Adding release info.
diff --git a/src/site/apt/developers/releasing.apt b/src/site/apt/developers/releasing.apt
index 528e677..d43e4dd 100644
--- a/src/site/apt/developers/releasing.apt
+++ b/src/site/apt/developers/releasing.apt
@@ -92,7 +92,9 @@
+-------------
git checkout archiva-${ARCHV} # Checkout the release version of archiva
cd archiva-doc
-mvn site-deploy
+mvn site:site
+mvn site:stage # Check the content in target/staging
+cp -r target/staging/* <web-content-git>/docs/${ARCHV}/ # Copy to the git web content repository
+-------------
If the vote doesn't pass, the documentation will need to be removed from the server for redeployment.
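Review bot: the added steps stop at the `cp -r target/staging/* <web-content-git>/docs/${ARCHV}/` line and never say that the copied files have to be committed and pushed in the web content repository, while the unchanged sentence after the block still speaks of removing the documentation "from the server". Please add the commit/push step (or state that publishing happens at a later step) and reword the follow-up sentence so it says what has to be reverted in the git repository when the vote fails. It is also worth stating that `docs/${ARCHV}/` must exist before the copy, because `cp -r` with a glob source fails when the target directory is missing.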
@@ -120,7 +122,7 @@
After the vote has passed, move the files from dist dev to dist release:
+-------------
-svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/relase/archiva/
+svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/release/archiva/
# Move also the POM and Redback and Redback Component releases, if there are new ones.
+-------------
@@ -130,7 +132,7 @@
Mark the appropriate release version in JIRA as complete.
- Update the archiva site (https://svn.apache.org/repos/asf/archiva/site/) for the versions and release notes URL:
+ Update the archiva site (https://gitbox.apache.org/repos/asf/archiva-site.git) for the versions and release notes URL:
Mostly these properties of the pom.xml should be edited:
@@ -140,7 +142,7 @@
<archivaCurrentDevVersion>3.0.0-SNAPSHOT</archivaCurrentDevVersion>
+-------------
- Run <<<mvn site:run>>> and verify the changes. Commit your changes. Then run <<<mvn site-deploy>>>.
+ Run <<deploySite.sh>>. The script will give the information where to check the content locally and asks before pushing to the remote repository.
Once mirroring done (can be 24H): remove previous versions from https://dist.apache.org/repos/dist/release/archiva/
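Review bot: `<<deploySite.sh>>` on the added line is APT bold markup, whereas the line it replaces wrote commands as `<<<...>>>` (monospaced), so this should be `<<<deploySite.sh>>>` to render like the other commands in the document. The sentence also does not say where the script lives or from which directory it is run; naming the repository and path would save the release manager a search. Minor grammar: "gives the information ... and asks", not "will give ... and asks".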
diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt
index cd2c6c9..aed31e0 100644
--- a/src/site/apt/security.apt
+++ b/src/site/apt/security.apt
@@ -37,6 +37,42 @@
%{toc|fromDepth=2|toDepth=2}
+* {CVE-2019-0213}: Apache Archiva XSS may be stored in central UI configuration
+
+ It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL.
+ The vulnerability is considered as minor risk, as only users with admin role can change the configuration,
+ or the communication between the browser and the Archiva server must be compromised.
+
+ Versions Affected:
+
+ * All versions before 2.2.4
+
+ Mitigation:
+
+ * Upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}}
+
+ * Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users
+ are assigned to admin role.
+
+
+* {CVE-2019-0214}: Apache Archiva arbitrary file write and delete on the server
+
+ It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism.
+ Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
+
+ Versions Affected:
+
+ * All versions before 2.2.4
+
+ Mitigation:
+
+ * It is highly recommended to upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}}, where additional validations are implemented
+ to prevent such malicious parameter values.
+
+ * As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user
+ may have only write permission to the directories needed.
+
+
* {CVE-2017-5657}: Apache Archiva CSRF vulnerabilities for various REST endpoints
Several REST service endpoints of Apache Archiva are not protected against CSRF attacks.
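Review bot: the CVE-2019-0214 heading says "arbitrary file write and delete", but the description below it only covers writing and overwriting files through artifact upload and never explains how deletion comes into play; add a sentence on the delete case or drop it from the heading so the advisory is self-consistent. In the CVE-2019-0213 entry, "i.e. the logo URL" reads as if the logo URL were the only affected configuration entry; if it is one example among several, use "e.g.". The second CVE-2019-0214 mitigation would be clearer as "the archiva run user has write permission only to the directories needed", since "may have only write permission" can be read as write-only access. Both entries link to `./download.cgi`, while the index.xml.vm change in this same commit points to `download.html`; pick one target.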
diff --git a/src/site/xdoc/index.xml.vm b/src/site/xdoc/index.xml.vm
index 4f0a552..96586e8 100644
--- a/src/site/xdoc/index.xml.vm
+++ b/src/site/xdoc/index.xml.vm
@@ -39,8 +39,7 @@
<div class="newsBox">
<div class="hero-unit">
<span class="bignumber badge badge-warning">NEW</span>
- <p><strong>Our code source is now using git, so you can propose pull requests using <a href="https://github.com/apache/archiva">github mirror</a></strong></p>
- <p><strong>${archivaReleaseDate} release of ${archivaReleaseVersion} See <a href="http://archiva.apache.org/docs/${archivaReleaseVersion}/tour/index.html">Quick Tour</a></strong></p>
+ <p><strong>${archivaReleaseDate} release of ${archivaReleaseVersion} is ready for download <href a="http://archiva.apache.org/download.html"/> </strong>. We recommend to update to the new version.</p>
</div>
</div>
</div>
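Review bot: the added line contains `<href a="http://archiva.apache.org/download.html"/>`, which swaps the element and attribute names and is self-closing, so no link will render; it should be an `<a href="...">` element with link text and a closing `</a>`. The `</strong>` also closes before the period and the "We recommend to update" sentence, which leaves a stray space and an unbolded full stop; move the punctuation inside or restructure the sentence. Consider an https URL here, since the security page updated in this same commit recommends TLS between browser and server. The removed "Quick Tour" link and the GitHub pull-request notice disappear without replacement; confirm that is intended.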