Google Git
Sign in
apache / velocity-site / refs/heads/security-news-update / . / src / content / news.xml
blob: b775d03ee43883f5b65dd6de8b42f5b8712b0c43 [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8" ?>
<news xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://velocity.apache.org/NEWS/1.0.0" xsi:schemaLocation="http://velocity.apache.org/NEWS/1.0.0 http://velocity.apache.org/site/tools/velocity-site-news/xsd/news-1.0.0.xsd">
<items>
<item id="CVE-2020-13936">
<date>2021-03-09</date>
<headline>Security Advisory for Velocity Engine - Velocity Sandbox Bypass - CVE-2020-13936</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
PROBLEM:
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
This issue has been assigned CVE-2020-13936.
WORKAROUND:
Applications using Apache Velocity that allow untrusted users to upload templates should upgrade to version 2.3. This version adds additional default restrictions on what methods/properties can be accessed in a template.
ACKNOWLEDGEMENTS:
This issue was discovered by Alvaro Munoz pwntester@github.com of Github Security Labs and was originally reported as GHSL-2020-048.
]]></text>
</item>
<item id="CVE-2020-13959">
<date>2021-03-09</date>
<headline>Security Advisory for Velocity tools - XSS Vulnerability - CVE-2020-13959</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
PROBLEM:
The default error page for VelocityView reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed.
XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
This issue has been assigned CVE-2020-13959.
WORKAROUND:
Applications based on Apache Velocity Tools should upgrade to version 3.1. This version escapes the reflected text on the default error page, preventing potential javascript execution.
ACKNOWLEDGEMENTS:
This issue was reported and a patch was submitted by Jackson Henry, member of Sakura Samurai.
]]></text>
</item>
<item id="tools31">
<date>2021-02-27</date>
<headline>Velocity Tools 3.1 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of Velocity Tools 3.1.
VelocityTools is a collection of Velocity subprojects with a common goal of providing tools and infrastructure
for building both web and standalone applications using the Apache Velocity template engine.
Main changes:
* Added an optional 'factory' attribute to tools with the classname of a factory for creating new tools instances.
* Added a new BreadcrumbTool meant to help displaying UI breadcrumb trails.
* Fix potential XSS vulterability in VelocityViewServlet error handling.
For a full list of changes, consult {{{https://velocity.apache.org/tools/3.1/changes.html}Velocity Tools 3.1 Changes section}} and {{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310130&version=12345408}JIRA changelog}}.
For notes on upgrading from earlier versions, see {{{https://velocity.apache.org/tools/3.1/upgrading.html}Velocity Tools 3.1 Upgrading section}}.
Downloads of Velocity Tools 3.1 are available {{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="engine23">
<date>2021-02-27</date>
<headline>Velocity Engine 2.3 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of Velocity Engine 2.3.
Main changes in this release:
+ Fix a minor security issue in user-edited templates applications: let SecureUberspector block methods on ClassLoader and subclasses.
+ New spring-velocity-support module for Velocity Engine integration in Spring Framework.
For a full list of changes, consult {{{https://velocity.apache.org/engine/2.3/changes.html}Velocity Engine 2.3 Changes section}} and {{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12348601}JIRA changelog}}.
For notes on upgrading, see {{{http://velocity.apache.org/engine/2.3/upgrading.html}Velocity Engine 2.3 Upgrading section}}.
Downloads of 2.3 are available {{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="engine22">
<date>2020-02-02</date>
<headline>Velocity Engine 2.2 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of Velocity Engine 2.2.
Main changes in this release:
+ New runtime.log.track_locations debugging configuration flag which displays the VTL stack trace in the logs in cases of errors, and populates slf4j MDC tags about position in VTL templates.
+ New example of how to build a customized VTL parser where the '#', '$', '*' and '@' characters can be replaced by alternate characters.
+ New backward compatibility flags to mimic 1.7.x event handlers and velicomacros behaviors.
For a full list of changes, consult {{{http://velocity.apache.org/engine/2.2/changes.html}Velocity Engine 2.2 Changes section}} and {{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12345391}JIRA changelog}}.
