This page last changed on Jun 30, 2009 by cwilper.

June 29th, 2009

Introduction

This is a minor release that addresses a security issue discovered in Fedora 3.2.  If you are running Fedora 3.2, please see Upgrading from 3.x. If you are running Fedora 2.x, see Upgrading from 2.x.

Bug Fix

  • FCREPO-510: With AuthZ off, REST API allows execution of unauthenticated requests
    Fedora's authentication filters are intended to prevent the unauthenticated execution of certain API requests, even when XACML policy enforcement (AuthZ) is turned off. In Fedora 3.1 and 3.2, this protection was not properly applied to requests made through the REST API. This did not present a security problem with Fedora's default policy enforcement in place, but if XACML has been DISABLED, this bug could allow malicious users to add, change, or remove content from a repository via Fedora's REST API.

Known Issues

Please see this link for an up-to-date list of outstanding bugs.

Previous Release Notes

All release notes for Fedora 3.x and 2.x can be found here.


Copyright © 2009 DuraSpace
Copyright © 2008-2009 Fedora Commons, Inc.
Copyright © 2002-2007 The Rector and Visitors of the University of Virginia and Cornell University
