| ----- |
| Release Notes for Archiva ${project.version} |
| ----- |
| |
| ~~ Licensed to the Apache Software Foundation (ASF) under one |
| ~~ or more contributor license agreements. See the NOTICE file |
| ~~ distributed with this work for additional information |
| ~~ regarding copyright ownership. The ASF licenses this file |
| ~~ to you under the Apache License, Version 2.0 (the |
| ~~ "License"); you may not use this file except in compliance |
| ~~ with the License. You may obtain a copy of the License at |
| ~~ |
| ~~ http://www.apache.org/licenses/LICENSE-2.0 |
| ~~ |
| ~~ Unless required by applicable law or agreed to in writing, |
| ~~ software distributed under the License is distributed on an |
| ~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| ~~ KIND, either express or implied. See the License for the |
| ~~ specific language governing permissions and limitations |
| ~~ under the License. |
| |
| Release Notes for Archiva ${project.version} |
| |
| The Apache Archiva team is pleased to announce the release of Archiva |
| ${project.version}. Archiva is {{{http://archiva.apache.org/download.html} |
| available for download from the web site}}. |
| |
| Archiva is an application for managing one or more remote repositories, |
| including administration, artifact handling, browsing and searching. |
| |
| If you have any questions, please consult: |
| |
| * the web site: {{http://archiva.apache.org/}} |
| |
| * the archiva-user mailing list: {{http://archiva.apache.org/mailing-lists.html}} |
| |
| * New in Archiva ${project.version} |
| |
| Apache Archiva ${project.version} is a security fix release: |
| |
| ** Compatibility Changes |
| |
| * There are no compatibility changes |
| |
| ** New Feature |
| |
| * There are no new features in this release. |
| |
| ** Improvements |
| |
| * There are no improvements |
| |
| ** Bug/Security Fix |
| |
| * [MRM-2051]: upgrade dom4j (v2 branch) |
| |
| * upgrade spring 4.2.9 |
| |
| * [MRM-2050]: upgrade commons-fileupload and commons-io due to CVEs |
| |
| * [MRM-2049]: upgrade httpclient due to CVEs |
| |
| * [MRM-2048]: upgrade xerces due to CVE |
| |
| |
| Previous Release Notes |
| |
| * Release Notes for Archiva 2.2.8 |
| |
| Apache Archiva 2.2.8 is a security fix release: |
| |
| Released: 2022-05-25 |
| |
| ** Bug/Security Fix |
| |
| * CVE-2022-29405 Apache Archiva Arbitrary user password reset vulnerability |
| |
| * Release Notes for Archiva 2.2.7 |
| |
| Apache Archiva 2.2.7 is a security fix release: |
| |
| Released: 2022-12-22 |
| |
| ** Compatibility Changes |
| |
| * [MRM-2021] There is a new flag 'literalVersion=true/false' for the service archivaServices/searchService/artifact |
| which allows changing the behaviour of the v=LATEST search. |
| |
| ** New Feature |
| |
| * There are no new features in this release. |
| |
| ** Improvements |
| |
| * There are no improvements |
| |
| ** Bug/Security Fix |
| |
| * [MRM-2027] Update of the log4j2 version to 2.17.0 |
| |
| * [MRM-2020] Fixed the behaviour of the startup script, if ARCHIVA_BASE is set (separating installation and data directory) |
| |
| * [MRM-2022] Fixed the handling of X-XSRF-TOKEN header in Javascript calls |
| |
| |
| * Release Notes for Archiva 2.2.6 |
| |
| Apache Archiva 2.2.6 is a security fix release: |
| |
| Released: 2021-12-15 |
| |
| ** Compatibility Changes |
| |
| * No API changes or known side effects. |
| |
| ** New Feature |
| |
| * There are no new features in this release. |
| |
| ** Improvements |
| |
| * There are no improvements |
| |
| ** Bug/Security Fix |
| |
| * Update of the log4j2 version to mitigate the log4j2 vulnerability (CVE-2021-44228) |
| |
| * Deactivated directory listings by the file servlet |
| |
| |
| * Release Notes for Archiva 2.2.5 |
| |
| Apache Archiva 2.2.5 is a bug fix release: |
| |
| Released: 2020-06-19 |
| |
| ** Compatibility Changes |
| |
| * No API changes or known side effects. |
| |
| ** New Feature |
| |
| * There are no new features in this release. |
| |
| ** Improvements |
| |
| * There are no improvements |
| |
| ** Bug Fix |
| |
| * [MRM-2008] Fix for group names with slashes |
| |
| * Better handling of LDAP filter |
| |
| |
| * Release Notes for Archiva 2.2.4 |
| |
| Apache Archiva 2.2.4 is a bug fix release: |
| |
| * Fixes for handling of artifacts |
| |
| * Improved validation of REST calls |
| |
| ** Compatibility Changes |
| |
| No API changes or known side effects. |
| |
| Released: 2019-04-30 |
| |
| ** New Feature |
| |
| * There are no new features in this release. |
| |
| ** Improvements |
| |
| * Adding additional validation to REST service calls for artifact upload |
| |
| ** Bug Fix |
| |
| * [MRM-1972] Stored XSS in Web UI Organization Name |
| |
| * [MRM-1966] Repository-purge not working |
| |
| * [MRM-1958] Purge by retention count deletes files but leaves history on website. |
| |
| * [MRM-1929] Repository purge is not reflected in index |
| |
| |
| * Release Notes for Archiva 2.2.3 |
| |
| ** New in Archiva 2.2.3 |
| |
| Apache Archiva 2.2.3 is a bug fix release: |
| |
| * Some fixes for the REST API were added to detect requests from unknown origin |
| |
| * Some bugfixes were added |
| |
| * Compatibility Changes |
| |
| * The REST services now check the origin of requests by analysing the Origin |
| and Referer headers of the HTTP requests and by adding a validation token to the header. |
| This prevents requests from malicious sites if they are open in the same browser. If you use |
| the REST services from other clients you may change the behaviour with the new |
| configuration properties for the redback security (<<<rest.csrffilter.*>>>, <<<rest.baseUrl>>>). |
| For more information see {{{./adminguide/customising-security.html}Archiva Security Configuration}} and |
| the {{{/redback/integration/rest.html}Redback REST documentation}}. |
| |
| <<Note:>> If your Archiva installation is behind a reverse proxy or load balancer, the Archiva Web UI |
| may not load after the upgrade. If this is the case you may access the Web UI |
| via localhost or edit archiva.xml manually. In the "Redback Runtime Configuration" properties you have to |
| enter the base URLs of your Archiva installation in the <<<rest.baseUrl>>> field. |
| |
| * Archiva uses redback for authentication and authorization in version 2.6 |
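| |
| The origin and token check described in the compatibility note above, and why a reverse proxy breaks it until a base URL is configured, as a simplified Python model added to these notes (not Archiva or Redback code). |
| The function and parameter names are hypothetical; the fallback to the server-side request URL when no base URL is set and the rejection of requests without a usable Origin or Referer are assumptions of this sketch; all hosts and the token are constructed. |

```python
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Reduce a URL to a comparable (scheme, host, port) tuple, or None."""
    try:
        parts = urlsplit(url or "")
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])

def check_request(headers, server_url, session_token, base_urls=()):
    """Return (allowed, reason) for a REST call. Hypothetical model only."""
    # Assumption: with no base URL configured, the expected origin is taken
    # from the request URL as the server (not the browser) sees it.
    targets = {origin_of(u) for u in (base_urls or [server_url])} - {None}
    # Origin wins when present; Referer is only a fallback.
    source = origin_of(headers.get("Origin") or headers.get("Referer"))
    if source is None:
        return False, "no usable Origin or Referer header"
    if source not in targets:
        return False, "origin does not match any base URL"
    sent = headers.get("X-XSRF-TOKEN", "")
    if not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "validation token missing or wrong"
    return True, "ok"

# Constructed sample values: a proxy terminates TLS for PUBLIC and forwards
# to the servlet container on INTERNAL.
TOKEN = "constructed-token-123"
INTERNAL = "http://10.0.0.5:8080/archiva/restServices/example"
PUBLIC = "https://repo.example.org/"

def demo():
    """Run the four situations the note is about and return the verdicts."""
    browser = {"Origin": "https://repo.example.org", "X-XSRF-TOKEN": TOKEN}
    forged = {"Origin": "https://other.example"}
    no_token = {"Origin": "https://repo.example.org"}
    return {
        "proxy_unconfigured": check_request(browser, INTERNAL, TOKEN),
        "proxy_with_base_url": check_request(browser, INTERNAL, TOKEN, [PUBLIC]),
        "cross_site": check_request(forged, INTERNAL, TOKEN, [PUBLIC]),
        "token_missing": check_request(no_token, INTERNAL, TOKEN, [PUBLIC]),
    }
```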
| |
| * Release Notes |
| |
| The Archiva ${project.version} features set can be seen in the {{{./tour/index.html} feature tour}}. |
| |
| * Changes in Archiva ${project.version} |
| |
| Released: <<${releaseDate}>> |
| |
| |
| ** New Feature |
| |
| |
| ** Improvement |
| |
| * [MRM-1925] - Make User-Agent header configurable for HTTP requests |
| |
| * [MRM-1861], [MRM-1924] - Increasing timeouts for repository check |
| |
| * [MRM-1937] - Prevent creating initial admin user with wrong name. |
| |
| * Adding origin header validation checks for REST requests |
| |
| ** Bugs fixed |
| |
| * [MRM-1859] - Error upon viewing 'Artifacts' tab when browsing an artifact |
| |
| * [MRM-1874] - Login Dialog triggers multiple events (+messages) |
| |
| * [MRM-1908] - Logged on users can write any repository |
| |
| * [MRM-1909] - Remote repository check fails for https://repo.maven.apache.org/maven2 |
| |
| * [MRM-1923] - Fixing bind issue with certain ldap servers, when user not found |
| |
| * [MRM-1926] - Invalid checksum files in Archiva repository after download from remote repository |
| |
| * [MRM-1928] - Bad redirect URL when using Archiva through HTTP reverse proxy |
| |
| * [MRM-1933] - No message body writer has been found for class org.apache.archiva.rest.services.ArchivaRestError |
| |
| * [MRM-1940] - Slashes appended to remote repo url |
| |
| |
| ** Task |
| |
| |
| |
| * History |
| |
| Archiva was started in November 2005, building a simple framework on top of some existing repository conversion |
| tools within the Maven project. Initial development focused on repository conversion, error reporting, and indexing. |
| From January 2006 a web application was started to visualise the information and to start incorporating |
| functionality from the unmaintained maven-proxy project. |
| |
| Development continued through many stops and starts. Initial versions of Archiva were built from source by contributors, |
| and the first alpha version was not released until April 2007. Some significant changes were made to improve |
| performance and functionality in June 2007, and over the next 6 months and a series of alpha and beta releases, a concerted effort |
| was made to release the 1.0 version. |
| |
| Archiva became an Apache "top level project" in March 2008. |
| |