Upgrade 12.2.0 to 12.2.1 or 12.3.0
The upgrade from Hippo CMS 12.2.0 (or earlier) to 12.2.1 and later requires special attention because for 12.2.1 and 12.3.0 many 3rd party dependencies needed to be updated, and some even removed, for security reasons.
In general these dependency updates will apply automatically and be effective for Hippo CMS implementations, and in most cases, if not all, be backwards compatible. However, Hippo CMS implementations which directly use these 3rd party libraries may require some adjustments, or at least need to be verified against these changes.
All the relevant 3rd party dependency changes for Hippo CMS 12.2.1 and 12.3.0 are listed below in three separate sections:
- Global, inherited and/or shared dependency changes applicable to a Hippo CMS implementation project as a whole.
- Dependency changes applicable only to the CMS or Repository web application, or to modules (plugins, addons, etc.) to be packaged with it.
- Dependency changes applicable only for the SITE web application, or to modules (plugins, addons, etc.) for the SITE web application.
For some of these 3rd party dependency changes specific notes are provided when they may require extra attention, adjustment or at least verification of their potential impact on the Hippo CMS implementation.
Finally, there is one additional change for a security fix in the Hippo CMS product itself which is described below first.
Changed behavior: XML Escaping by default in HST MessagesReplace Tag library
An XSS vulnerability in the HST MessagesReplace Tag library, see SECURITY-66, required adding XML escaping of replacement values by default.
For normal usages of the MessagesReplace tag this will have no impact.
The exception is a very uncommon usage in which the output of the tag itself is buffered first and later escaped separately (or wrapped in a <c:out/> tag). In that special case the output may now be escaped twice, but only if the replacement values contained characters that needed escaping.
For those cases the default XML escaping can be disabled with the optional boolean attribute escapeMessageXml, as in the following Freemarker fragment:
<@hst.messagesReplace escapeMessageXml=false> ... </@hst.messagesReplace>
or JSP fragment:
<hst:messagesReplace escapeMessageXml="false"> ... </hst:messagesReplace>
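The escape-once versus escape-twice behaviour described above, as an added stand-alone example that is not HST code: the ${key} placeholder syntax, the replacement map and the escapeXml helper are assumptions made to model the tag's escapeMessageXml attribute.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not HST code: models the messagesReplace escaping behaviour. */
public final class MessagesReplaceDemo {

    /** Minimal XML escaping of the five predefined entities (assumed helper). */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Fill ${key} placeholders; escapeMessageXml mirrors the tag attribute. */
    static String messagesReplace(String message, Map<String, String> values, boolean escapeMessageXml) {
        String out = message;
        for (Map.Entry<String, String> e : values.entrySet()) {
            // Escape each replacement value before it is inserted (default since 12.2.1).
            String v = escapeMessageXml ? escapeXml(e.getValue()) : e.getValue();
            out = out.replace("${" + e.getKey() + "}", v);
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> values = new LinkedHashMap<>();
        values.put("name", "<b>Tom & Jerry</b>"); // constructed untrusted replacement value
        String msg = "Hello ${name}";
        // Normal usage: the value is escaped exactly once and can be emitted directly.
        System.out.println(messagesReplace(msg, values, true));
        // Uncommon usage: output is buffered and escaped again by an outer <c:out/>,
        // so keeping the default escapes twice (&amp;lt; instead of &lt;).
        System.out.println(escapeXml(messagesReplace(msg, values, true)));
        // Fix for that usage: escapeMessageXml=false leaves exactly one escaping pass.
        System.out.println(escapeXml(messagesReplace(msg, values, false)));
    }
}
```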
Global, inherited and/or shared dependency changes
Removed Maven version properties and dependency management definitions
The hippo-cms7-project parent pom (typically the grandparent of a Hippo CMS implementation root pom.xml) no longer defines the following version properties:
<tika-core.version>1.3</tika-core.version>
<tika-parsers.version>1.3</tika-parsers.version>
<xerces.version>2.9.1</xerces.version>
The Tika dependencies (and the parser-specific exclusions) are now managed through the new hippo-repository-tika module and no longer through the hippo-cms7-project pom.xml. Implementations directly depending on Apache Tika will need to add a dependency on hippo-repository-tika.
Apache Xerces is no longer used at all by the Hippo CMS product, and both its version property and its dependency management have been removed!
Significant Maven version property changes
The following Maven version properties in the hippo-cms7-project root pom.xml are significantly changed:
<cxf.version>3.1.15</cxf.version> # updated from 3.1.14
<jackson2.version>2.8.11</jackson2.version> # updated from 2.8.8
<jackson2-databind.version>2.8.11.1</jackson2-databind.version> # new
<spring.version>4.3.15.RELEASE</spring.version> # updated from 4.2.6.RELEASE
<groovy.version>2.4.15</groovy.version> # updated from 2.4.7
Xerces and NekoHTML dependencies no longer used nor provided
Because of a potential vulnerability in Apache Xerces, see SECURITY-52, although not applicable to the Hippo CMS product, all usages and dependency management for Apache Xerces have been removed. This also includes replacing NekoHTML (net.sourceforge.nekohtml:nekohtml) with HTML Cleaner (net.sourceforge.htmlcleaner:htmlcleaner) for the Hippo HTMLDiff (org.hippoecm:htmldiff) library. The latter has been upgraded from version 1.01.04 to 2.0.0.
If your project has a direct usage of the Xerces library, that dependency now has to be added explicitly to the project for this upgrade.
FasterXML Jackson2 version updated from 2.8.8 to 2.8.11
Because of potential deserialization vulnerabilities in FasterXML Jackson2, see SECURITY-49, although not applicable to the Hippo CMS product, these libraries have been updated to 2.8.11 (and 2.8.11.1 for jackson-databind).
This also causes a required update of Apache CXF as well as Spring Framework, both using and depending on Jackson2.
Besides some internal adjustments, the update to Jackson2 2.8.11 should work fine out-of-the-box. However, do check the Jackson Release 2.8 notes.
Apache CXF version updated from 3.1.14 to 3.1.15
Because of the necessary update of Jackson2, Apache CXF also has been updated from 3.1.14 to 3.1.15. This upgrade has no known impact.
Spring Framework version updated from 4.2.6 to 4.3.15
Because of several potential security vulnerabilities, see SECURITY-47, Spring Framework has been updated from 4.2.6 to 4.3.15.
While this update didn't require any internal changes or adjustments for the Hippo CMS product and should work fine out-of-the-box, please also check the Upgrading to Spring Framework 4.x documentation.
Apache HttpComponents Client version updated to 4.5.5
Some Hippo CMS modules had a direct or transitive dependency on Apache HttpComponents Client libraries <= 4.3.x. These are all updated to use version 4.5.5, as well as Apache HttpComponents Core version 4.4.9, for SECURITY-54. These library updates should be backwards compatible for most usages. In addition, the remaining dependencies on the legacy HttpClient version 3.x have all been removed. Any custom usage of the legacy Commons HTTP Client library is likely to require code updates to use the supported version of HttpComponents or an alternative library.
Apache Commons BeanUtils version updated from 1.8.0 to 1.9.13
Some Hippo CMS modules still had a transitive dependency on Commons BeanUtils 1.8.0. These are all updated to use version 1.9.13 for SECURITY-34. There is no known impact.
JSoup version updated from 1.7.1 to 1.11.2
The JSoup library update, needed for SECURITY-50, affects the Essentials BlogImporter in the CMS web application and the Enterprise hippo-addon-eforms in the Hippo SITE web application, and has no known impact.
Dependency changes for the Hippo CMS or Repository web application
Apache Jackrabbit version updated from 2.14.0 to 2.16.1
The Apache Jackrabbit update was required because of necessary vulnerability fixes for Apache Tika, PDFBox and POI, but is itself fully backwards compatible. In addition there was a CSRF vulnerability in the Jackrabbit webdav module, see SECURITY-36. Although that module is neither used nor formally supported for Hippo CMS, it is now also fixed in case of downstream (only) usages.
The only important impact to note concerns the Jackrabbit RMI implementation: Java RMI client applications built for Jackrabbit 2.16 and Hippo CMS 12.2.1 and 12.3.0 can no longer be used to connect to a Hippo CMS server built with earlier versions. Java RMI client applications built for earlier versions, however, can still be used to connect to Jackrabbit 2.16 and Hippo CMS 12.2.1 and later.
New hippo-repository-tika module
A new module has been added to the hippo-repository project, hippo-repository-tika, which now manages the versions and usage of Apache Tika and the related Tika parsers, including the Apache POI and Apache PDFBox dependencies.
A Hippo CMS implementation which makes direct use of Apache Tika, POI and/or PDFBox, or any other Tika parser, in the context of the CMS or Repository web application, will now need to add a dependency on hippo-repository-tika to ensure the correct dependency versions are included. When creating new Tika instances, use the new org.onehippo.repository.tika.TikaFactory class instead, to reuse the Tika parser configuration from the Hippo Repository.
Apache PDFBox version updated from 1.8.8 to 2.0.8
The major version update of Apache PDFBox to 2.0.8, as needed for SECURITY-31, does have backwards incompatible API changes!
While these changes were trivial to adjust to for the Hippo CMS product itself, and we are not aware of any customer implementation with direct/custom usage of PDFBox, please note that this change may require code adjustments. If so, please follow the Migration to PDFBox 2.0.0 documentation.
Please note that the major version update to 2.0.8 was necessary for the upgrade to Tika 1.7, and is only needed for the Hippo CMS or Repository web application.
PDFBox is also used for the optional Enterprise hippo-addon-eforms in the Hippo SITE web application (see below), but there it is only updated to 1.8.13!
Apache Tika version updated from 1.3 to 1.7
The update of Apache Tika, as needed for SECURITY-32, only required adjustments for loading and configuring the default Tika parsers and their dependencies in the Hippo CMS product, which is now handled through the new hippo-repository-tika module.
Apache POI version updated from 3.8 to 3.17
The update of Apache POI, as needed for SECURITY-51, has no known impact.
Apache Groovy version updated from 2.4.11 to 2.4.15
The update of Apache Groovy, as needed for SECURITY-55, has no known impact.
Dependency changes for the Hippo SITE web application
Besides the changed dependencies for Apache CXF, Spring Framework, Commons BeanUtils and JSoup, and the removal of the Xerces dependencies, all mentioned in the global section above, there are a few additional changes specific to the Hippo SITE web application.
Apache PDFBox version updated from 1.8.8 to 1.8.13
For the Enterprise hippo-addon-eforms module the Apache PDFBox dependency was updated for SECURITY-31, with no known impact.
Apache Commons FileUpload version updated from 1.3.2 to 1.3.3
The update of Commons FileUpload, as needed for SECURITY-62, has no known impact.
Spring Data Redis version updated from 1.7.5 to 1.8.11
The update of Spring Data Redis, as needed for SECURITY-47 and used by the optional Enterprise hippo-addon-caching module, might have an API-change impact when directly used in a custom implementation. Please see the Spring Data Redis reference documentation.
Spring Security version updated from 4.0.4 to 4.2.5
The update of Spring Security, as needed for SECURITY-47 and used by the hippo-addon-crisp module, might have an API-change impact when directly used in a custom implementation. Please see the Spring Security reference documentation.
Spring Security JWT version updated from 1.0.4 to 1.0.9
The update of Spring Security JWT, as needed for SECURITY-47 and used by the hippo-addon-crisp module, has no known impact.