I have created a second release candidate that includes fixes for the security issue, ROL-1642 and the 4.0 to 4.0.1 database upgrade issue that Anil found. The new RC is here:
http://people.apache.org/~snoopdave/apache-roller-4.0.1 The full list of fixes made is here http://tinyurl.com/4cjfb2. The build was made from the current 4.0 branch and compiled with Java 1.5.0_16. If you want to help out, please download the build install it and let us know if it looks good. Vote +1 for release or vote -1 and provide a list of specific reasons why the RC should not be released as 4.0.1. If we get any -1 votes, we'll figure out how to address them, create RC3 and call for another vote... and so on until we have a 4.0.1 release. - Dave
