[PR] Bump org.owasp.esapi:esapi from 2.3.0.0 to 2.5.2.0 [sling-org-apache-sling-xss]
dependabot[bot] opened a new pull request, #38: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/38

Bumps [org.owasp.esapi:esapi](https://github.com/ESAPI/esapi-java-legacy) from 2.3.0.0 to 2.5.2.0.

Release notes
Sourced from org.owasp.esapi:esapi's releases (https://github.com/ESAPI/esapi-java-legacy/releases).

2.5.2.0

Release Notes
The release notes for ESAPI release 2.5.2.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.2.0-release-notes.txt

Configuration files located in configuration jar
Note that the attached file "esapi-2.5.2.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.2.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.2.0-configuration.jar" that was signed by ESAPI project co-lead, Kevin W. Wall.

CVEs addressed
CVE-2023-24998 was remediated. See Security Bulletin 11 for details.
CVE-2023-26119 (https://nvd.nist.gov/vuln/detail/CVE-2023-26119) was remediated. It is not yet known if it impacted ESAPI.
The release notes contain a more complete list of what has changed / fixed in ESAPI 2.5.2.0.

2.5.1.0

Update summary
Updates to latest versions of direct dependencies, including:
- An update to AntiSamy: 1.7.0 --> 1.7.2
- An update to SLF4J API: 1.7.36 --> 2.0.4 (Note: 2.0.5 is available and likely would result in "convergence" issues with the version AntiSamy 1.7.2 pulls in)
A new codec (org.owasp.esapi.codecs.JSONCodec) is provided that provides JSON output encoding as per section 7 of RFC 8259. It is made available via Encoder.encodeForJSON(). (Note unlike other encoders, there is no corresponding decoder (i.e., decodeForJSON()) made available. Since that would normally be done by your JavaScript code, it wasn't deemed essential.)
Executing 'mvn site' now creates Javadoc for the ESAPI tag library (GitHub issue #733, https://redirect.github.com/ESAPI/esapi-java-legacy/issues/733).

Details
For full details, please see the release notes for ESAPI release 2.5.1.0 located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.1.0-release-notes.txt
Note the file "esapi-2.5.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.1.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.w...@gmail.com'.

2.5.0.0
Release notes for ESAPI release 2.5.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt
IMPORTANT: This release drops all support for ESAPI Logging using Log4J 1 (except through SLF4J). If your ESAPI.Logger property is set to use Log4J and you do not change it, you will get obscure Exceptions or Errors thrown. (Generally an ExceptionInInitializerError.) Because we've upgraded to AntiSamy 1.7.0, there are also some potentially breaking changes in this release if you have customized your antisamy-esapi.xml file. As begun in the previous release, this release only supports Java 8 or later. If you do nothing else at least read this short "Changes Requiring Special Attention" section (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt#L70) of the 2.5.0.0 release notes. You have been warned! Finally, note that the file "esapi-2.5.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) kevin.w.w...@gmail.com'.

2.4.0.0
Release notes for ESAPI release 2.4.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation
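The 2.5.1.0 notes quoted above introduce Encoder.encodeForJSON(). The following is an added example written for this digest, not code from the ESAPI project or from the Sling PR, showing why a consumer of this bump would want that encoder: an untrusted value spliced into a JSON document by string concatenation lets the caller inject keys, while the same value passed through encodeForJSON() stays inside its string literal. The class name, the "displayName"/"admin" field names and the hostile input are constructed for the example. It assumes ESAPI 2.5.1.0 or later on the classpath together with ESAPI.properties and validation.properties (for instance the files from the configuration jar described above), since ESAPI.encoder() loads its configuration at first use; it also assumes, following the convention of the other ESAPI encoders, that encodeForJSON() returns only the escaped characters and that the surrounding double quotes are supplied by the caller.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * Added example (not ESAPI or Sling project code): building a JSON object
 * from an untrusted string with and without ESAPI's JSON output encoder.
 */
public class JsonEncodeExample {

    /**
     * Wraps untrusted text as a JSON string literal. encodeForJSON() escapes
     * the characters RFC 8259 section 7 does not allow raw inside a string
     * (the quote, the backslash, control characters); the enclosing quotes
     * are added here by the caller (assumption, see lead-in).
     */
    static String jsonStringLiteral(Encoder encoder, String untrusted) {
        return "\"" + encoder.encodeForJSON(untrusted) + "\"";
    }

    /** Unsafe variant, kept only for contrast: the value is spliced in raw. */
    static String unsafeJson(String displayName) {
        return "{\"admin\":false,\"displayName\":\"" + displayName + "\"}";
    }

    /** Hardened variant: the value can only ever be the content of one string. */
    static String safeJson(Encoder encoder, String displayName) {
        return "{\"admin\":false,\"displayName\":" + jsonStringLiteral(encoder, displayName) + "}";
    }

    public static void main(String[] args) {
        // Constructed hostile input: closes the string literal, appends an
        // "admin":true member, then reopens a string so the document stays
        // syntactically valid. Parsers that keep the last duplicate key
        // (JavaScript's JSON.parse, Jackson by default) see admin == true.
        String hostile = "alice\",\"admin\":true,\"x\":\"";

        Encoder encoder = ESAPI.encoder();
        System.out.println("unsafe: " + unsafeJson(hostile));
        System.out.println("safe:   " + safeJson(encoder, hostile));
    }
}
```

In the unsafe output the hostile value terminates "displayName" early and the injected "admin":true follows the legitimate "admin":false, so a last-key-wins parser elevates the record; in the hardened output the quotes inside the value are escaped and the whole payload remains the displayName string. Before copying ESAPI.properties out of the configuration jar mentioned in the release notes, verify the detached signature against the release manager's key (gpg --verify esapi-2.5.2.0-configuration.jar.asc esapi-2.5.2.0-configuration.jar) rather than trusting the download by name.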
Re: [PR] Bump esapi from 2.1.0.1 to 2.3.0.0 [sling-org-apache-sling-scripting-jsp-taglib-compat]
dependabot[bot] closed pull request #1: Bump esapi from 2.1.0.1 to 2.3.0.0 URL: https://github.com/apache/sling-org-apache-sling-scripting-jsp-taglib-compat/pull/1 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[PR] Bump org.owasp.esapi:esapi from 2.1.0.1 to 2.5.2.0 [sling-org-apache-sling-scripting-jsp-taglib-compat]
dependabot[bot] opened a new pull request, #2: URL: https://github.com/apache/sling-org-apache-sling-scripting-jsp-taglib-compat/pull/2 Bumps [org.owasp.esapi:esapi](https://github.com/ESAPI/esapi-java-legacy) from 2.1.0.1 to 2.5.2.0. Release notes Sourced from org.owasp.esapi:esapi's releases (https://github.com/ESAPI/esapi-java-legacy/releases); the quoted release notes for 2.5.2.0, 2.5.1.0, 2.5.0.0 and 2.4.0.0 are the same text as in the sling-org-apache-sling-xss PR #38 above.
Re: [PR] Bump esapi from 2.1.0.1 to 2.3.0.0 [sling-org-apache-sling-scripting-jsp-taglib-compat]
dependabot[bot] commented on PR #1: URL: https://github.com/apache/sling-org-apache-sling-scripting-jsp-taglib-compat/pull/1#issuecomment-1783554050 Superseded by #2.
[PR] trivial - using the ubuntu node for compatibility with node 18 [sling-org-apache-sling-app-cms]
klcodanr opened a new pull request, #47: URL: https://github.com/apache/sling-org-apache-sling-app-cms/pull/47 (no comment)
[jira] [Commented] (SLING-12120) Align Feature Structure with Starter
[ https://issues.apache.org/jira/browse/SLING-12120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17780354#comment-17780354 ]

Robert Munteanu commented on SLING-12120:
-----------------------------------------

[~dklco] - yes, syncing manually is what I usually do. I like the idea of automatically sync'ing (via tooling) certain 'base' features. I have the same idea for my demo app - https://github.com/rombert/pospai/tree/master/launcher/src/main/features/platform . I keep the Starter features under 'platform' and try to keep them manually in sync.

Where that breaks down a bit is 'merge conflicts', for instance:
- downstream app removes config https://github.com/rombert/pospai/blob/b0159452474f237208a5196be83624c3bf2ac475/launcher/src/main/features/platform/scripting.json#L98-L102 that comes from the starter, it's not needed
- starter adds another extension to the list
- reconciling can't be done manually

But maybe that's thinking too far ahead and if we manage to get the features right consumers can simply copy over and sync the starter features and delete the ones they don't need.

> Align Feature Structure with Starter
> ------------------------------------
>
>                 Key: SLING-12120
>                 URL: https://issues.apache..org/jira/browse/SLING-12120
>             Project: Sling
>          Issue Type: Improvement
>          Components: App CMS
>    Affects Versions: App CMS 1.1.6
>            Reporter: Dan Klco
>            Assignee: Dan Klco
>            Priority: Major
>             Fix For: App CMS 1.1.8
>
>
> There's a significant delta between the configuration of the CMS app and the
> Sling Starter. Now that the Sling Starter is receiving regular updates, it'd
> be beneficial to align the feature structure in the CMS App with the starter
> to enable easy syncing of updates.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
Re: [PR] chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.4.1 [sling-site]
rombert merged PR #132: URL: https://github.com/apache/sling-site/pull/132
Re: [PR] chore(deps): update dependency org.jbake:jbake-maven-plugin to v2.7.0-rc.7 [sling-site]
rombert merged PR #131: URL: https://github.com/apache/sling-site/pull/131
Re: [PR] chore(deps): update dependency com.github.eirslett:frontend-maven-plugin to v1.14.2 [sling-site]
rombert merged PR #141: URL: https://github.com/apache/sling-site/pull/141
Re: [PR] chore(deps): update dependency org.apache.maven.plugins:maven-clean-plugin to v3.3.2 [sling-site]
rombert merged PR #142: URL: https://github.com/apache/sling-site/pull/142
Re: [VOTE] Release Apache Sling XSS Protection API 2.3.10
On Thu, 2023-10-26 at 16:43 +, Robert Munteanu wrote:
> Please vote to approve this release:

+1

Robert
Re: Please welcome Henry Kuijpers as new Sling committer
On Fri, 2023-10-20 at 09:46 +, Stefan Seifert wrote:
> Welcome!

Welcome!

Robert
Re: Please welcome Roy Teeuwen as new Sling committer
On Fri, 2023-10-20 at 09:46 +, Stefan Seifert wrote:
> Please join me in welcoming Roy!

Welcome!

Robert
[Jenkins] Sling » Modules » sling-org-apache-sling-starter » master #1100 is FIXED
Please see https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-starter/job/master/1100/ for details. No further emails will be sent until the status of the build is changed.