For notes on upgrading, see {{{http://velocity.apache.org/engine/2.2/upgrading.html}Velocity Engine 2.2 Upgrading section}}.
Downloads of 2.2 are available {{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="engine21">
<date>2019-03-31</date>
<headline>Velocity Engine 2.1 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of Velocity Engine 2.1.
Main changes in this release:
+ New VTL syntax: alternate reference values: ${foo|'foo'} evaluates to 'foo' whenever boolean evaluation of $foo is false.
+ New VTL syntax: Default block for empty loops: #foreach($i in $collection) ... #else nothing to display #end
+ Two more Engine 1.7 backward compatibility flags, parser.allow_hyphen_in_identifier and velocimacro.arguments.literal
+ Velocity Engine 2.1 now requires Java 1.8+.
For a full list of changes, consult {{{http://velocity.apache.org/engine/2.1/changes.html}Velocity Engine 2.1 Changes section}} and {{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12344272}JIRA changelog}}.
For notes on upgrading, see {{{http://velocity.apache.org/engine/2.1/upgrading.html}Velocity Engine 2.1 Upgrading section}}.
Downloads of 2.1 are available {{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="tools30">
<date>2018-10-09</date>
<headline>Velocity Tools 3.0 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of Velocity Tools 3.0.
VelocityTools is a collection of Velocity subprojects with a common goal of providing tools and infrastructure
for building both web and standalone applications using the Apache Velocity template engine.
Velocity Tools 3.0 brings a few new context tools (CollectionTool, JsonTool) and bugfixes
along with a complete rewrite for some other tools (BrowserTool, ImportTool, XmlTool).
It now uses Velocity Engine 2.0 and SLF4J.
For a complete list of changes, please visit {{{https://dist.apache.org/repos/dist/release/velocity/tools/3.0/release-notes.html}the Velocity Tools 3.0 releases notes}}.
For notes on upgrading from Velocity Engine 1.x and Velocity Tools 2.0, see {{{http://velocity.apache.org/engine/2.0/upgrading.html}Velocity Engine 2.0 Upgrading section}}
and {{{http://velocity.apache.org/tools/3.0/upgrading.html}Velocity Tools 3.0 Upgrading section}}.
Downloads of Velocity Tools 3.0 are available {{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="engine20">
<date>2017-08-06</date>
<headline>Velocity Engine 2.0 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of
Velocity Engine 2.0.
Among the main new features and enhancements:
+ Logging to the SLF4J logging facade.
+ Configurable whitespace gobbling.
+ Method arguments and array subscripts can now be arithmetic expressions.
+ Configurable method arguments conversion handler with automatic conversions between booleans, numbers, strings and enums.
+ Significant reduction of the memory consumption.
+ JSR-223 Scripting Engine implementation.
For a full list of changes, consult {{{http://velocity.apache.org/engine/2.0/changes.html}Velocity Engine 2.0 Changes section}} and {{{https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310104&version=12338243}JIRA changelog}}.
For notes on upgrading from Velocity 1.x, see {{{http://velocity.apache.org/engine/2.0/upgrading.html}Velocity Engine 2.0 Upgrading section}}.
Note for Velocity Tools users: Velocity Tools 3.0 shall soon be released. Meanwhile, you are encouraged to use the {{{https://repository.apache.org/content/repositories/snapshots/org/apache/velocity/velocity-tools-generic/3.0-SNAPSHOT/}Velocity Tools 3.x last snapshot}} (see {{{http://velocity.apache.org/tools/devel/upgrading.html}Velocity Tools 3.x Upgrading notes}}).
Downloads of 2.0 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="engine17">
<date>2010-11-29</date>
<headline>Velocity Engine 1.7 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the release of
Velocity Engine 1.7.
Since 1.6, there has been a lot of work: #@body()content#end, #[[literal content]]#,
major namespacing changes, $newListSyntax[$i], and more. Please see the change log
for details!
