+1 (binding)
- sigs ok, archive contents look good
- tested fresh blog setup in a debian container (JDK 17, postgresql
14, tomcat 9)
- checked the new defaults and also that they can be toggled on again
- checked a few things regarding authentication
looks like a good release!
best regards and thanks for rolling a release,
michael (mbien)
On 06.10.24 23:09, Dave Johnson wrote:
Dear Apache Roller Community,
I am pleased to call for a vote on the release of Apache Roller 6.1.4 (RC2).
This release includes several important updates and improvements, including
enhanced security measures, dependency updates, and various code enhancements
(change notes below). The release candidate files can be found at the following
location:
https://dist.apache.org/repos/dist/dev/roller/roller-6.1/v6.1.4/
Please review the release candidate and cast your vote:
[ ] +1 Release this package as Apache Roller 6.1.4
[ ] 0 No opinion
[ ] -1 Do not release this package because...
The vote will be open for at least 72 hours. Please take the time to review the
release candidate and provide your feedback.
Thank you for your time and contributions to the Apache Roller project.
Best regards,
Dave
Changes since RC1:
* One-time salt values
* Comprehensive tests for salt filters
* Web analytics disabled when weblogAdminsUntrusted=true
Key Changes in Apache Roller 6.1.4
Dependency Updates:
* Upgraded several key libraries to their latest versions, ensuring improved
security and stability.
Code Enhancements:
* Enhanced salt handling (user specific one-time-salts) and validation
mechanisms.
* Improved security settings and default configurations.
* By default weblogAdminsUntrusted is not set to true.
* Default settings now disable file uploads and custom themes.
* Updated tests and documentation to ensure compatibility with new
configurations.
Detailed Change List for Apache Roller 6.1.4
Dependency Updates
app/pom.xml:
- asm.version: 9.6 -> 9.7
- commons-validator.version: 1.8.0 -> 1.9.0
- commons-codec.version: 1.16.0 -> 1.17.1
- commons-text.version: 1.11.0 -> 1.12.0
- commons-lang3.version: 3.14.0 -> 3.16.0
- eclipse-link.version: 4.0.2 -> 4.0.4
- log4j2.version: 2.22.1 -> 2.23.1
- lucene.version: 9.9.1 -> 9.11.1
- maven-surefire.version: 3.2.5 -> 3.5.0
- slf4j.version: 2.0.11 -> 2.0.16
- spring.version: 5.3.31 -> 5.3.39
- spring.security.version: 5.8.8 -> 5.8.14
- jquery-ui: 1.13.2 -> 1.13.3
- jquery-validation: 1.19.5 -> 1.20.0
- mockito-core: 5.9.0 -> 5.12.0
- instancio-junit: 4.0.0 -> 5.0.1
- selenium-java: 4.17.0 -> 4.23.1
- selenium-firefox-driver: 4.17.0 -> 4.23.1
- maven-failsafe-plugin: 3.2.5 -> 3.5.0
pom.xml:
- jetty.plugin.version: 10.0.19 -> 10.0.23
- maven-compiler-plugin: 3.12.1 -> 3.13.0
- versions-maven-plugin: 2.16.2 -> 2.17.1
- junit-jupiter-engine: 5.10.1 -> 5.11.0
Code Changes
- ValidateSaltFilter.java: Added RollerSession and modified salt validation to
check against userId.
- SaltCache.java: Changed get method return type to String and modified put
method to accept String.
- roller.properties: Added weblogAdminsUntrusted=true.
- runtimeConfigDefs.xml: Changed default values of uploads.enabled and
themes.customtheme.allowed to false.
- MediaFileTest.java: Enabled media uploads for the test.
- SQLScriptRunnerTest.java: Replaced assertTrue with assertEquals for command
count check.
- roller-install-guide.adoc: Updated security recommendations and safer
defaults section.
- roller-template-guide.adoc: Updated note about theme customization being
disabled by default.
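
Added illustration, not part of the original message and not Roller's own code: one way a user-specific one-time salt check of the kind named in the change notes can work, with each salt stored against a userId (a String) and consumed on its first successful validation. The class OneTimeSaltDemo and its methods are hypothetical, and the user ids are constructed sample values.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical names throughout; this is not Roller's SaltCache or ValidateSaltFilter.
public class OneTimeSaltDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // salt -> userId the salt was issued to (String value, as in the change notes)
    private final ConcurrentMap<String, String> salts = new ConcurrentHashMap<>();

    /** Issue a fresh, unpredictable salt bound to one user. */
    public String issue(String userId) {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String salt = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        salts.put(salt, userId);
        return salt;
    }

    /** Accept a salt at most once, and only from the user it was issued to. */
    public boolean validate(String salt, String sessionUserId) {
        if (salt == null || sessionUserId == null) {
            return false; // unauthenticated request or missing form field
        }
        // remove(key, value) is atomic: it succeeds only when the stored userId
        // matches, and the entry is gone afterwards, so a replay fails and two
        // concurrent submissions of the same salt cannot both pass.
        return salts.remove(salt, sessionUserId);
    }

    public static void main(String[] args) {
        OneTimeSaltDemo cache = new OneTimeSaltDemo();

        String s1 = cache.issue("alice"); // constructed user ids
        System.out.println("owner, first use:  " + cache.validate(s1, "alice"));
        System.out.println("owner, replay:     " + cache.validate(s1, "alice"));

        String s2 = cache.issue("alice");
        System.out.println("other user's salt: " + cache.validate(s2, "bob"));
        // The mismatch above did not consume the salt; its owner can still use it.
        System.out.println("owner afterwards:  " + cache.validate(s2, "alice"));
    }
}
```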