eXist-db 6.0.0

eXist-db 6.0.0 Release Notes

Apart from two changes, version 6.0.0 is identical to version 5.4.0. The two changes are:

  1. It includes an update from Log4j2 version 2.15.0 to version 2.17.1. This Log4j2 update incorporates fixes for security issues CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. To fix the security issues, Log4j2 removed some log format customisation functionality. eXist-db does not rely on this customisation support in its default configuration; however, if you are using such functionality, you will need to stick with eXist-db 5.4.0 or update your Log4j2 configuration. For more details see: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832.
  2. It includes an update to the Apache XML-RPC libraries used by eXist-db #3934. This fixes known security issues with Apache XML-RPC (CVE-2019-17570 and CVE-2016-5002). Unfortunately, this update mandates changing how eXist-db sends the permissions of Documents and Collections over XML-RPC; as such, the XML-RPC API in eXist-db 6.0.0 is not considered backwards compatible. If you make use of the XML-RPC API, you may need to use eXist-db 5.4.0 until you can update your applications. Oxygen XML Editor is known to use the XML-RPC API, as is the gulp-exist tool.

Where possible, we recommend that all users choose to deploy eXist-db 6.0.0 over eXist-db 5.4.0.

eXist-db 5.4.0

eXist-db 5.4.0 Release Notes

Version 5.4.0 includes critical fixes for defects found in version 5.3.1. It is recommended that all users of eXist-db 5.x.x upgrade to version 5.4.0 or newer.

NOTE: We would like to remind users that eXist-db version 5.4.0 includes a version of Log4j2 that is known to have security issues (CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228), and we recommend that all users upgrade to eXist-db 6.0.0 or newer.

Features and Improvements

  • The macOS DMG file release is now notarized with Apple #4169 #4200
  • Implemented eXist-db specific serialization options for use with the XQuery function fn:serialize; includes: exist:add-exist-id, exist:expand-xincludes, exist:highlight-matches, exist:jsonp, exist:json-ignore-whitespace-text-nodes, and exist:process-xsl-pi #3990
  • Implemented XQuery 3.1 function map:merge#2 for use-first, use-last, and use-any
  • Added additional options to the XQuery function file:sync; includes: after, exclude, and prune #4081
  • Added two additional parameter types for use when specifying a custom analyzer: java.lang.String[] and char[] #4082
  • Introduced a new and simpler Store Document API #4157
  • Simplified storage of predicates for XPath steps #3975
  • Optimised retrieving the first child of an in-memory document #4013
  • Improved RenderX compatibility with the xslfo:render function #4171
  • Updated the eXist-db Docker Image to use the latest OpenJDK 8 version #4178
  • Switched from Java to Jakarta JAXB
  • XQuery Mail Module now uses latest Jakarta Mail #3994
  • Improved instructions for recovering the database in RECOVERY.md #4060
  • Improved Backup/Restore CLI options descriptions #4070
  • Added support for JUnit 5 #3322
  • Improved how XSuite starts and stops the database #3985
  • Updated the HomeBrew release instructions #4141

Bug Fixes

  • Fix NPE in Function Calls that were deferred due to being forward references #4204
  • Ensured that XQuery variables are analyzed before evaluated when called from a module #4120
  • Fixed an issue whereby it was previously possible to run out of Journal files #4193
  • Fix issues with XQuery Map Immutability #4000
  • Fixed construction of in-memory DOM attributes #4013
  • Fixed an issue so that all nodes of an in-memory DOM document can be retrieved (instead of just the document element) #4013
  • Fixed a Writer handle leak in the REST Server #4034
  • Fixed a File Handle leak in the Lucene Index #4065
  • Fixed a File Handle leak in the EXPath Package Auto Deployment Startup Trigger #4071
  • Fixed an issue with following/preceding axes after predicate on an abbreviated step #4108
  • Fixed a number of SMTP bugs in the XQuery Mail module #4159
  • Fixed several issues around XML Reader pooling and reuse #4021 #4052
  • Fixed issues with XSuite test descriptions #3985
  • Several fixes to Unary Lookups #3966
  • Allow Empty Enclosed Expressions in XQuery #4089
  • Corrected the XQuery function util:expand so that it correctly handles Documents and Attributes #4172
  • Corrected the XQuery function fn:generate-id to provide unique IDs for unique Nodes #4167
  • DejaVu Fonts were updated in the Docker Image #4028
  • Fixed an impossible type conversion in NativeValueIndex that generated noisy log messages #4175

Updated Dependencies

  • Apache Ant updated from 1.10.10 to 1.10.12
  • Apache Commons Compress updated from 1.20 to 1.21
  • Apache Commons IO updated from 2.10.0 to 2.11.0
  • Apache HTTP Components updated from 4.4.14 to 4.4.15
  • Apache Tika updated from 1.26 to 2.2.1
  • Apache XML Graphics updated from 2.6 to 2.7
  • Bouncy Castle updated from 1.69 to 1.70
  • Caffeine updated from 2.9.1 to 2.9.3
  • Eclipse AspectJ updated from 1.9.4 to 1.9.8-M1
  • Eclipse Jetty updated from 9.4.42.v20210604 to 9.4.44.v20210927
  • FasterXML Jackson updated from 2.12.3 to 2.13.1
  • FastUtil updated from 8.5.4 to 8.5.6
  • Jakarta Activation updated from 2.0.0 to 2.0.1
  • Jakarta Mail updated from Java Mail 1.6.5 to Jakarta Mail 2.0.1
  • Jansi updated from 2.3.3 to 2.4.0
  • Java JAXB Runtime updated from 3.0.1 to 3.0.2
  • jline updated from 3.20.0 to 3.21.0
  • JUnit 5 5.8.2 added
  • RSyntaxTextArea updated from 3.1.3 to 3.1.6
  • Saxon-HE updated from 9.9.1-7 to 9.9.1-8
  • SLF4j updated from 1.7.30 to 1.7.33
  • XMLUnit updated from 2.8.2 to 2.8.4

eXist-db 4.10.0

eXist-db 4.10.0 Release Notes

Version 4.10.0 is identical to version 4.9.0, except that it includes an update from Log4j2 version 2.15.0 to version 2.17.1. This Log4j2 update incorporates fixes for security issues CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. To fix the security issues, Log4j2 removed some log format customisation functionality. eXist-db does not rely on this customisation support in its default configuration; however, if you are using such functionality, you will need to stick with eXist-db 4.9.0 or update your Log4j2 configuration. For more details see: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832.

Where possible, we recommend that all users choose to deploy eXist-db 4.10.0 over eXist-db 4.9.0.
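Before moving to 6.0.0 or 4.10.0, a deployment with a customised Log4j2 configuration can be audited for the removed functionality mentioned in both release notes. The following is an added example, not part of eXist-db or these release notes: it flags log4j-core jars older than 2.17.1 and configuration attributes that use message lookups or JNDI lookups. Those two patterns are assumptions taken from the Apache Log4j security notes, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 17, 1)  # Log4j2 version named in the 6.0.0 and 4.10.0 notes

# Constructed sample configuration, not eXist-db's shipped log4j2.xml.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT">
      <PatternLayout pattern="%d [%t] %-5p %m{lookups}%n"/>
    </Console>
    <RollingFile name="app" fileName="${jndi:java:comp/env/logdir}/app.log">
      <PatternLayout pattern="%d %-5p (%F:%L) - %m %n"/>
    </RollingFile>
  </Appenders>
</Configuration>"""

# Assumed from the Apache Log4j security notes: features removed or disabled
# by default between Log4j2 2.15.0 and 2.17.1.
CHECKS = [
    (re.compile(r"%(?:m|msg|message)(?:\{[^}]*\})*\{lookups\}"),
     "message lookups in pattern (removed in 2.16.0)"),
    (re.compile(r"\$\{jndi:", re.IGNORECASE),
     "JNDI lookup (disabled by default since 2.16.0)"),
]


def parse_version(jar_name):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = re.fullmatch(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", jar_name)
    return tuple(map(int, m.groups())) if m else None


def jar_is_outdated(jar_name):
    """True only for a log4j-core jar whose version is below 2.17.1."""
    version = parse_version(jar_name)
    return version is not None and version < FIXED


def audit_config(xml_text):
    """Return (element, attribute, finding) for each use of a removed feature."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            for rx, label in CHECKS:
                if rx.search(value):
                    findings.append((elem.tag, attr, label))
    return findings
```

Run `jar_is_outdated` over the file names in the installation's library directory and `audit_config` over the text of the Log4j2 configuration file in use; an empty findings list means neither of the two checked features is referenced.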

eXist-db 4.9.0

eXist-db 4.9.0 Release Notes

Version 4.9.0 includes critical fixes for defects found in version 4.8.0. It is recommended that all users of eXist-db 4.x.x upgrade to version 4.9.0 or newer.

NOTE: We would like to remind users that eXist-db version 4.9.0 includes a version of Log4j2 that is known to have security issues (CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228), and we recommend that all users upgrade to eXist-db 4.10.0 or newer.

Bug Fixes

  • Fixed an issue whereby Renaming or Moving a Collection could corrupt the Collection Hierarchy. Regression since eXist-db 4.7.0 #4201
  • Fixed an issue whereby it was previously possible to run out of Journal files #4194
  • Fixed an issue with Collection structures being overwritten during startup #4188
  • Made the startup more resilient when there are problems with removed Accounts and Groups #4192
  • Repaired the Ant Build
  • Repaired the JUnit Test Suite - all tests passing
  • Fixed the CI (Continuous Integration) - Switched from Travis CI to GitHub Actions

Updated Dependencies

  • Apache Ant updated from 1.10.2 to 1.10.12
  • Apache Commons Codec updated from 1.11 to 1.15
  • Apache Commons Compress updated from 1.17 to 1.21
  • Apache Commons Configuration2 updated from 2.2 to 2.7
  • Apache Commons File Upload updated from 1.3.3 to 1.4
  • Apache Commons HTTP Client updated from 4.5.5 to 4.5.13
  • Apache Commons HTTP Components updated from 4.4.9 to 4.4.15
  • Apache Commons IO updated from 2.6 to 2.11
  • Apache Commons Lang3 updated from 3.7 to 3.12.0
  • Apache Commons Net updated from 3.6 to 3.8.0
  • Apache FOP updated from 2.3 to 2.6
  • Apache Ivy updated from 2.4.0 to 2.5.0
  • Apache PDFBox FontBox updated from 2.0.13 to 2.0.22
  • Bouncy Castle updated from 1.60 to 1.70
  • Caffeine updated from 2.6.2 to 2.9.3
  • EasyMock updated from 3.6 to 4.3
  • Evolved Binary Java8 Functional Utilities updated from 1.21 to 1.23.0
  • FasterXML UUID Generator updated from 3.1.5 to 3.3.0
  • Hamcrest updated from 1.3 to 2.2
  • Jansi updated from 1.17.1 to 1.18
  • Java JAXB API updated from 2.3.0 to 2.3.1
  • JMock updated from 2.4.0 to 2.12.0
  • JUnit updated from 4.12 to 4.13.2
  • LZ4 for Java updated from 1.5.0 to 1.8.0
  • org.json updated from 20140107 to 20211205
  • Quartz Scheduler updated from 2.30 to 2.3.2
  • Scribe updated from 1.3.5 to 1.3.7
  • SLF4j updated from 1.7.25 to 1.7.32
  • Smack XMPP updated from 3.1.0 to 3.2.1
  • Spy Memcached updated from 2.5 to 2.12.3

eXist-db 4.8.0

eXist-db 4.8.0 Release Notes

This is mainly a security hot-fix for eXist-db 4.7.1 and addresses and closes CVE-2021-44228 by updating log4j to version 2.15.0. Other small enhancements and bug fixes include:

Enhancements

  • Include stack detail in XPathExceptions from fn:doc and fn:collection

Bug Fixes

  • Improve security when opening a Collection by checking that the calling user has Permission.EXECUTE all the way from the root of the Collection hierarchy
  • Fix a memory-leak that can occur during shutdown
  • Fix a concurrent modification issue during shutdown
  • Made JMX Agent Factory Thread Safe
  • Small fixes to YAJSW service scripts
  • Avoid a NPE when reporting an error
  • Fix build scripts for DMG to work on latest macOS
  • Fix dist-war build to use HTTPS instead of HTTP for downloads