Since 1.7-beta1, we fixed, {{{https://issues.apache.org/jira/browse/VELOCITY-785}VELOCITY-785}}, {{{https://issues.apache.org/jira/browse/VELOCITY-766}VELOCITY-766}}, {{{https://issues.apache.org/jira/browse/VELOCITY-760}VELOCITY-760}}, and {{{https://issues.apache.org/jira/browse/VELOCITY-753}VELOCITY-753}}. We also added
access to current template and directive debugging info through $<foo>.info
(where <foo> is the namespace you are seeking info about).
For more details on these, again, see the
{{{http://velocity.apache.org/engine/devel/changes-report.html}change log}}.
Downloads of 1.7 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
This is a drop-in replacement for Velocity 1.6, however, it also begins
the transition to 2.0 features. Users upgrading should expect deprecation
warnings in their logs.
]]></text>
</item>
<item id="tools20">
<date>2010-05-10</date>
<headline>VelocityTools 2.0 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are very pleased to make VelocityTools 2.0 available for download.
This should be useable as a drop in replacement for Tools 1.4 or
Tools 2.0-beta4, with a few minor exceptions.
The 2.x series of VelocityTools requires Velocity 1.6 and JDK 1.5+.
Since the last beta release, there have been a variety of enhancements. Here's the notable ones:
* Added a 'readOnly' config option to allow write operations on ValueParser and ParameterTool when set to false
* Added a beta-quality UiDependencyTool (included in velocity-view, but not in default tools.xml)
* Added an alpha-quality MarkupTool (included in generic tools, but not in default tools.xml)
* Fixed (as much as possible) some significant last-iteration LoopTool problems, and added a getThis() method as a more reliable workaround in nested loops. See {{{https://issues.apache.org/jira/browse/VELTOOLS-124}VELTOOLS-124}}.
* VelocityLayoutServlet now checks request attributes for non-default layouts.
* The velocity-view.tld is now valid.
* VelocityView[Servlet] have improved exception and http management (particularly for ResourceNotFoundExceptions).
* Miscellaneous documentation and build.xml improvements
The Velocity developers are very interested in all feedback regarding
Tools 2.0, especially regarding backwards compatibility with apps designed
for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition
for developers and their applications.
Downloads of Tools 2.0 are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="engine164">
<date>2010-05-10</date>
<headline>Velocity Engine 1.6.4 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers would like to announce the release of
Velocity Engine 1.6.4.
This release provides two small bugfixes and one critical fix. The critical
fix resolves a 100% CPU loop hang under simultaneous HashMap calls in our
ClassMap implementation due to a classic bug in Sun's implementation. We now
use ConcurrentHashMap when available and Hashtable otherwise. It's also
important to note that the auto-init feature is now only supported with Java
1.5+.
For more information, see {{{https://issues.apache.org/jira/browse/VELOCITY-717}VELOCITY-717}}, {{{https://issues.apache.org/jira/browse/VELOCITY-750}VELOCITY-750}}, and {{{https://issues.apache.org/jira/browse/VELOCITY-718}VELOCITY-718}},
.
Downloads of 1.6.4 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
This is a drop-in replacement for Velocity 1.6.3.
]]></text>
</item>
<item id="engine17beta1">
<date>2010-04-16</date>
<headline>Velocity Engine 1.7-beta1 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers would like to announce the release of
Velocity Engine 1.7-beta1.
Since 1.6, there has been a lot of work. Here's an overview:
* Support macro bodies. Just call them like this: #@foo() body content #end
* Can now escape single and double quotes in strings by doubling them
* Added #[[this is included in the output but not parsed]]# syntax to replace #literal
* All #set calls are now global by default; no more implicit local namespaces (not that there were well functioning ones before). To #set a local variable, use the new provided namespaces: $foreach, $macro, $template, $evaluate, $define and $foo (would exist inside the body of #@foo() #end). These must now be used to #set any variable "locally" like this: #set( $macro.mylocal = 'foo' ). When nested, access to parent namespaces is similarly explicit (e.g. $macro.parent). Please see the {{{http://velocity.apache.org/engine/devel/changes-report.html}change log}} for details.
