Third-Party Update: Jackson Databind

Jackson Databind has been updated to version 2.10.5.1 to avoid a security vulnerability of the previous version (CVE-2020-25649).

(CMS-18754)

Fixed CVE-2020-15250 for JUnit < 4.13.1

Fixed security issue regarding JUnit Rule TemporaryFolder by updating to JUnit 4.13.1.

For details see: TemporaryFolder on unix-like systems does not limit access to created files · Advisory · junit-team/junit4

(CMS-18630)

Configurable Limit for "My Edited Content"

The new Spring property "userchanges.max-length" for the User Changes App can be used to configure the maximum length of users' "My Edited Content" lists for automatic update by the User Changes App . If the maximum has been reached, no further edited contents will be added to the list by the User Changes App . The default is unlimited ( Integer#MAX_VALUE ) to keep the existing behavior, for backwards-compatibility.

It is recommended to configure a maximum that can still be handled by editors, and is a lot lower than the maximum number of contents that can be stored in a MongoDB document. The latter depends on the length of stored document IDs but can be estimated to something around 600.000 contents.

Also, the performance of the User Changes App has been improved when it needs to process many repository changes.

(CMS-18409)

Library catalog tree fixed when categories have multiple parents

In some catalogs it is possible to put a category to multiple places within the catalog tree. That led to a broken tree. The unique parent of the catalog object defines the home of such a category. If there are more occurrences of that category in the tree it is shown as a link.

(CMS-18169)