Thread: BCL in 2.3 needs fixing

BCL in 2.3 needs fixing
user name
2006-11-11 01:07:07
Sorry for not bringing this up earlier.

We need to remove the javamail and activation jars from the 2.3 release as well (and re-pgp/md5 it).

Dave, is this something you have time for as 2.3 RM, or do you need someone to volunteer?

Hen
BCL in 2.3 needs fixing
user name
2006-11-11 02:04:41
On 11/10/06, Henri Yandell <flamefewgmail.com> wrote:
> Sorry for not bringing this up earlier.
>
> We need to remove the javamail and activation jars from the 2.3 release as well (and re-pgp/md5 it).

Yes and we have a security fix in 2.3.1 that we never formally released.

> Dave, is this something you have time for as 2.3 RM, or do you need someone to volunteer?

I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.

- Dave
BCL in 2.3 needs fixing
user name
2006-11-11 05:47:01
On 11/10/06, Dave <snoopdavegmail.com> wrote:
> On 11/10/06, Henri Yandell <flamefewgmail.com> wrote:
> > Sorry for not bringing this up earlier.
> >
> > We need to remove the javamail and activation jars from the 2.3 release as well (and re-pgp/md5 it).
>
> Yes and we have a security fix in 2.3.1 that we never formally released.
>
> > Dave, is this something you have time for as 2.3 RM, or do you need someone to volunteer?
>
> I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.

Either 2.3.1 with a vote to release it - and removing 2.3 from the mirrors/archives, or just modifying 2.3 to not contain the jars is fine by me.

Hen
BCL in 2.3 needs fixing
user name
2006-11-20 21:12:25
Henri,

I've created and signed a new release of Roller 3.2 with 1) fixes for the comment XSS problem and 2) no BCL jars. I updated the change list and install docs accordingly. Please give it a quick test so we can replace the existing 2.3 release with this new one.

Here are the release files:
http://people.apache.org/~snoopdave/apache-roller-2.3.1/

And here's what I added to the CHANGES.txt doc:

Roller 2.3.1: minor release to fix security risk in comment form and licensing issue

*** Security risk in comment form

Allowing commenters to leave HTML in comments is a potential security risk because it allows commenters to add malicious Javascript code. You can disable HTML in comments via the Roller admin interface, but in Roller 2.3 and earlier versions of Roller, attackers could still add malicious HTML to the name, email and URL fields.

We fixed the problem in Roller 2.3.1 and all subsequent versions of Roller by stripping all HTML from name, email and comment fields at comment post time.

*** Licensing issue with JavaMail and Activation jars

The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy. So these jars have been removed from the release and instructions have been added to the Installation Guide that explain how to get them and add them to Roller.


- Dave



On 11/11/06, Henri Yandell <flamefewgmail.com> wrote:
> On 11/10/06, Dave <snoopdavegmail.com> wrote:
> > On 11/10/06, Henri Yandell <flamefewgmail.com> wrote:
> > > Sorry for not bringing this up earlier.
> > >
> > > We need to remove the javamail and activation jars from the 2.3 release as well (and re-pgp/md5 it).
> >
> > Yes and we have a security fix in 2.3.1 that we never formally released.
> >
> > > Dave, is this something you have time for as 2.3 RM, or do you need someone to volunteer?
> >
> > I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.
>
> Either 2.3.1 with a vote to release it - and removing 2.3 from the mirrors/archives, or just modifying 2.3 to not contain the jars is fine by me.
>
> Hen
>
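As an added illustration of the comment-form fix Dave describes above (HTML stripped from every submitted field at post time, not only from the body), here is example Java code written for this thread. It is not Roller's code: the field names "name", "email", "url" and "comment", the method names and the sample form data are all constructed. The thread names the vulnerable fields as name, email and URL and the fixed fields as name, email and comment; this example strips all three non-body fields unconditionally and applies the site's "allow HTML" setting to the body, which is an interpretation, not a statement of what Roller 2.3.1 did. The render-time escaping at the end is also an assumption about defence in depth that the thread does not mention.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Example only (not Roller's code): sanitising a blog comment at post time.
 * Field names "name", "email", "url" and "comment" are assumed.
 */
public class CommentSanitizer {

    /** Matches a complete tag such as <b>, </b>, <img src=x> or <!-- ... -->. */
    private static final Pattern TAG = Pattern.compile("<[^>]*>");
    /** Matches an unterminated tag left open at the end of the input. */
    private static final Pattern DANGLING_TAG = Pattern.compile("<[^>]*$");

    /**
     * Remove every HTML tag from a field; a null field becomes "".
     * TAG removes each '<' together with the text up to the next '>', and
     * DANGLING_TAG removes a trailing '<' with no closing '>', so the result
     * contains no '<' at all and therefore no tag can survive.
     */
    static String stripHtml(String field) {
        if (field == null) {
            return "";
        }
        String stripped = TAG.matcher(field).replaceAll("");
        stripped = DANGLING_TAG.matcher(stripped).replaceAll("");
        return stripped.trim();
    }

    /** Escape the characters that carry meaning in HTML text and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Behaviour the thread attributes to Roller 2.3, reconstructed here for
     * illustration: the "allow HTML" setting is applied to the comment body
     * only, and the other fields are stored exactly as submitted.
     */
    static Map<String, String> sanitizeRoller23(Map<String, String> form, boolean htmlAllowed) {
        Map<String, String> out = new LinkedHashMap<>(form);
        if (!htmlAllowed) {
            out.put("comment", stripHtml(form.get("comment")));
        }
        return out;
    }

    /**
     * Behaviour in the spirit of the 2.3.1 fix (interpretation, see lead-in):
     * name, email and URL are always stripped of HTML at post time, and the
     * body still follows the site setting.
     */
    static Map<String, String> sanitizeRoller231(Map<String, String> form, boolean htmlAllowed) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String field : new String[] {"name", "email", "url"}) {
            out.put(field, stripHtml(form.get(field)));
        }
        String body = form.get("comment");
        out.put("comment", htmlAllowed ? (body == null ? "" : body) : stripHtml(body));
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample submission: markup placed in the name and URL fields.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("name", "Alice <script>alert(1)</script>");
        form.put("email", "alice@example.com");
        form.put("url", "<a href=\"http://example.com/\">my site</a>");
        form.put("comment", "Nice <b>post</b>!");

        boolean htmlAllowed = false; // the site admin has disabled HTML in comments
        // With the 2.3 behaviour the body is cleaned but the name and URL keep their markup.
        System.out.println("2.3 behaviour  : " + sanitizeRoller23(form, htmlAllowed));
        // With the 2.3.1 behaviour every field is plain text.
        System.out.println("2.3.1 behaviour: " + sanitizeRoller231(form, htmlAllowed));

        // Defence in depth (assumption, not from the thread): escape again when
        // rendering, so a value that reached storage some other way is still inert.
        Map<String, String> stored = sanitizeRoller231(form, htmlAllowed);
        for (Map.Entry<String, String> e : stored.entrySet()) {
            System.out.println(e.getKey() + " -> " + escapeHtml(e.getValue()));
        }
    }
}
```

Compile and run with `javac CommentSanitizer.java && java CommentSanitizer`. Whole-tag removal with a regular expression is adequate for fields that are meant to be plain text, such as a commenter's name; where some markup must be permitted (the body with HTML enabled), a whitelist-based HTML policy library is the usual choice rather than a pattern like this one.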
BCL in 2.3 needs fixing
user name
2006-11-21 17:10:13
Looks good to me. Diffs with 2.3 tar.gz's show very few things changed, and ones you'd expect to be changed.

Has there already been a vote to release 2.3.1?

Hen

On 11/20/06, Dave <snoopdavegmail.com> wrote:
> Henri,
>
> I've created and signed a new release of Roller 3.2 with 1) fixes for the comment XSS problem and 2) no BCL jars. I updated the change list and install docs accordingly. Please give it a quick test so we can replace the existing 2.3 release with this new one.
>
> Here are the release files:
> http://people.apache.org/~snoopdave/apache-roller-2.3.1/
>
> And here's what I added to the CHANGES.txt doc:
>
> Roller 2.3.1: minor release to fix security risk in comment form and licensing issue
>
> *** Security risk in comment form
>
> Allowing commenters to leave HTML in comments is a potential security risk because it allows commenters to add malicious Javascript code. You can disable HTML in comments via the Roller admin interface, but in Roller 2.3 and earlier versions of Roller, attackers could still add malicious HTML to the name, email and URL fields.
>
> We fixed the problem in Roller 2.3.1 and all subsequent versions of Roller by stripping all HTML from name, email and comment fields at comment post time.
>
> *** Licensing issue with JavaMail and Activation jars
>
> The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy. So these jars have been removed from the release and instructions have been added to the Installation Guide that explain how to get them and add them to Roller.
>
> - Dave
>
> On 11/11/06, Henri Yandell <flamefewgmail.com> wrote:
> > On 11/10/06, Dave <snoopdavegmail.com> wrote:
> > > On 11/10/06, Henri Yandell <flamefewgmail.com> wrote:
> > > > Sorry for not bringing this up earlier.
> > > >
> > > > We need to remove the javamail and activation jars from the 2.3 release as well (and re-pgp/md5 it).
> > >
> > > Yes and we have a security fix in 2.3.1 that we never formally released.
> > >
> > > > Dave, is this something you have time for as 2.3 RM, or do you need someone to volunteer?
> > >
> > > I'll have time for some RM work next week for 3.1 and I can easily add 2.3.1.
> >
> > Either 2.3.1 with a vote to release it - and removing 2.3 from the mirrors/archives, or just modifying 2.3 to not contain the jars is fine by me.
> >
> > Hen
> >
>