* Enhanced #break to function anywhere and optionally accept a namespace argument when you want to break beyond the nearest scope. (e.g. #break( $macro ))
* Added bracketed index syntax: $foo[0] or #set( $foo[0] = 1 )
* #stop now ends rendering/execution of a template, not parsing of a template
* OSGI-ready manifests are now provided in the jars
* A variety of small bugfixes, performance boosts and better exceptions/logging.
* Removed very obsolete Veltag and WebMacro conversion code.
For more details on these, see the
{{{http://velocity.apache.org/engine/devel/changes-report.html}change log}}.
Downloads of 1.7-beta1 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
This should work as a drop-in replacement for Velocity 1.6.3 in most cases.
Users of $velocityCount, $velocityHasNext and #literal should take note of their deprecations. Users of #stop and #break should be aware of significant changes
to those features.
]]></text>
</item>
<item id="engine163">
<date>2009-12-16</date>
<headline>Velocity Engine 1.6.3 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers would like to announce the release of
Velocity Engine 1.6.3.
This release provides users the ability to revert to the previous
#if behavior, which did not call toString() in order to check its status.
This results in inconsistent reference treatment, but offers much superior performance in cases where toString() is an expensive operation.
To enable this reversion, set the "directive.if.tostring.nullcheck"
property to false in your velocity.properties. This should restore
performance of the #if directive to previous levels.
For more information, see {{{https://issues.apache.org/jira/browse/VELOCITY-731}VELOCITY-731}}.
Downloads of 1.6.3 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
This is a drop-in replacement for Velocity 1.6.2.
]]></text>
</item>
<item id="engine162">
<date>2009-03-19</date>
<headline>Velocity Engine 1.6.2 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers would like to announce the release of
Velocity Engine 1.6.2.
This release fixes the behaviour of $velocityHasNext ({{{https://issues.apache.org/jira/browse/VELOCITY-651}VELOCITY-651}}
and {{{https://issues.apache.org/jira/browse/VELOCITY-658}VELOCITY-658}}), resolves some regression bugs
({{{https://issues.apache.org/jira/browse/VELOCITY-667}VELOCITY-667}}, {{{https://issues.apache.org/jira/browse/VELOCITY-681}VELOCITY-681}},
{{{https://issues.apache.org/jira/browse/VELOCITY-701}VELOCITY-701}}), and fixes two problems with resource loaders
({{{https://issues.apache.org/jira/browse/VELOCITY-693}VELOCITY-693}}, {{{https://issues.apache.org/jira/browse/VELOCITY-702}VELOCITY-702}}).
It is a drop-in replacement for Velocity 1.6.1.
Downloads of 1.6.2 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="tools20beta4">
<date>2009-05-27</date>
<headline>VelocityTools 2.0-beta4 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to make a fourth beta release of
VelocityTools 2.0 available for download.
This should be useable as a drop in replacement for Tools 1.4 or
Tools 2.0-beta3, with a few minor exceptions.
The 2.x series of VelocityTools requires Velocity 1.6 and JDK 1.5+.
Since the last beta release, there have been a number of significant fixes
and enhancements. Here's the key ones:
* Tools references are no longer read-only by default
* LinkTool double-encoding problem is fixed
* Upgraded to depend on Engine 1.6.2
* Deprecated ListTools due to irrelevance in Engine 1.6.x
* ResourceTool now gives access to bundle keys
* MultiViewsTool was changed into new, better IncludeTool
* Added syntactical sugar to CookieTool
* Multiple new methods contributed for DisplayTool
* Added the WebappUberspector for natural #set of attributes in webapp scopes (e.g. #set( $request.foo = 'bar' ))
* Refactored JeeConfig to be an interface
The Velocity developers are very interested in all feedback regarding
Tools 2.0, especially regarding backwards compatibility with apps designed
for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition
for developers and their applications.
Downloads of Tools 2.0-beta4 are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="engine161">
<date>2008-12-15</date>
<headline>Velocity Engine 1.6.1 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers would like to announce the release of
Velocity Engine 1.6.1.
