[jboss-cvs] JBossAS SVN: r90504 - projects/docs/enterprise/4.3.5/readme/en-US.

jboss-cvs-commits at lists.jboss.org
Mon Jun 22 23:28:49 EDT 2009


Author: irooskov at redhat.com
Date: 2009-06-22 23:28:49 -0400 (Mon, 22 Jun 2009)
New Revision: 90504

Modified:
   projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml
Log:
updated release notes with new JIRA


Modified: projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml
===================================================================
--- projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml	2009-06-22 17:15:13 UTC (rev 90503)
+++ projects/docs/enterprise/4.3.5/readme/en-US/Release_Notes_CP05.xml	2009-06-23 03:28:49 UTC (rev 90504)
@@ -74,21 +74,21 @@
 					Hibernate Validator 3.0.0.GA
 				</para>
 			</listitem>
-		<!--	<listitem>
+			<listitem>
 				<para>
 					JAF 1.2_10
 				</para>
-			</listitem> -->
+			</listitem>
 			<listitem>
 				<para>
 					JBoss Cache 1.4.1_SP13
 				</para>
 			</listitem>
-		<!--	<listitem>
+			<listitem>
 				<para>
 					JBoss JAXR 1.2.0.SP2
 				</para>
-			</listitem> -->
+			</listitem>
 			<listitem>
 				<para>
 					JBoss Messaging 1.4.0.SP3-CP08
@@ -119,7 +119,7 @@
 					JGroups 2.4.6
 				</para>
 			</listitem>
-			<!--	<listitem>
+			<listitem>
 				<para>
 					JSF 1.2_10
 				</para>
@@ -133,7 +133,7 @@
 				<para>
 					Xalan 2.7.0.patch02
 				</para>
-			</listitem> -->
+			</listitem> 
 		</itemizedlist>
 		<note>
 			<para>
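Review bot: trailing whitespace on the re-enabled `</listitem> ` line (the `+` line closing the Xalan item) should be stripped; the matching `<!--` that opened this comment block is removed in the previous hunk (the JSF 1.2_10 item), so the two hunks must land together or the file is left with an unterminated comment. Same applies to the first hunk, where each `<!--`/`-->` pair is removed within the hunk itself and is fine as is.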
@@ -607,6 +607,39 @@
 				<itemizedlist>
 					<listitem>
 						<para>
+							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2067">JBPAPP-2067</ulink>: The release of Tomcat 6.0.20 saw a set of security vulnerabilities fixed that have now been backported to JBoss Web. These vulnerabilities are:
+						</para>
+						<itemizedlist>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">CVE-2009-0033</ulink>: For Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the <filename>Java AJP</filename> connector and <filename>mod_jk</filename> load balancing were used it would allow for remote attackers to cause a denial of service (application outage) attack via a crafted request with invalid headers. This would occur in relation to the temporary blocking of connectors that had encountered errors, as demonstrated by an error involving a malformed <filename>HTTP Host</filename> header. This update has been rated as having important security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">CVE-2008-5515</ulink>: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalized the target pathname before filtering the query string when using the <methodname>RequestDispatcher</methodname> method, which allowed remote attackers to bypass intended access restrictions and conduct directory traversal attacks via <code>..</code> (dot dot) sequences and the <filename>WEB-INF</filename> directory in a <classname>Request</classname>. This update has been rated as having important security impact by the Red
+Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783">CVE-2009-0783</ulink>: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 would permit web applications to replace an XML parser used for other web applications. This would allow local users to read or modify the <filename>web.xml</filename>, <filename>context.xml</filename>, or <filename>tld</filename> files of arbitrary web applications via a crafted application that is loaded earlier than the target application. This update has been rated as having low security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">CVE-2009-0781</ulink>: A Cross-site scripting (XSS) vulnerability existed within the <filename>jsp/cal/cal2.jsp</filename> calendar examples web application for Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18. This vulnerability would allow remote attackers to inject arbitrary web script or HTML via the time parameter, related to <emphasis>invalid HTML</emphasis>. This update has been rated as having low security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">CVE-2009-0580</ulink>: For Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when <property>FORM</property> authentication was used, this would allow remote attackers to enumerate valid usernames via requests to <filename>/j_security_check</filename>. This would be achieved with malformed URL encoding of passwords, related to improper error checking in the <classname>MemoryRealm</classname>, <classname>DataSourceRealm</classname>, and <classname>JDBCRealm</classname> authentication realms, as demonstrated by a <code>%</code> (percent) value for the <property>j_password</property> parameter. This update has been rated as having low security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+						</itemizedlist>
+					</listitem>
+					<listitem>
+						<para>
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2050">JBPAPP-2050</ulink>: When attempting to view a <emphasis>mbean</emphasis> graph through the <emphasis>web-console</emphasis> an exception was being generated by the applet because the <filename>jcommon.jar</filename> library was not included within the ZIP version of the previous release. This library file is now included with this release and <emphasis>mbean</emphasis> graphs are now viewable through the <emphasis>web-console</emphasis>.
 						</para>
 					</listitem>
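Review bot: the CVE-2008-5515 paragraph is split mid-sentence ("by the Red" / "Hat Security Response Team.") with the continuation flush-left; join it onto one line so the indentation matches the surrounding `<para>` content. Also, `<filename>` is not the right element for "Java AJP" (a connector) or "HTTP Host" (a header) in the CVE-2009-0033 item; `<literal>` or plain text fits better, and `<filename>tld</filename>` in CVE-2009-0783 is a file type rather than a file name. Note that this same JBPAPP-2067 list is added a second time further down (the hunk at line 1468) with a closing paragraph naming JBoss Web 2.0.0.CP10; this copy lacks that paragraph, so readers of this section cannot tell which JBoss Web version carries the fixes.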
@@ -988,7 +1021,7 @@
 							</listitem>
 							<listitem>
 								<para>
-									<ulink url="http://opensource.atlassian.com/projects/hibernate/browse/EJB-259">EJB-259</ulink>: <filename>ORM.xml</filename> files that appear in any referecend <filename>.jar</filename> files were not evaluated by Hibernate EntityManager. In order to be in line with the EJB3 specifications, the <Classname>Ejb3Configuration</classname> class has been updated to make sure all <filename>ORM.xml</filename> files are evaluated.
+									<ulink url="http://opensource.atlassian.com/projects/hibernate/browse/EJB-259">EJB-259</ulink>: <filename>ORM.xml</filename> files that appear in any referecend <filename>.jar</filename> files were not evaluated by Hibernate EntityManager. In order to be in line with the EJB3 specifications, the <classname>Ejb3Configuration</classname> class has been updated to make sure all <filename>ORM.xml</filename> files are evaluated.
 								</para>
 							</listitem>
 							<listitem>
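Review bot: the `<Classname>` to `<classname>` case fix is correct (DocBook element names are case-sensitive and the mixed-case form would fail validation), but the same line still carries the typo "referecend", which should be "referenced" while this line is being touched.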
@@ -1062,6 +1095,62 @@
 					</listitem>
 					<listitem>
 						<para>
+							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2118">JBPAPP-2037</ulink>: The Hibernate Core component of the Enterprise Application Platform has been upgraded to version 3.2.4.SP1_CP08. A list of the included fixes is as follows:
+						</para>
+						<itemizedlist>
+							<listitem>
+								<para>
+									<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1930">JBPAPP-1930</ulink>: A <exceptionname>NullPointerException</exceptionname> would occur when a native SQL query coupled eager fetching with a many-to-many relationship. Correcting this has beant that the <code>if ( collectionPersister.isOneToMany() ) {</code> line of code in the <filename>SQLQueryReturnProcessor</filename> file has been changed to <code>if ( collectionPersister.isOneToMany() || collectionPersister.isManyToMany()) {</code>, removing the generation of a <exceptionname>NullPointerException</exceptionname>. To note though is that the fix only works with the <filename>hbm.xml</filename> file SQL mapping feature and a named query.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1922">JBPAPP-1922</ulink>: A bottleneck existed within the <filename>EntityModeToTuplizerMapping.java</filename> file when a high number of threads attempted to initialize sets and had to wait for the same monitor. In correcting this issue, the <filename>EntityModeToTuplizerMapping.java</filename> file has been modified to removie the <code>private final Map tuplizers = Collections.synchronizedMap( new SequencedHashMap() ); </code> line of code and replace it with only <code>private final Map tuplizers;</code> and two new public methods to assist in the mapping.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1797">JBPAPP-1797</ulink>: Transient entities could be inserted twice when a merge was performed. To correct this bug the <filename>DefaultMergeEventListener.java</filename> file has been updated to use the new <classname>CopyCache</classname> class. Within the <filename>DefaultMergeEventListener.java</filename> file, logic has been added to retrieve transient entities and retry a merge once if an error is encountered. Following this, if the merge continues unsuccessfully a <exceptionname>TransientObjectException</exceptionname> will be generated. The <classname>CopyCache</classname> class has been created to be the <varname>Map</varname> implementation used by <classname>DefaultMergeEventListener</classname> in order to keep track of entities and the copies that are being merged into the session. This implementation also tracks whether a an entity in the <classname>CopyCache</classname> is included in the merge.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1748">JBPAPP-1748</ulink>: When merging read-only entities that had the <varname>@Immutable</varname> annotation included the following failure would occur:
+								</para>
+<screen>	
+org.hibernate.AssertionFailure: Merged entity does not have status set to MANAGED; EntityEntry[com.tll.model.impl.AccountHistory#71794688](READ_ONLY) status=READ_ONLY 
+</screen>
+								<para>
+									The <filename>DefaultMergeEventListener.java</filename> file has been updated by editing the following test statement: 
+								</para>
+<programlisting>
+if ( entry.getStatus() != Status.MANAGED ) {
+	throw new AssertionFailure( "Merged entity does not have status set to MANAGED; "+entry+" status="+entry.getStatus() );
+}
+</programlisting>
+								<para>
+									modified to test against the possibility that the current <varname>Status</varname> could be <property>READ_ONLY</property>:
+								</para>
+<programlisting>
+if ( entry.getStatus() != Status.MANAGED &amp;&amp; entry.getStatus() != Status.READ_ONLY ) {
+	throw new AssertionFailure( "Merged entity does not have status set to MANAGED or READ_ONLY; "+entry+" status="+entry.getStatus() );
+}
+</programlisting>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1564">JBPAPP-1564</ulink>: The SQL <methodname>trim</methodname> function and support for <property>mod</property> and <property>bit_length</property> were not present in the Sybase Dialect. This release sees these avaliable for use within the <filename>SybaseASE15Dialect</filename>.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1563">JBPAPP-1563</ulink>: The SQL functions <function>mod</function>, <function>bit_length</function> and <function>trim</function> caused faulures in the <classname>ASTParserLoadingTest</classname> because they were not implemented in the Sybase Dialect. The Sybase Dialect has now been updated to import the <classname>org.hibernate.dialect.function.AnsiTrimEmulationFunction</classname> function and implement the <function>mod</function>, <function>bit_length</function> and <function>trim</function> functions.
+								</para>
+							</listitem>
+						</itemizedlist>
+					</listitem>
+					<listitem>
+						<para>
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2002">JBPAPP-2002</ulink>: The Hibernate Annotations component of the Enterprise Application Platform has been upgraded to version 3.3.1. A list of the included fixes is as follows:
 						</para>
 						<itemizedlist>
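Review bot: the JBPAPP-2037 `<ulink>` points at `browse/JBPAPP-2118` while its link text reads JBPAPP-2037; one of the two is wrong and the reader will be sent to an unrelated issue. Several typos in the moved text should be fixed while it is being relocated: "beant" (meant), "removie" (remove), "a an entity", "avaliable" (available), "faulures" (failures). The `<screen>` opening tag carries a trailing tab, which ends up in the verbatim output. In the JBPAPP-1930 item, `SQLQueryReturnProcessor` is marked up as `<filename>` although the text refers to it as a class; `<classname>` is more accurate.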
@@ -1358,60 +1447,11 @@
 					</listitem> -->
 					<listitem>
 						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1930">JBPAPP-1930</ulink>: A <exceptionname>NullPointerException</exceptionname> would occur when a native SQL query coupled eager fetching with a many-to-many relationship. Correcting this has beant that the <code>if ( collectionPersister.isOneToMany() ) {</code> line of code in the <filename>SQLQueryReturnProcessor</filename> file has been changed to <code>if ( collectionPersister.isOneToMany() || collectionPersister.isManyToMany()) {</code>, removing the generation of a <exceptionname>NullPointerException</exceptionname>. To note though is that the fix only works with the <filename>hbm.xml</filename> file SQL mapping feature and a named query.
-						</para>
-					</listitem>
-					<listitem>
-						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1922">JBPAPP-1922</ulink>: A bottleneck existed within the <filename>EntityModeToTuplizerMapping.java</filename> file when a high number of threads attempted to initialize sets and had to wait for the same monitor. In correcting this issue, the <filename>EntityModeToTuplizerMapping.java</filename> file has been modified to removie the <code>private final Map tuplizers = Collections.synchronizedMap( new SequencedHashMap() ); </code> line of code and replace it with only <code>private final Map tuplizers;</code> and two new public methods to assist in the mapping.
-						</para>
-					</listitem>
-					<listitem>
-						<para>
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1859">JBPAPP-1859</ulink>: The <classname>ManyToOneJoinTest</classname> distributed with Hibernate would fail because a primary key would be set on a <code>nullable</code> column. The <filename>OneToOneSecondPass.java</filename> file has been modified to use the <methodname>buildJoinFromMappedBySide</methodname> method instead of the <methodname>buildJoin</methodname> method. Inacting this change has meant that the calls to the <methodname>join.createPrimaryKey()</methodname> and <methodname>join.createForeignKey()</methodname> methods within this file have also been removed.
 						</para>
 					</listitem>
 					<listitem>
 						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1797">JBPAPP-1797</ulink>: Transient entities could be inserted twice when a merge was performed. To correct this bug the <filename>DefaultMergeEventListener.java</filename> file has been updated to use the new <classname>CopyCache</classname> class. Within the <filename>DefaultMergeEventListener.java</filename> file, logic has been added to retrieve transient entities and retry a merge once if an error is encountered. Following this, if the merge continues unsuccessfully a <exceptionname>TransientObjectException</exceptionname> will be generated. The <classname>CopyCache</classname> class has been created to be the <varname>Map</varname> implementation used by <classname>DefaultMergeEventListener</classname> in order to keep track of entities and the copies that are being merged into the session. This implementation also tracks whether a an entity in the <classname>CopyCache</classname> is included in the merge.
-						</para>
-					</listitem>
-					<listitem>
-						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1748">JBPAPP-1748</ulink>: When merging read-only entities that had the <varname>@Immutable</varname> annotation included the following failure would occur:
-						</para>
-<screen>	
-org.hibernate.AssertionFailure: Merged entity does not have status set to MANAGED; EntityEntry[com.tll.model.impl.AccountHistory#71794688](READ_ONLY) status=READ_ONLY 
-</screen>
-						<para>
-							The <filename>DefaultMergeEventListener.java</filename> file has been updated by editing the following test statement: 
-						</para>
-<programlisting>
-if ( entry.getStatus() != Status.MANAGED ) {
-	throw new AssertionFailure( "Merged entity does not have status set to MANAGED; "+entry+" status="+entry.getStatus() );
-}
-</programlisting>
-						<para>
-							modified to test against the possibility that the current <varname>Status</varname> could be <property>READ_ONLY</property>:
-						</para>
-<programlisting>
-if ( entry.getStatus() != Status.MANAGED &amp;&amp; entry.getStatus() != Status.READ_ONLY ) {
-	throw new AssertionFailure( "Merged entity does not have status set to MANAGED or READ_ONLY; "+entry+" status="+entry.getStatus() );
-}
-</programlisting>
-					</listitem>
-					<listitem>
-						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1564">JBPAPP-1564</ulink>: The SQL <methodname>trim</methodname> function and support for <property>mod</property> and <property>bit_length</property> were not present in the Sybase Dialect. This release sees these avaliable for use within the <filename>SybaseASE15Dialect</filename>.
-						</para>
-					</listitem>
-					<listitem>
-						<para>
-							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1563">JBPAPP-1563</ulink>: The SQL functions <function>mod</function>, <function>bit_length</function> and <function>trim</function> caused faulures in the <classname>ASTParserLoadingTest</classname> because they were not implemented in the Sybase Dialect. The Sybase Dialect has now been updated to import the <classname>org.hibernate.dialect.function.AnsiTrimEmulationFunction</classname> function and implement the <function>mod</function>, <function>bit_length</function> and <function>trim</function> functions.
-						</para>
-					</listitem>
-					<listitem>
-						<para>
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1081">JBPAPP-1081</ulink>: In the Entity Manager documentation it is stated that table aliases are supported in <code>update</code> clauses, however using table alias' in an update query causes a program failure. In order to correct this the  <filename>QueryTest.java</filename> file has been updated with the removal for the allowance of table alias'.
 						</para>
 					</listitem>
@@ -1468,6 +1508,42 @@
 				<itemizedlist>
 					<listitem>
 						<para>
+							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2067">JBPAPP-2067</ulink>: The release of Tomcat 6.0.20 saw a set of security vulnerabilities fixed that have now been backported to JBoss Web. These vulnerabilities are:
+						</para>
+						<itemizedlist>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">CVE-2009-0033</ulink>: For Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the <filename>Java AJP</filename> connector and <filename>mod_jk</filename> load balancing were used it would allow for remote attackers to cause a denial of service (application outage) attack via a crafted request with invalid headers. This would occur in relation to the temporary blocking of connectors that had encountered errors, as demonstrated by an error involving a malformed <filename>HTTP Host</filename> header. This update has been rated as having important security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">CVE-2008-5515</ulink>: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalized the target pathname before filtering the query string when using the <methodname>RequestDispatcher</methodname> method, which allowed remote attackers to bypass intended access restrictions and conduct directory traversal attacks via <code>..</code> (dot dot) sequences and the <filename>WEB-INF</filename> directory in a <classname>Request</classname>. This update has been rated as having important security impact by the Red
+									Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783">CVE-2009-0783</ulink>: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 would permit web applications to replace an XML parser used for other web applications. This would allow local users to read or modify the <filename>web.xml</filename>, <filename>context.xml</filename>, or <filename>tld</filename> files of arbitrary web applications via a crafted application that is loaded earlier than the target application. This update has been rated as having low security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">CVE-2009-0781</ulink>: A Cross-site scripting (XSS) vulnerability existed within the <filename>jsp/cal/cal2.jsp</filename> calendar examples web application for Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18. This vulnerability would allow remote attackers to inject arbitrary web script or HTML via the time parameter, related to <emphasis>invalid HTML</emphasis>. This update has been rated as having low security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+							<listitem>
+								<para>
+									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">CVE-2009-0580</ulink>: For Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when <property>FORM</property> authentication was used, this would allow remote attackers to enumerate valid usernames via requests to <filename>/j_security_check</filename>. This would be achieved with malformed URL encoding of passwords, related to improper error checking in the <classname>MemoryRealm</classname>, <classname>DataSourceRealm</classname>, and <classname>JDBCRealm</classname> authentication realms, as demonstrated by a <code>%</code> (percent) value for the <property>j_password</property> parameter. This update has been rated as having low security impact by the Red Hat Security Response Team.
+								</para>
+							</listitem>
+						</itemizedlist>
+						<para>
+							These bug fixes are part of the JBoss Web 2.0.0.CP10 upgrade.
+						</para>
+					</listitem>
+					<listitem>
+						<para>
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1992">JBPAPP-1992</ulink>: Apache Tomcat 5 and 6 did not properly handle double quote (<emphasis>"</emphasis>) characters and the encoded backslash (%5C) sequences in cookie values. These bugs may have allowed for sensitive information such as session IDs to be leaked to remote attackers and permit session hijack attacks. This has been rectified by the modification of <filename>ApplicationContext.java</filename> to generate a <exceptionname>MalformedURLException</exceptionname> if a path starts with an encoded backslash and the modification of <filename>ServerCookie.java</filename> to escape double quote characters. (CVE-2007-5333)
 						</para>
 						<para>
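Review bot: this is the second copy of the JBPAPP-2067 CVE list (the first is in the hunk at line 607); if both sections are intended, consider adding the "These bug fixes are part of the JBoss Web 2.0.0.CP10 upgrade." paragraph to the first copy as well so the two stay consistent. The CVE-2008-5515 paragraph is again split across two lines mid-sentence ("Red" / "Hat Security Response Team."); keep it on one line. The CVE citation style also differs from the adjacent JBPAPP-1992 item, which gives its CVE (CVE-2007-5333) in parentheses at the end without a link; pick one convention for the section.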