Looks good.

[x] +1 Release this package as Apache Roller 6.1.4

Observations

Blogroll page. Switch to blogroll dropdown dialog and Add blogroll dialog get a 500 when saving, but it still creates the entries OK.

Cheers
Greg

On 06/10/2024 22:09, Dave Johnson wrote:

Dear Apache Roller Community,

I am pleased to call for a vote on the release of Apache Roller 6.1.4 (RC2). This release includes several important updates and improvements, including enhanced security measures, dependency updates, and various code enhancements (change notes below).

The release candidate files can be found at the following location:

https://dist.apache.org/repos/dist/dev/roller/roller-6.1/v6.1.4/

Please review the release candidate and cast your vote:

[ ] +1 Release this package as Apache Roller 6.1.4
[ ] 0 No opinion
[ ] -1 Do not release this package because...

The vote will be open for at least 72 hours. Please take the time to review the release candidate and provide your feedback.

Thank you for your time and contributions to the Apache Roller project.

Best regards,
Dave

Changes since RC1:

* One-time salt values
* Comprehensive tests for salt filters
* Web analytics disabled when weblogAdminsUntrusted=true

Key Changes in Apache Roller 6.1.4

Dependency Updates:

* Upgraded several key libraries to their latest versions, ensuring improved security and stability.

Code Enhancements:

* Enhanced salt handling (user specific one-time-salts) and validation mechanisms.
* Improved security settings and default configurations.
* By default weblogAdminsUntrusted is not set to true.
* Default settings now disable file uploads and custom themes.
* Updated tests and documentation to ensure compatibility with new configurations.

Detailed Change List for Apache Roller 6.1.4

Dependency Updates

app/pom.xml:
- asm.version: 9.6 -> 9.7
- commons-validator.version: 1.8.0 -> 1.9.0
- commons-codec.version: 1.16.0 -> 1.17.1
- commons-text.version: 1.11.0 -> 1.12.0
- commons-lang3.version: 3.14.0 -> 3.16.0
- eclipse-link.version: 4.0.2 -> 4.0.4
- log4j2.version: 2.22.1 -> 2.23.1
- lucene.version: 9.9.1 -> 9.11.1
- maven-surefire.version: 3.2.5 -> 3.5.0
- slf4j.version: 2.0.11 -> 2.0.16
- spring.version: 5.3.31 -> 5.3.39
- spring.security.version: 5.8.8 -> 5.8.14
- jquery-ui: 1.13.2 -> 1.13.3
- jquery-validation: 1.19.5 -> 1.20.0
- mockito-core: 5.9.0 -> 5.12.0
- instancio-junit: 4.0.0 -> 5.0.1
- selenium-java: 4.17.0 -> 4.23.1
- selenium-firefox-driver: 4.17.0 -> 4.23.1
- maven-failsafe-plugin: 3.2.5 -> 3.5.0

pom.xml:
- jetty.plugin.version: 10.0.19 -> 10.0.23
- maven-compiler-plugin: 3.12.1 -> 3.13.0
- versions-maven-plugin: 2.16.2 -> 2.17.1
- junit-jupiter-engine: 5.10.1 -> 5.11.0

Code Changes

- ValidateSaltFilter.java: Added RollerSession and modified salt validation to check against userId.
- SaltCache.java: Changed get method return type to String and modified put method to accept String.
- roller.properties: Added weblogAdminsUntrusted=true.
- runtimeConfigDefs.xml: Changed default values of uploads.enabled and themes.customtheme.allowed to false.
- MediaFileTest.java: Enabled media uploads for the test.
- SQLScriptRunnerTest.java: Replaced assertTrue with assertEquals for command count check.
- roller-install-guide.adoc: Updated security recommendations and safer defaults section.
- roller-template-guide.adoc: Updated note about theme customization being disabled by default.