New release 2.2.5
diff --git a/pom.xml b/pom.xml
index 2b67f7d..73242f9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,8 +38,8 @@
<archivaLastSerieVersion>1.3.9</archivaLastSerieVersion>
<archivaLastSerieVersionDate>1 July 2014</archivaLastSerieVersionDate>
-->
- <archivaReleaseVersion>2.2.4</archivaReleaseVersion>
- <archivaReleaseDate>30th April 2019</archivaReleaseDate>
+ <archivaReleaseVersion>2.2.5</archivaReleaseVersion>
+ <archivaReleaseDate>17th June 2020</archivaReleaseDate>
<archivaCurrentDevVersion>3.0.0-SNAPSHOT</archivaCurrentDevVersion>
<redbackCurrentDevVersion>3.0.0-SNAPSHOT</redbackCurrentDevVersion>
<supportedVersions></supportedVersions>
diff --git a/src/site/apt/developers/releasing.apt b/src/site/apt/developers/releasing.apt
index 9dceb26..e0d6f14 100644
--- a/src/site/apt/developers/releasing.apt
+++ b/src/site/apt/developers/releasing.apt
@@ -74,7 +74,8 @@
your settings.xml for {{archiva-repository.releases}}.
Prepare your environment:
- For Archiva 2.x you have to use JDK 7 and set memory settings.
+ For Archiva 2.x you have to use two different JDKs for the process. JDK 7 is used for the prepare release (compile)
+ and JDK 8 for uploading (supported SSL versions)
+-------------
export JAVA_HOME=<PATH_TO_JDK7>
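Review bot: the added sentence ending "and JDK 8 for uploading (supported SSL versions)" does not say which step fails under JDK 7 or what the failure looks like, and it has no closing period. Write the reason out as a full sentence, name the goals explicitly (release:prepare with JDK 7, release:perform with JDK 8), and say that the switch to JDK 8 happens further down, so a reader who stops at this verbatim block does not run the whole process on JDK 7.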
@@ -90,8 +91,14 @@
+-------------
Check that it has been properly tagged. The tag name must be.. archiva-[VERSION].
- If all works fine, execute
+ You can rollback with `mvn release:rollback`.
+ If all works fine, set JDK 8 and execute the release:perform task
+
++-------------
+export JAVA_HOME=<PATH_TO_JDK8>
+export PATH=$JAVA_HOME/bin:$PATH
++-------------
+-------------
mvn release:perform
+-------------
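Review bot: the backticks in "You can rollback with `mvn release:rollback`." are Markdown, not APT, so they will show up literally on the rendered site. APT monospace is written <<<mvn release:rollback>>>. While editing that line, "roll back" as a verb is two words, and "execute the release:perform task" should end with a period or colon since the command follows only after the JDK 8 export block.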
@@ -105,8 +112,12 @@
ARCHV="2.2.4" # Enter the new archiva version
RELEASE_URL="http://archiva-repository.apache.org/archiva/repository/archiva-releases-stage"
wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.tar.gz
+wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.tar.gz.asc
+wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.zip
+wget ${RELEASE_URL}/org/apache/archiva/archiva-jetty/${ARCHV}/archiva-jetty-${ARCHV}-bin.zip.asc
# Verify the signatures:
gpg -v archiva-jetty-${ARCHV}-bin.zip.asc
+gpg -v archiva-jetty-${ARCHV}-bin.tar.gz.asc
+-------------
The documentation is deployed as part of the process to the final location for review in the vote:
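Review bot: the added "gpg -v archiva-jetty-${ARCHV}-bin.tar.gz.asc" copies the existing pattern, but -v is the verbose flag, not the verify command, so the check depends on gpg guessing both the operation and the name of the signed file. Use the explicit form for both archives: gpg --verify archiva-jetty-${ARCHV}-bin.tar.gz.asc archiva-jetty-${ARCHV}-bin.tar.gz. This matters more here because RELEASE_URL is plain http, which leaves the signature as the only integrity check on the downloads, so the text should also say what a passing result is (a good signature from the release manager's key). The example value ARCHV="2.2.4" in the context line could be bumped or replaced with a placeholder in the same change.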
@@ -149,11 +160,12 @@
# Move also the POM and Redback and Redback Component releases, if there are new ones.
+-------------
+ Merge the archiva-releases-stage to archiva-releases on archiva-repository.apache.org
+
To sync the jars to Maven Central, you need to merge the repository archiva-releases-stage to "Central Rsync Repository"
Mark the appropriate release version in JIRA as complete.
-
Update the archiva site ({{https://gitbox.apache.org/repos/asf/archiva-site.git}}) for the versions and release notes URL:
Mostly these properties of the pom.xml should be edited:
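Review bot: the added step "Merge the archiva-releases-stage to archiva-releases on archiva-repository.apache.org" sits directly above the existing sentence about merging the same staging repository to "Central Rsync Repository", and nothing says these are two separate merges or in which order they run. Make them a numbered or bulleted pair, end the new line with a period, and state that both happen only after the vote has passed. Also check the blank line removed after "Mark the appropriate release version in JIRA as complete.": if it was the only separator, the "Update the archiva site" text now joins that paragraph in the rendered page.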
diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt
index aed31e0..d99b63f 100644
--- a/src/site/apt/security.apt
+++ b/src/site/apt/security.apt
@@ -36,6 +36,22 @@
%{toc|fromDepth=2|toDepth=2}
+* {CVE-2020-9495}: Apache Archiva login service is vulnerable to LDAP injection
+
+ By providing special values to the archiva login form a attacker is able to retrieve user attribute data from the connected LDAP server.
+ With certain characters it is possible to modify the LDAP filter used to query the users on the connected LDAP server.
+ By measuring the response time, arbitrary attribute data can be retrieved from LDAP user objects.
+
+ Versions Affected:
+
+ * All versions before 2.2.5
+
+ Mitigation:
+
+ * Upgrade to {{{./download.cgi} Archiva 2.2.5 or higher}}
+
+ * Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users
+ are assigned to admin role.
* {CVE-2019-0213}: Apache Archiva XSS may be stored in central UI configuration
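Review bot: the second mitigation bullet ("communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role") does not match the attack described above it, which goes through the login form and modifies the LDAP filter; restricting the admin role does not obviously limit that path. Either explain how this bullet reduces exposure for this CVE or drop it and leave the upgrade as the mitigation. The description should also state that the issue applies when Archiva is connected to an LDAP server, as the text implies. Wording: "a attacker" should be "an attacker", "archiva login form" should be capitalised as "Archiva", and "Make sure, that" takes no comma.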
diff --git a/src/site/xdoc/index.xml.vm b/src/site/xdoc/index.xml.vm
index bd9ffcf..6992b17 100644
--- a/src/site/xdoc/index.xml.vm
+++ b/src/site/xdoc/index.xml.vm
@@ -40,7 +40,7 @@
<div class="hero-unit">
<span class="bignumber badge badge-warning">NEW</span>
<p><strong>${archivaReleaseDate}: The new Apache Archiva release version ${archivaReleaseVersion} is ready for download <a href="http://archiva.apache.org/download.html"/> </strong>.
- This is a bugfix release. Please have a look at the <a href="http://archiva.apache.org/docs/2.2.4/release-notes.html">release notes</a> for further information.
+ This is a bugfix release. Please have a look at the <a href="http://archiva.apache.org/docs/2.2.5/release-notes.html">release notes</a> for further information.
As this release contains <strong>security fixes</strong>, we recommend to update to the new version immediately. </p>
</div>
</div>
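Review bot: the release-notes link hard-codes the version ("docs/2.2.5/release-notes.html") while the same paragraph already uses ${archivaReleaseVersion}, so this line has to be edited by hand at every release and can drift from the pom.xml property. Build the URL from the property instead, i.e. docs/${archivaReleaseVersion}/release-notes.html. Both links in the paragraph are http; since this text announces security fixes, switch them to https in the same change.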