This release fixes the method reflection problems discovered in
{{{https://issues.apache.org/jira/browse/VELOCITY-651}VELOCITY-651}}
and an macro argument bug identified in
({{{https://issues.apache.org/jira/browse/VELOCITY-615}VELOCITY-615}}).
It is a drop-in replacement for Velocity 1.6.
Downloads of 1.6.1 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="engine16">
<date>2008-12-01</date>
<headline>Velocity Engine 1.6 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are very pleased to announce the release of
Velocity Engine 1.6.
This release contains numerous fixes, features and improvements.
Please see the
{{{http://velocity.apache.org/engine/releases/velocity-1.6/changes-report.html}change log}}
for a full listing. This should be a drop-in replacement for Velocity 1.5.
Highlights in this release include:
* Dramatically improved performance
* New core directives: #evaluate, #define, and #break
* Support for vararg method calls
* Long requested ability to #parse( 'mymacros.vm' )
* Ability to call methods like size() and get(int) on arrays
Downloads of Engine 1.6 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="tools20beta3">
<date>2008-12-01</date>
<headline>VelocityTools 2.0-beta3 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to make the third beta release of
VelocityTools 2.0 available for download.
This should be useable as a drop in replacement for Tools 1.4 or
Tools 2.0-beta2, with a few minor exceptions.
The 2.x series of VelocityTools also requires both Velocity 1.5+ and JDK 1.5+.
Since the last beta release, there have been a number of small fixes,
additional features (like caching for VelocityViewTag), and especially,
improvements in the extensibility of VelocityView.
The Velocity developers are very interested in all feedback regarding
Tools 2.0, especially regarding backwards compatibility with apps designed
for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition
for developers and their applications.
Downloads of Tools 2.0-beta3 are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="engine16beta2">
<date>2008-10-27</date>
<headline>Velocity Engine 1.6-beta2 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are very pleased to make the seconde beta release of
Velocity Engine 1.6 available for download.
This release contains many bugfixes and a new "strict reference mode"
feature. Please see the
{{{http://velocity.apache.org/engine/devel/changes-report.html}change log}}
for a full listing. This should be a drop-in replacement for Velocity 1.5
or Velocity 1.6-beta1.
Downloads of Tools 1.6-beta2 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="engine16beta1">
<date>2008-09-22</date>
<headline>Velocity Engine 1.6-beta1 released</headline>
<categories>
<category>velocity</category>
<category>engine</category>
</categories>
<text><![CDATA[
The Velocity developers are very pleased to make the first beta release of
Velocity Engine 1.6-beta1 available for download.
This release contains many bugfixes, new features and drastic
performance improvements. Please see the
{{{http://velocity.apache.org/engine/devel/changes-report.html}change log}}
for a full listing. This should be a drop-in replacement for Velocity 1.5.
Downloads of Tools 1.6-beta1 are available
{{{http://velocity.apache.org/download.cgi#engine}here}}.
]]></text>
</item>
<item id="tools20beta2">
<date>2008-07-11</date>
<headline>VelocityTools 2.0 Beta2 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to make the second beta release of
VelocityTools 2.0 available for download.
Major development in VelocityTools 2.0 has completed, and the focus
has been on fixing the remaining bugs and providing a clear migration path
for users of VelocityTools 1.x. Significant new features in 2.0
include very flexible, composable toolbox configuration (via either java, xml,
and/or properties), lazy-loading/initialization of tools, the
VelocityViewTag for embedding Velocity within JSP, simplified embedding
of VelocityTools in other frameworks, an assortment
of new and improved tools, and much more.
This should be useable as a drop in replacement for Tools 1.4,
with a few minor exceptions where things already deprecated earlier
in 1.x have been removed. The 2.x series of VelocityTools also requires
both Velocity 1.5+ and JDK 1.5+.
At this point, the new tool management and configuration
facilities are extremely stable and useable. Documentation has
continued to improve dramatically and is nearing completion.
There are no open or known bugs in this release nor significant
changes anticipated before 2.0 final is released.
We are also more than happy to answer questions on the mailing lists.
More information on the changes between Tools 1.x and 2.x may be found
{{{http://wiki.apache.org/velocity/VelocityTools2/Planning}here}}.
