates and improvements,
including enhanced security measures, dependency updates, and various code
enhancements (change notes below). The release candidate files can be found
at the following location:
https://dist.apache.org/repos/dist/dev/roller/roller-6.1/v6.1.4/
Please review the release candidate and cast your vote:
[ ] +1 Release this package as Apache Roller 6.1.4
[ ] 0 No opinion
[ ] -1 Do not release this package because...
The vote will be open for at least 72 hours. Please take the time to review
the release candidate and provide your feedback.
Thank you for your time and contributions to the Apache Roller project.
Best regards,
Dave
Key Changes in Apache Roller 6.1.4
Dependency Updates:
* Upgraded several key libraries to their latest versions, ensuring
improved security and stability.
Code Enhancements:
* Enhanced salt handling and validation mechanisms.
* Improved security settings and default configurations.
* Introduced weblogAdminsUntrusted=true property.
* Adjusted default settings to disable file uploads and custom themes by
default.
* Updated tests and documentation to ensure compatibility with new
configurations.
## Detailed change List for Apache Roller 6.1.4
### Dependency Updates
#### app/pom.xml
- asm.version: 9.6 -> 9.7
- commons-validator.version: 1.8.0 -> 1.9.0
- commons-codec.version: 1.16.0 -> 1.17.1
- commons-text.version: 1.11.0 -> 1.12.0
- commons-lang3.version: 3.14.0 -> 3.16.0
- eclipse-link.version: 4.0.2 -> 4.0.4
- log4j2.version: 2.22.1 -> 2.23.1
- lucene.version: 9.9.1 -> 9.11.1
- maven-surefire.version: 3.2.5 -> 3.5.0
- slf4j.version: 2.0.11 -> 2.0.16
- spring.version: 5.3.31 -> 5.3.39
- spring.security.version: 5.8.8 -> 5.8.14
- jquery-ui: 1.13.2 -> 1.13.3
- jquery-validation: 1.19.5 -> 1.20.0
- mockito-core: 5.9.0 -> 5.12.0
- instancio-junit: 4.0.0 -> 5.0.1
- selenium-java: 4.17.0 -> 4.23.1
- selenium-firefox-driver: 4.17.0 -> 4.23.1
- maven-failsafe-plugin: 3.2.5 -> 3.5.0
#### pom.xml
- jetty.plugin.version: 10.0.19 -> 10.0.23
- maven-compiler-plugin: 3.12.1 -> 3.13.0
- versions-maven-plugin: 2.16.2 -> 2.17.1
- junit-jupiter-engine: 5.10.1 -> 5.11.0
### Code Changes
- **LoadSaltFilter.java**: Added RollerSession to retrieve userId and pass
to SaltCache.
- **ValidateSaltFilter.java**: Added RollerSession and modified salt
validation to check against userId.
- **SaltCache.java**: Changed get method return type to String and modified
put method to accept String.
- **roller.properties**: Added weblogAdminsUntrusted=true.
- **runtimeConfigDefs.xml**: Changed default values of uploads.enabled and
themes.customtheme.allowed to false.
- **MediaFileTest.java**: Enabled media uploads for the test.
- **SQLScriptRunnerTest.java**: Replaced assertTrue with assertEquals for
command count check.
- **roller-install-guide.adoc**: Updated security recommendations and safer
defaults section.
- **roller-template-guide.adoc**: Updated note about theme customization
being disabled by default.