Release Notes / Version 10.2010
Fixed CVE-2020-15250 for JUnit < 4.13.1
Fixed security issue regarding JUnit Rule TemporaryFolder by updating to JUnit 4.13.1.
For details see: TemporaryFolder on unix-like systems does not limit access to created files · Advisory · junit-team/junit4
(CMS-18630)
CVE-2020-27216: Jetty Updated to 9.4.35
Jetty has been updated to 9.4.35.v20201120 to address CVE-2020-27216 (Creation of Temporary File With Insecure Permissions).
All Jetty artifacts managed by org.eclipse.jetty:jetty-bom are affected, including:
org.eclipse.jetty.http2.http2-client
org.eclipse.jetty.http2.http2-common
org.eclipse.jetty.jetty-client
org.eclipse.jetty.jetty-server
org.eclipse.jetty.jetty-servlet
org.eclipse.jetty.jetty-util
(CMS-18629)
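To confirm that a customized workspace no longer resolves versions below the two fixes above, the following added example (not part of the original release notes or the product) scans Maven dependency output for JUnit below 4.13.1 and Jetty below 9.4.35. It assumes the `group:artifact:type[:classifier]:version:scope` line format of `mvn dependency:list`; the sample input is constructed.

```python
import re

# Fixed versions as stated in the two release note entries above.
JUNIT_FIXED = (4, 13, 1)   # CVE-2020-15250
JETTY_FIXED = (9, 4, 35)   # CVE-2020-27216 (9.4.35.v20201120)
# Groups of the Jetty artifacts listed in the note; extend as needed.
JETTY_GROUPS = {"org.eclipse.jetty", "org.eclipse.jetty.http2"}

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    junit:junit:jar:4.13:test
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.31.v20200723:compile
[INFO]    org.eclipse.jetty.http2:http2-client:jar:9.4.35.v20201120:compile
[INFO]    org.eclipse.jetty:jetty-util:jar:tests:9.4.33.v20201020:test
[INFO]    org.springframework:spring-core:jar:5.2.9.RELEASE:compile
"""

def numeric_version(version):
    """Leading dotted numbers as a 3-tuple: '9.4.35.v20201120' -> (9, 4, 35)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in match.group(0).split(".")] if match else []
    return tuple((parts + [0, 0, 0])[:3])

def required_floor(group, artifact):
    """Return (cve, minimum version) for coordinates covered by the notes."""
    if (group, artifact) == ("junit", "junit"):
        return "CVE-2020-15250", JUNIT_FIXED
    if group in JETTY_GROUPS:
        return "CVE-2020-27216", JETTY_FIXED
    return None

def audit(dependency_list):
    """List (cve, coordinate, version) for dependencies below the fixed version."""
    findings = []
    for line in dependency_list.splitlines():
        tokens = line.replace("[INFO]", "").split()
        fields = tokens[0].split(":") if tokens else []
        # group:artifact:type:version:scope, optionally with a classifier
        if len(fields) not in (5, 6):
            continue
        group, artifact, version = fields[0], fields[1], fields[-2]
        floor = required_floor(group, artifact)
        if floor and numeric_version(version) < floor[1]:
            findings.append((floor[0], f"{group}:{artifact}", version))
    return findings

if __name__ == "__main__":
    for cve, coordinate, version in audit(SAMPLE):
        print(f"{cve}: {coordinate} {version} is below the fixed version")
```

Pre-release versions such as 4.13-rc-2 compare by their numeric prefix and are therefore reported as below 4.13.1.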
Fixed Dataview Initialization for Autowired Dependencies
Dataviews did not receive autowired dependencies of the origin class if the original content bean was replaced with an extended content bean class. Only customizations of the Blueprint which both extended CMQueryListImpl and replaced the original "contentBeanFactory:CMQueryList" content bean were affected by this bug.
(CMS-18615)
Fixed Solr Core Creation in Docker Setup
Fixed a bug in the script for the creation of Solr cores at a Solr Slave server in apps/solr/docker/solr/src/docker/bin/config.sh.
(CMS-18614)
XLIFF-Export: Fixed Possible CapTranslateItemException for Master without Derived
In previous CMCC releases you may have experienced a CapTranslateItemException like:
CapTranslateItemException: Master aspect does not have any matching derived target contents
Because actions like FilteredDerivedContentAction commonly remove derived target contents from a translation process, the behavior has been changed so that this state is ignored. Thus, for a given master without derived targets, no translation item and, as a result, no XLIFF file will be generated.
(CMS-18523)
ArrayStoreException when querying settings fixed
When querying for settings in a content object, an ArrayStoreException occurred when using the 'paths' query parameter with nested path lists.
(CMS-18520)
Editorial Comments: Support for multiple hibernate data sources
A bug has been fixed which prevented defining a custom Hibernate connection next to the editorial comments Hibernate connection. All Hibernate, JPA and Liquibase beans for editorial comments are now injected by name instead of by type.
(CMS-18418)
Liquibase not executed with every Studio-Server startup anymore
The database migration tool Liquibase was executed with every start of a Studio Server instance. When the start of the Studio Server was interrupted during the execution of Liquibase, it was possible that a lock on the database remained, which had to be removed manually.
Now Liquibase will only be executed when the database needs to be migrated. If the database is up to date, Liquibase will not run.
(CMS-18387)
Customize Annotation not working in CaasConfig
The @Customize annotation was not executed. Therefore, the Spring bean "contentSegmentStrategyMap" was not customized correctly and the related map was empty.
(CMS-18321)
Content Hub: details request respects that entity might be null
The request /details of the Content Hub rest service assumed that an entity is always available when details are requested. Now the request delivers an error when the entity can't be found.
(CMS-18298)
TransformedBlobHandler sends uncacheable response if blob hash does not match
TransformedBlobHandler sends uncacheable response if blob hash does not match. The TransformedBlobHandler uses HandlerBase#isSingleNode and the external configuration option cae.single-node to control this behavior.
(CMS-18048)
Made CAE SameSite Cookie strategy configurable
The config options prefixed cae.cookie control the CAE's behavior when sending cookies. It is now possible to configure the value of the SameSite attribute and whether or not to force all cookies to Secure and HttpOnly.
(CMS-17573)
XLIFF-Import: Fixed possible IllegalArgumentException for Struct Lists
If you had exported Struct entries of type List<Struct> with the option EMPTY_IGNORE enabled, you may have experienced an IllegalArgumentException like:
a list of length 1 was entered at position 2, which does not exist
This has been fixed.
(CMS-17572)
Fixed type error "Cannot read property 'parentNode' of null"
When to-dos in a project in Studio are filtered for a selected day and when the 'Show all to-dos' button is clicked, the type error mentioned above appears. This has been fixed now.
(CMS-17215)
Error in CKDialogBase
Throwing NPE fixed
Event behavioral change to support validation by typing
Url field shows validation
(CMS-16095)
Avoid clear text passwords in SAP OAuth2 Calls in commerce adapter
User and userGroup that can be passed to the preview token service are configurable. By default the property hybris.previewTokenUser is set to "anonymous". If you do not want any user to be passed for preview tickets, just configure hybris.previewTokenUser and leave it blank.
(CMS-15815)
Fixed CAE Feeder bug that caused missing changes
Fixed a bug in the CAE Feeder that caused some updates to be ignored in rare cases. The workaround for this bug was to restart the CAE Feeder application, which caused it to replay these missing updates. With this bug fix, this isn't necessary anymore.
Furthermore, a related bug was fixed that caused some documents to be re-indexed after restarting the CAE Feeder, even though the documents were already up to date. This also happened in rare cases only.
(CMS-14695)
DatePropertyField is now editable by typing
A bug has been fixed where the DatePropertyField prevented users from editing the date by typing because the field directly wrote the new value even if the value was invalid. This led to a bad request and the value was reset to its original valid value.
(CMS-13886)