[jcifs] Davenport 0.9.10

Eric Glass eric.glass at gmail.com
Mon Aug 23 02:25:33 GMT 2004


Davenport 0.9.10 has been released; changes are listed below.


Version 0.9.10: August 23, 2004

SUMMARY OF CHANGES:

Introduced support for WebDAV locking (WebDAV compliance class 2).
Fixed XML vulnerabilities.
Overhauled the distribution layout.


CHANGE:

Introduced support for WebDAV locking (WebDAV compliance class 2).

DETAILS:

This version introduces support for WebDAV locks. Two implementations
are supplied, providing both SMB locks (where the WebDAV lock is
backed by a physical lock on the SMB resource) and application-server
locks (maintained only by the Davenport application).


CHANGE:

Fixed XML vulnerabilities.

DETAILS:

Previous versions of Davenport were susceptible to XML-based denial of
service attacks. This includes entity expansion attacks (whereby the
client sends a document containing entities crafted to adversely
affect the server upon expansion) and parsing-based attacks (where the
client causes the server to parse an extremely large XML document,
consuming excessive resources).


RESOLUTION:

Davenport no longer expands entity references, and blocks attempts to
resolve external entities. Additionally, the allowable size of the XML
document sent by the client is limited (configurable via the
"maximumXmlRequest" parameter).


CHANGE:

Overhauled the distribution layout.

DETAILS:

The layout of the source and distribution tree has been changed. 
Davenport is now distributed in binary form as a preconfigured Jetty
servlet container installation; this is available as a .zip or .tgz
archive, as well as a Linux RPM. The documentation has been revisited
as well.
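
Added example (not part of the original announcement and not Davenport's own code): the three measures named under RESOLUTION for the XML fix, written against the standard JAXP DOM API. The class and method names are hypothetical, and maxBytes stands in for the "maximumXmlRequest" setting.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper, not Davenport source: size cap, no entity expansion, no external entities.
public class BoundedXmlRequest {
    // Size cap: stop reading once the body would exceed maxBytes (stand-in for maximumXmlRequest).
    static byte[] readLimited(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) {
            if (out.size() + n > maxBytes) throw new IOException("XML request larger than " + maxBytes + " bytes");
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    static Document parse(InputStream body, int maxBytes) throws Exception {
        byte[] xml = readLimited(body, maxBytes);   // enforce the cap before the parser sees anything
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setExpandEntityReferences(false);   // keep entity references as nodes, do not inline them
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Refuse every external entity instead of fetching its system identifier.
        builder.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity refused: " + systemId);
        });
        return builder.parse(new ByteArrayInputStream(xml));
    }

    // Runs one request body through parse() and reports whether it was accepted.
    static String outcome(String body, int maxBytes) {
        try {
            parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)), maxBytes);
            return "parsed";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        // Constructed sample bodies; the entity URL is a placeholder and is never fetched.
        String plain = "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
        String external = "<!DOCTYPE p [<!ENTITY e SYSTEM \"http://example.invalid/x\">]><p>&e;</p>";
        System.out.println("plain, 4096-byte cap:    " + outcome(plain, 4096));
        System.out.println("external, 4096-byte cap: " + outcome(external, 4096));
        System.out.println("plain, 16-byte cap:      " + outcome(plain, 16));
    }
}
```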

