Release Notes -- Apache Jackrabbit -- Version 2.0.6
Apache Jackrabbit 2.0.6 is a bug fix release that fixes issues reported
against previous releases. This release is fully compatible with the
earlier 2.0.x releases.
Security advisory (JCR-3883 / CVE-2015-1833)
This release fixes an important security issue in the jackrabbit-webdav module
reported by Mikhail Egorov.
When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.
Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository.
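As an added example (not Jackrabbit's own code; the helper names are hypothetical), a Java DocumentBuilderFactory configured so that a WebDAV request body cannot pull in external entities or DTDs, tried against a constructed PROPPATCH body of the kind the advisory describes:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedWebDavXml {

    // Hypothetical helper: builds a parser for WebDAV request bodies that cannot
    // resolve external entities or external DTDs, closing the XXE path described above.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WebDAV bodies use the DAV: namespace
        // Reject any DOCTYPE outright: WebDAV bodies never need one (RFC 4918, Section 20.6).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parseRequestBody(byte[] body) throws Exception {
        return newHardenedBuilder().parse(new ByteArrayInputStream(body));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a PROPPATCH body declaring an external entity with a placeholder file URI.
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE propertyupdate [<!ENTITY ext SYSTEM \"file:///tmp/constructed-placeholder.txt\">]>\n"
            + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
            + "<D:displayname>&ext;</D:displayname></D:prop></D:set></D:propertyupdate>";
        // Constructed sample: the same request without any DOCTYPE, as a client should send it.
        String benign = "<?xml version=\"1.0\"?>"
            + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
            + "<D:displayname>notes</D:displayname></D:prop></D:set></D:propertyupdate>";
        try {
            parseRequestBody(hostile.getBytes(StandardCharsets.UTF_8));
            System.out.println("unexpected: hostile body accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage()); // DOCTYPE is disallowed
        }
        Document d = parseRequestBody(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("accepted: " + d.getDocumentElement().getLocalName());
    }
}
```

The body with the DOCTYPE is refused before any entity is resolved, so no network or file access happens; the plain PROPPATCH body still parses normally.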
Changes in this release
Bug fixes
[JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)
See the Jackrabbit issue tracker for more details about these changes:
The issue tracker also documents all the known issues in this release.
Release Contents
This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.
The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
About Apache Jackrabbit
Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR, specified in JSR 170 and 283).
A content repository is a hierarchical content store with support for
structured and unstructured content, full text search, versioning,
transactions, observation, and more.
For more information, visit
About The Apache Software Foundation
Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 100 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 2,500+ contributors.
For more information, visit