Apache Archiva Main site deployment
effrafax committed Apr 30, 2019
1 parent 2487c99 commit dc9aa900c84e0dd0214b008be0f2d11a5c4e897f
Showing 3 changed files with 31 additions and 7 deletions.
@@ -160,7 +160,9 @@ <h2><a name="Archiva_release_process"></a>Archiva release process</h2>
<p>The documentation is deployed as part of the process to the final location for review in the vote:</p>
<div class="source"><pre class="prettyprint">git checkout archiva-${ARCHV} # Checkout the release version of archiva
cd archiva-doc
mvn site-deploy</pre></div>
mvn site:site
mvn site:stage # Check the content in target/staging
cp -r target/staging/* &lt;web-content-git&gt;/docs/${ARCHV}/ # Copy to the git web content repository</pre></div>
<p>If the vote doesn't pass, the documentation will need to be removed from the server for redeployment.</p>
<p>Commit the sources and binaries from <tt>org/apache/archiva/archiva-jetty</tt> and <tt>org/apache/archiva/archiva</tt> to the svn distribution tree. First in dev tree: <tt>https://dist.apache.org/repos/dist/dev/archiva/</tt></p>
<div class="source"><pre class="prettyprint">svn co https://dist.apache.org/repos/dist/dev/archiva/ archiva-dev-release
@@ -174,17 +176,17 @@ <h2><a name="Archiva_release_process"></a>Archiva release process</h2>
sh ./release-script-redback-svn.sh $REDBV ${RELEASE_URL}/</pre></div>
<p>If the vote pass they will be copied to release tree: <tt>https://dist.apache.org/repos/dist/release/archiva</tt></p>
<p>Call for a vote in the dev list and wait for 72 hrs. for the vote results. 3 binding votes are necessary for the release to be finalized. If the vote fails or needs to be canceled, the version number should not be re-used if the version was made available for public download. After the vote has passed, move the files from dist dev to dist release:</p>
<div class="source"><pre class="prettyprint">svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/relase/archiva/
<div class="source"><pre class="prettyprint">svn mv https://dist.apache.org/repos/dist/dev/archiva/${ARCHV} https://dist.apache.org/repos/dist/release/archiva/

# Move also the POM and Redback and Redback Component releases, if there are new ones.</pre></div>
<p>To sync the jars to Maven Central, you need to merge the repository archiva-releases-stage to &quot;Central Rsync Repository&quot;</p>
<p>Mark the appropriate release version in JIRA as complete.</p>
<p>Update the archiva site (https://svn.apache.org/repos/asf/archiva/site/) for the versions and release notes URL:</p>
<p>Update the archiva site (https://gitbox.apache.org/repos/asf/archiva-site.git) for the versions and release notes URL:</p>
<p>Mostly these properties of the pom.xml should be edited:</p>
<div class="source"><pre class="prettyprint"> &lt;archivaReleaseVersion&gt;2.2.3&lt;/archivaReleaseVersion&gt;
&lt;archivaReleaseDate&gt;16th May 2017&lt;/archivaReleaseDate&gt;
&lt;archivaCurrentDevVersion&gt;3.0.0-SNAPSHOT&lt;/archivaCurrentDevVersion&gt;</pre></div>
<p>Run <tt>mvn site:run</tt> and verify the changes. Commit your changes. Then run <tt>mvn site-deploy</tt>.</p>
<p>Run <b>deploySite.sh</b>. The script will give the information where to check the content locally and asks before pushing to the remote repository.</p>
<p>Once mirroring done (can be 24H): remove previous versions from https://dist.apache.org/repos/dist/release/archiva/</p>
<p>Publish the reference docs (sh ./deploySite.sh in the archiva-modules directory) from the release tag. You may have to exclude the archiva-webapp module to do this, and will require MAVEN_OPTS=-Xmx256m. You may need to use Maven 2.2.1 instead of Maven 3.x for this.</p>
<p>Send out an announcement of the release to:</p>
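Review bot: `Run deploySite.sh` does not say which repository the script lives in or where it pushes, and the unchanged sentence a few lines further down refers to `sh ./deploySite.sh in the archiva-modules directory` for the reference docs, so a reader now sees two scripts of the same name and a path for only one. Give the location (presumably the root of the https://gitbox.apache.org/repos/asf/archiva-site.git checkout introduced in the line above) and state that the push goes to that git remote, since the removed sentence still described the svn-era `mvn site-deploy`. The `dist/relase/archiva/` to `dist/release/archiva/` fix is correct; while touching this section, the carried-over advice to use Maven 2.2.1 and `MAVEN_OPTS=-Xmx256m` for the reference docs looks stale next to the git migration and is worth re-verifying rather than keeping as is.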
@@ -133,9 +133,9 @@
<div class="hero-unit">
<span class="bignumber badge badge-warning">NEW</span>

<p><b>Our code source is now using git, so you can propose pull requests using <a class="externalLink" href="https://github.com/apache/archiva">github mirror</a></b></p>

<p><b>30th April 2019 release of 2.2.4 See <a class="externalLink" href="http://archiva.apache.org/docs/2.2.4/tour/index.html">Quick Tour</a></b></p>
<p><b>30th April 2019: The new Apache Archiva release version 2.2.4 is ready for download </b>.
This is a bugfix release. Please have a look at the <a class="externalLink" href="http://archiva.apache.org/docs/2.2.4/release-notes.html">release notes</a> for further information.
As this release contains <b>security fixes</b>, we recommend to update to the new version immediately. </p>
</div>
</div>
</div>
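Review bot: the new announcement tells readers to update immediately because the release contains security fixes, yet it links the release notes over plain `http://archiva.apache.org/docs/2.2.4/release-notes.html`; use `https://` so the advice and the path to the download are not served over a downgradable channel, and link the words `ready for download` to the download page so the reader does not have to locate it. Minor wording: `we recommend to update` reads better as `we recommend updating`, and `</b>.` leaves the sentence's period outside the bold span.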
@@ -126,6 +126,8 @@ <h2><a name="Security_Vulnerabilities"></a>Security Vulnerabilities</h2>
<p>For more information about reporting vulnerabilities, see the <a class="externalLink" href="http://www.apache.org/security/"> Apache Security Team</a> page.</p>
<p>This is a list of known issues</p>
<ul>
<li><a href="#CVE-2019-0213:_Apache_Archiva_XSS_may_be_stored_in_central_UI_configuration">CVE-2019-0213: Apache Archiva XSS may be stored in central UI configuration</a></li>
<li><a href="#CVE-2019-0214:_Apache_Archiva_arbitrary_file_write_and_delete_on_the_server">CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server</a></li>
<li><a href="#CVE-2017-5657:_Apache_Archiva_CSRF_vulnerabilities_for_various_REST_endpoints">CVE-2017-5657: Apache Archiva CSRF vulnerabilities for various REST endpoints</a></li>
<li><a href="#CVE-2013-2251:_Apache_Archiva_Remote_Command_Execution">CVE-2013-2251: Apache Archiva Remote Command Execution</a></li>
<li><a href="#CVE-2013-2187:_Apache_Archiva_Cross-Site_Scripting_vulnerability">CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability</a></li>
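Review bot: the two new list entries carry only the CVE id and title, so someone scanning the list cannot see which release closes them without opening each section; appending `(fixed in 2.2.4)` to the two new entries, matching the 2.2.4 announcement on the index page that calls it a security release, would make the list usable as a checklist. The href fragments do match the `<a name=...>` anchors of the sections added further down, so the links resolve.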
@@ -135,6 +137,26 @@ <h2><a name="Security_Vulnerabilities"></a>Security Vulnerabilities</h2>
<li><a href="#CVE-2011-0533:_Apache_Archiva_cross-site_scripting_vulnerability">CVE-2011-0533: Apache Archiva cross-site scripting vulnerability</a></li>
<li><a href="#CVE-2010-3449:_Apache_Archiva_CSRF_Vulnerability">CVE-2010-3449: Apache Archiva CSRF Vulnerability</a></li></ul>
<div class="section">
<h3><a name="CVE-2019-0213:_Apache_Archiva_XSS_may_be_stored_in_central_UI_configuration"></a><a name="CVE-2019-0213">CVE-2019-0213</a>: Apache Archiva XSS may be stored in central UI configuration</h3>
<p>It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised. </p>
<p>Versions Affected:</p>
<ul>
<li>All versions before 2.2.4</li></ul>
<p>Mitigation:</p>
<ul>
<li>Upgrade to <a href="./download.cgi"> Archiva 2.2.4 or higher</a></li>
<li>Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role.</li></ul></div>
<div class="section">
<h3><a name="CVE-2019-0214:_Apache_Archiva_arbitrary_file_write_and_delete_on_the_server"></a><a name="CVE-2019-0214">CVE-2019-0214</a>: Apache Archiva arbitrary file write and delete on the server</h3>
<p>It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.</p>
<p>Versions Affected:</p>
<ul>
<li>All versions before 2.2.4</li></ul>
<p>Mitigation:</p>
<ul>
<li>It is highly recommended to upgrade to <a href="./download.cgi"> Archiva 2.2.4 or higher</a>, where additional validations are implemented to prevent such malicious parameter values.</li>
<li>As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user may have only write permission to the directories needed.</li></ul></div>
<div class="section">
<h3><a name="CVE-2017-5657:_Apache_Archiva_CSRF_vulnerabilities_for_various_REST_endpoints"></a><a name="CVE-2017-5657">CVE-2017-5657</a>: Apache Archiva CSRF vulnerabilities for various REST endpoints</h3>
<p>Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. A malicious site opened in the same browser as the archiva site, may send HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. adminstrator rights).</p>
<p>Versions Affected:</p>
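Review bot: the CVE-2019-0214 heading says `arbitrary file write and delete on the server`, but the paragraph under it only describes writing and overwriting files through the artifact upload mechanism and never says how a delete happens; either describe the delete case or drop it from the title, and name which upload parameter(s) the 2.2.4 validation covers, since `to prevent such malicious parameter values` identifies none. For CVE-2019-0213, `i.e. the logo URL` should be `e.g. the logo URL` because the logo URL is given as one example of a central configuration entry, and `considered as minor risk` reads better as `considered a minor risk`. In the CSRF paragraph, `adminstrator` should be `administrator`, and `may send HTML response that performs arbitrary actions` should read `may send requests that perform arbitrary actions`, since it is the attacker's page issuing requests to Archiva, not a response.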
