Issues

Each entry gives the issue title, then in parentheses the Jira key, the status where the export recorded it as resolved, and the assignee where one was recorded.

- remove support for loginStorage="cookie" and sessionStorage="cookie" (LDEV-5403; Pothys - MitrahSoft)
- restore missing security options subset for single mode (LDEV-5379; Zac Spitzer)
- allow auto session rotate on unknown session cookie (disabled; LDEV-5304)
- harden javasettings maven support (LDEV-5270)
- mavenLoad/createobject/etc doesn't respect lucee.enable.bundle.download=false (LDEV-5229; resolved)
- add lucee.enable.maven.download=false to disable maven downloads (LDEV-5228; resolved)
- Password.txt is NOT used (LDEV-5223; resolved; Pothys - MitrahSoft)
- enable lucee.security.limitEvaluation by default for Lucee 7 (LDEV-5177; resolved; Zac Spitzer)
- add a method to return a pom.xml for a list of bundles using the maven matcher for OSV scanner (LDEV-4981)
- update software.amazon.ion.java from 1.0.2 due to CVE-2024-21634 (LDEV-4980; resolved; Michael Offner)
- use stricter application options for admin (search results, implicit scopes, limit evaluation) (LDEV-4854; resolved; Pothys - MitrahSoft)
- java udfs should be disabled when direct_java_access is disabled (LDEV-4853; Michael Offner)
- add securityManager settings to getApplicationSettings() (LDEV-4852)
- reduce overhead of checkFileLocation (LDEV-4851; resolved)
- update commons-compress to 1.26.1, commons-io to 2.16.1 (LDEV-4839; resolved; Pothys - MitrahSoft)
- update to jsch 0.2.17 for CVE-2023-48795 (Terrapin SSH attack) (LDEV-4773; resolved; Pothys - MitrahSoft)
- filter out S3 secrets (LDEV-4718; resolved; Pothys - MitrahSoft)
- update commons-compress to 1.24.0 due to tar-related CVE-2023-42503 (LDEV-4699; resolved; Pothys - MitrahSoft)
- Secure XML by default (LDEV-4654)
- org.lucee.ehcache-2.10.9.2.jar has CVEs from jetty bundles / docker images (LDEV-4629; resolved; Justin Carter)
- unbundle hibernate from standard distribution 5.4.1 (LDEV-4609; resolved; Zac Spitzer)
- update guava in ESAPI extension to 32.01 due to CVE (LDEV-4565)
- update docker images for 6.0 release (debian, java, nginx) (LDEV-4536; resolved; Michael Offner)
- update commons-collections 3.2.1 to 4.4.0 in hibernate 5.4 extension (LDEV-4519; resolved)
- update hibernate extension dom4j lib due to CVEs (LDEV-4478; resolved; Michael Offner)
- remove xmpcore from lucee core (LDEV-4477; resolved; Zac Spitzer)
- update mysql to 8.0.33 (LDEV-4471; resolved; Zac Spitzer)
- update postgres jdbc to 42.6.0 (LDEV-4470; resolved; Zac Spitzer)
- don't deploy admin when not enabled (LDEV-4441; resolved; Pothys - MitrahSoft)
- update zip extension for CVE-2023-22899 (LDEV-4376; resolved; Zac Spitzer)
- add google OSV scanner workflow (LDEV-4326; resolved; Pothys - MitrahSoft)
- update exasol extension to 7.1.16 due to CVE (LDEV-4296)
- update apache tika to 1.28.4 (LDEV-4284; resolved; Michael Offner)
- update commons-codec to 1.15.0 for s3 ext v0.94 (LDEV-4283; resolved)
- update httpclient to 4.5.13 due to CVE (LDEV-4281; resolved; Michael Offner)
- update metadata-extractor in image extension to 2.18.0 due to CVE (LDEV-4280; resolved; Michael Offner)
- Many vulnerable libs in Lucee preventing use in Government shops (LDEV-4279; Pothys - MitrahSoft)
- update ORM ehcache lib to 2.10.9.2 due to CVE (LDEV-4073; resolved; Zac Spitzer)
- move WEB-INF out of webroot by default for new installs (LDEV-4042)
- update zip4j to 2.10.0 (LDEV-3983; resolved)
- update Jackson Databind in extensions (LDEV-3982)
- add function sanitizeHTML to esapi extension (LDEV-3953; resolved; Michael Offner)
- admin crashes when file access set to local, trying to access userdata (LDEV-3906; resolved; Pothys - MitrahSoft)
- update commons-io to 2.11 (LDEV-3870; resolved)
- update commons-compress to 1.23 (LDEV-3869; resolved)
- update Apache Commons Codec to 1.15 (LDEV-3819; resolved; Michael Offner)
- CFGlobal variables are created in an insecure cookie (LDEV-3724; resolved)
- XSS on error pages (LDEV-3708; Pothys - MitrahSoft)
- change HtmlEditFormat and HtmlCodeFormat to default to ESAPI encoders (Lucee 6) (LDEV-3694)
- Disable XML entities by default against XXE in Lucee 6.0 & 5.4 (LDEV-3451; resolved; Pothys - MitrahSoft)
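Two of the entries above (Secure XML by default, and Disable XML entities by default against XXE) describe a change to how Lucee's XML parser treats external entities. The following CFML is an added check, written for this page and not taken from the Lucee issue tracker or the Lucee code base: it feeds xmlParse() a constructed document that declares an external entity and reports whether the entity body was expanded, so an operator can confirm on their own instance which behaviour is in effect. The probe file path and the element names are assumptions chosen for illustration.

```cfml
<cfscript>
// Added check, not part of the Lucee issue tracker or the Lucee project.
// Constructed XML: an external entity pointing at a local file. The file path is
// an assumption; pick a small file that exists on the host you are testing, because
// a missing file makes a permissive parser throw and the probe becomes inconclusive.
probeXml = '<?xml version="1.0"?>'
    & '<!DOCTYPE probe [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    & '<probe>&ext;</probe>';

// Returns "resolved" when the entity body shows up in the parsed text,
// "blocked" when the parser accepted the document but left the entity empty,
// and "error: ..." when the parser rejected the document (a parser that refuses
// DOCTYPE declarations outright lands here, which is also a safe outcome).
string function xxeStatus(required string xml) {
    try {
        var doc = xmlParse(arguments.xml);
        var text = trim(doc.xmlRoot.xmlText);
        return len(text) > 0 ? "resolved" : "blocked";
    } catch (any e) {
        return "error: " & e.message;
    }
}

status = xxeStatus(probeXml);
if (status == "resolved") {
    writeOutput("XXE: external entities are expanded; review the XML security setting on this instance");
} else {
    writeOutput("No expansion (" & status & ")");
}
</cfscript>
```

Run it once before and once after changing the XML security setting so the two results can be compared; a "resolved" result on an instance that is supposed to have entities disabled means the default did not take effect there.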