The Velocity developers are very interested in all feedback regarding
Tools 2.0, especially regarding backwards compatibility with apps designed
for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition
for developers and their applications.
Downloads of Tools 2.0-beta2 are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="tools20beta1">
<date>2007-12-26</date>
<headline>VelocityTools 2.0 Beta1 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to make the first beta release of
VelocityTools 2.0 available for download and testing.
This release marks the completion of major
development in VelocityTools 2.0, which is now the main development
trunk. Significant new features in 2.0
include very flexible, composable toolbox configuration (via either java, xml,
and/or properties), lazy-loading/initialization of tools, the
VelocityViewTag for embedding Velocity within JSP, an assortment
of new and improved tools, and much more.
This should be useable as a drop in replacement for Tools 1.4,
with a few minor exceptions where things already deprecated earlier
in 1.x have been removed. This also is the first Tools release to require both
Velocity 1.5+ and JDK 1.5+.
At this point, the new tool management and configuration
facilities are extremely stable and useable. Documentation has
been radically improved since the alpha release, though more work
remains there before 2.0 final is released. There are no open or known
bugs in this release and encourage further testing (especially of
the library's backwards compatibility) as we progress rapidly toward
the 2.0 release.
We are also more than happy to answer questions on the mailing lists.
More information on the changes between Tools 1.x and 2.x may be found
{{{http://wiki.apache.org/velocity/VelocityTools2Planning}here}}.
The Velocity developers are very interested in all feedback regarding
Tools 2.0, especially regarding backwards compatibility with apps designed
for Tools 1.4 or earlier. We aim to enable a smooth, incremental transition
for developers and their applications.
Downloads of Tools 2.0-beta1 are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="tools14">
<date>2007-11-26</date>
<headline>VelocityTools 1.4 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The VelocityTools developers are pleased to announce the release
of VelocityTools 1.4.
There have been many important bug fixes since the 1.3 release
and a handful of new features. While important, the overall slate
of changes is small compared to previous releases due to the rapid
progress of the upcoming 2.0 version. This is expected to be the
last release of the 1.x series, as 2.0 is both superior and backwards
compatible.
New features in VelocityTools 1.4 include more configurability for
NumberTool and DateTool, the new ComparisonDateTool, and new abilities
for EscapeTool and LinkTool. For a full listing of new features and bug
fixes please see the
{{{http://velocity.apache.org/tools/releases/1.4/changes.html}change log}}.
Downloads are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="dvsl10">
<date>2007-08-13</date>
<headline>DVSL 1.0 released</headline>
<categories>
<category>velocity</category>
<category>dvsl</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to make the release of
DVSL 1.0 available for download and testing.
This release fixes an incompatibility between DVSL 0.x and Velocity 1.5 or newser,
along with some minor cleanup and refactoring. It is not a drop in replacement
of DVSL 0.45 since the main package has changed from org.apache.tools.dvsl to
org.apache.dvsl.
Files can be downloaded {{{http://velocity.apache.org/download.cgi#dvsl}here}}.
]]></text>
</item>
<item id="tools20alpha1">
<date>2007-07-02</date>
<headline>VelocityTools 2.0 Alpha1 released</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to make the first alpha release of
VelocityTools 2.0 available for download and testing.
This is a milestone release marking the completion of most major
development in the Tools 2.x branch. Significant new features include
very flexible, composable toolbox configuration (via either java, xml,
and/or properties), lazy-loading/initialization of tools, the
VelocityViewTag for embedding Velocity within JSP, an assortment
of new and improved tools, and more.
This should be useable as a drop in replacement for Tools 1.3,
with a few exceptions where things already deprecated in 1.x have been
removed. This also is the first Tools release to require both
Velocity 1.5+ and JDK 1.5+.
Early adopters may consider the new tool management and configuration
facilities to be quite stable. At this point, documentation is
limited to javadoc and the example apps, which have been updated
to demonstrate the new tools, the VelocityViewTag, and configuration.
We are also more than happy to answer questions on the mailing lists.
