Release Notes -- Apache Jackrabbit -- Version 2.2.14
This is Apache Jackrabbit(TM) 2.2, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).
Apache Jackrabbit 2.2.14 is a patch release that contains fixes and
improvements over previous 2.2.x releases. This release is backwards
compatible with all earlier 2.x releases.
Security advisory (JCR-3883 / CVE-2015-1833)
This release fixes an important security issue in the jackrabbit-webdav module
reported by Mikhail Egorov.
When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.
Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository.
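One way to configure a JAXP parser so that a WebDAV request body cannot declare entities or pull in external content, shown as an added example (it is not the Jackrabbit patch, which this page does not show). The class name and both sample bodies are constructed, and the code assumes the JDK's built-in parser, which supports these feature URIs.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedDavBodyParser {

    // Builds a factory that refuses DTDs and never resolves external resources.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WebDAV elements live in the "DAV:" namespace
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes entity declarations altogether.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(String body) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed PROPPATCH body without a DOCTYPE: accepted.
        String ok = "<D:propertyupdate xmlns:D=\"DAV:\" xmlns:Z=\"urn:example\">"
                + "<D:set><D:prop><Z:author>alice</Z:author></D:prop></D:set>"
                + "</D:propertyupdate>";
        // Constructed body that declares an entity in a DOCTYPE: must be rejected.
        String withDoctype = "<!DOCTYPE D:propertyupdate [<!ENTITY e \"x\">]>" + ok.replace("alice", "&e;");

        System.out.println("plain body root: " + parse(ok).getDocumentElement().getLocalName());
        try {
            parse(withDoctype);
            System.out.println("DOCTYPE body accepted (parser is NOT hardened)");
        } catch (SAXException e) {
            System.out.println("DOCTYPE body rejected: " + e.getMessage());
        }
    }
}
```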
Changes in this release
Bug fixes
[JCR-3439] PrincipalManagerImpl.CheckedGroup should implement JackrabbitPrincipal
[JCR-3447] InternalValueFactory should use the DataStore whenever available
[JCR-3483] Result set iterator causes infinite loop when used after session has been closed
[JCR-3486] Potential null pointer exception in session save operation
[JCR-3501] When cancelling an update modcount of modified states must be reset
[JCR-3502] Deleted states are not merged correctly
[JCR-3523] Workspace.copy changes WeakReferences to References
[JCR-3539] NotQuery#advance (and for older versions skipTo) violates Lucene advance contract in case a Filter is used
[JCR-3551] DavEx cannot handle Double.NaN properties
[JCR-3617] Inconsistent CachingHierarchyManager under concurrent access
[JCR-3630] XSS in DirListingExportHandler
[JCR-3635] Manually specified jcr:frozenUuid overwriting the one assigned by the VersionManager when versioning node
[JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)
[JCR-3442] Allow (override) access of the system search manager to RepositoryImpl subclasses
[JCR-3566] add TCK test for NaN and infinity double property values
For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at
Node type unregistration problem in 2.2.[0-10]
Earlier 2.2.x releases (< 2.2.11) mistakenly allowed node types to be
unregistered without any checks on whether those types are still referenced
in content. Before Jackrabbit 2.1 the "checkForReferencesInContent" method
used to always throw a "not yet implemented" exception since we haven't yet
implemented that functionality and didn't want people to accidentally break
the consistency of their content by removing types that are still used.
However, before the 2.1 release this exception was accidentally disabled
and thus in Jackrabbit versions 2.1.x and 2.2.x it has so far been possible
to remove node types with no such consistency constraints.
This issue was fixed in Jackrabbit 2.2.11 by re-enabling the exception in
the checkForReferencesInContent method, which will break all client code
that tries to unregister node types. If you need this functionality and
are aware of the potential problems, you can restore the old behaviour
by setting the disableCheckForReferencesInContentException system property
to "true".
Data consistency issue in 2.2.[0-6]
Earlier 2.2.x releases (< 2.2.7) had a problem where very large positive
or negative long property values (more than 62 bits) could not be correctly
read from the repository. The values are still correctly stored in the
repository, and can be properly read after upgrading to this release,
but any previous computations or other information derived from such
properties should be checked for correctness.
Release Contents
This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.
The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
About Apache Jackrabbit
Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
For more information, visit
About The Apache Software Foundation
Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 100 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 2,500+ contributors.
For more information, visit