More information on the changes between Tools 1.x and 2.x may be found
{{{http://wiki.apache.org/velocity/VelocityTools2Planning}here}}.
The Velocity developers are very interested in all feedback regarding
Tools 2.0, especially regarding backwards compatibility with apps designed
for Tools 1.3 or earlier. We aim to enable a smooth, incremental transition
for developers and their applications.
Downloads of Tools 2.0-alpha1 are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="anakia10texen10">
<date>2007-05-06</date>
<headline>Anakia 1.0 and Texen 1.0 released</headline>
<categories>
<category>anakia</category>
<category>texen</category>
<category>velocity</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to issue two new releases:
Anakia 1.0 and Texen 1.0.
Anakia is an XML text transformation tool based on Apache
Velocity and Apache Ant. It provides an alternative to using Ant
's <style> task and XSL to process XML files. A common use of
Anakia is to process xdoc files and create site/project
documentation. More information on Anakia can be found here:
{{http://velocity.apache.org/anakia/releases/anakia-1.0/}}
Texen is a general-purpose text generation utility, also based on
Apache Velocity and Apache Ant. More information is here:
{{http://velocity.apache.org/texen/releases/texen-1.0/}}
Both Anakia and Texen were previously part of the core Velocity
engine distribution but have been split off into their own
packages to simplify maintenance and facilitate different release
cycles. To avoid namespace conflict, org.apache.velocity.anakia
has been moved to org.apache.anakia and org.apache.velocity.texen
has been changed to org.apache.texen.
]]></text>
</item>
<item id="velocity-docbook-framework-10">
<date>2007-04-09</date>
<headline>Velocity DocBook Framework 1.0 released</headline>
<categories>
<category>docbook</category>
<category>velocity</category>
</categories>
<text><![CDATA[
The Velocity developers are very pleased to announce the first
release of the Velocity Docbook framework. It is intended to
help creating high-quality documentation in the DocBook format
which can be used online or as PDF for print out.
The downloads and documentation are available from {{http://velocity.apache.org/docbook/}}.
]]></text>
</item>
<item id="velocity-15">
<date>2007-03-06</date>
<headline>Velocity 1.5 Released!</headline>
<categories>
<category>engine</category>
<category>velocity</category>
</categories>
<text><![CDATA[
The Velocity developers are very pleased to announce the final
release of Velocity 1.5. Downloads are available
{{{http://velocity.apache.org/download.cgi}here}}.
After a little more tweaking on Beta 2, the 1.5 final release
is finally here! Since Beta 2 we have fixed a major problem
with the new SecureUberspector as well as several bugs and
broken links in our documentation.
Some of the other new features since Velocity 1.4 include:
* floating point number arithmetic
* new event handlers for altering #include/#parse behavior
* literal map syntax
A complete list of changes is available at our
{{{http://issues.apache.org/jira/browse/VELOCITY?report=com.atlassian.jira.plugin.system.project:roadmap-panel}issue
tracker}}. You should also check out the
{{{http://wiki.apache.org/velocity/Velocity15ReleaseNotes}release
notes}} on the Wiki. Please report any additional bugs in the
issue tracker and we will try to address them before the next
release.
]]></text>
</item>
<item id="velocity-tools-13">
<date>2007-02-08</date>
<headline>VelocityTools 1.3 is available</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The VelocityTools developers are pleased to announce the release
of VelocityTools 1.3.
There have been many improvements made since the 1.2 release. A
key focus in this version has been ease of use. We've simplifyied
developing your own tools by eliminating the ViewTool and Configurable
interfaces, and we've simplifyied the syntax for using many of
our existing tools within Velocity templates to both save keystrokes
and reduce visual clutter.
The distribution also comes with a new "showcase" example webapp
that demonstrates many of the uses of the various tools as well
as allowing you to interactively play with them. Just download the
binary distribution, and deploy the "showcase.war" example to your
servlet container to try it out.
Also included are the usual slate of bug fixes, dependency
upgrades, entirely new tools, and new functions for existing tools.
For a full listing of changes, see the
{{{http://velocity.apache.org/tools/devel/changes.html}change log}}.
Downloads are available
{{{http://velocity.apache.org/download.cgi#tools}here}}.
]]></text>
</item>
<item id="velocity-tools-13rc1">
<date>2007-01-25</date>
<headline>VelocityTools 1.3 Release Candidate 1 available</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The VelocityTools developers are pleased to announce the first release
candidate for VelocityTools 1.3. Downloads are available
{{{http://velocity.apache.org/download.cgi}here}}.
]]></text>
</item>
<item id="velocity-tools-13beta1">
<date>2007-01-13</date>
<headline>Velocity Tools 1.3 Beta 1 available</headline>
<categories>
<category>velocity</category>
<category>tools</category>
</categories>
<text><![CDATA[
The Velocity Tools developers are pleased to announce the first beta
release of Velocity Tools 1.3. Downloads are available
{{{http://velocity.apache.org/download.cgi}here}}.
]]></text>
</item>
<item id="new-website">
<date>2007-01-07</date>
<headline>New Velocity Web Site has been deployed</headline>
<categories>
<category>general</category>
<category>velocity</category>
</categories>
<text><![CDATA[
The new {{{http://velocity.apache.org/}Apache Velocity Web
Site}} is online. Subscribe to the
{{{http://velocity.apache.org/rss/news.rss}RSS feed}} to keep
up to date.
]]></text>
</item>
<item id="velocity-tlp">
<date>2006-10-26</date>
<headline>Velocity Approved as Top Level Project</headline>
<categories>
<category>general</category>
<category>velocity</category>
</categories>
<text><![CDATA[
The Board of the Apache Software Foundation has passed a
resolution to upgrade Jakarta Velocity into an Apache Top Level
Project (TLP), to be renamed Apache Velocity. We are excited of
the new prominence of the Velocity project.
Please stay tuned for our new website at
{{http://velocity.apache.org/}}. In the meantime, note that our
new mailing lists are <user@velocity.apache.org> (subscribe at
<user-subscribe@velocity.apache.org>) for general questions, and
<dev@velocity.apache.org> (subscribe at
<dev-subscribe@velocity.apache.org>) for development-related
activity.
]]></text>
</item>
<item id="velocity-1.5-beta-2">
<date>2006-11-24</date>
<headline>Velocity 1.5 Beta 2 Released</headline>
<categories>
<category>engine</category>
<category>velocity</category>
</categories>
<text><![CDATA[
The Velocity developers are pleased to announce the second beta
release of Velocity 1.5. Downloads are available
{{{http://velocity.apache.org/download.cgi}here}}.
This beta version is one of the final steps before the
long-awaited version 1.5. Since Beta 1 we have added a new
InvalidReferenceEventHandler (to catch invalid references), the
SecureUberspector (to prevent introspection on "dangerous
objects"), and a StringResourceLoader. We've also fixed some
critical bugs, including a subtle synchronization problem
causing page generation to fail under heavy loads.
Some of the other new features since Velocity 1.4 include:
* floating point number arithmetic
* new event handlers for altering #include/#parse behavior
* literal map syntax
A complete list of changes is available at our
{{{http://issues.apache.org/jira/browse/VELOCITY?report=com.atlassian.jira.plugin.system.project:roadmap-panel}issue
tracker}}. You may also want to check out the draft
{{{http://wiki.apache.org/velocity/Velocity15ReleaseNotes}release
notes}} on the Wiki. Please report any additional bugs in the
issue tracker, especially those that need to be fixed before our
final release. (use 1.5 beta 2 as the version).
]]></text>
</item>
<item id="velocity-repo-moved">
<date>2006-12-01</date>
<headline>The Velocity SVN Repository moved!</headline>
<categories>
<category>general</category>
<category>velocity</category>
</categories>
<text><![CDATA[
As part of our move to top-level status, we moved the Subversion
repository. It is now available from {{http://svn.apache.org/repos/asf/velocity}}.
Please update your references. If you have already checked out
the source code, you can use the <<<svn switch>>> command to update your local copy.
]]></text>
</item>
</items>
</news>