Apache Axis2 1.7.3 Release Note
-------------------------------

Apache Axis2 1.7.3 is a security release that contains a fix for [CVE-2010-3981][]. That security
vulnerability affects the admin console that is part of the Axis2 Web application and was originally
reported for SAP BusinessObjects (which includes a version of Axis2). That report didn't mention
Axis2 at all and the Axis2 project only recently became aware (thanks to Devesh Bhatt and Nishant
Agarwala) that the issue affects Apache Axis2 as well.

The admin console now has a CSRF prevention mechanism and all known XSS vulnerabilities as well as
two non-security bugs in the admin console ([AXIS2-4764][] and [AXIS2-5716][]) have been fixed.
Users of the Axis2 WAR distribution are encouraged to upgrade to 1.7.3 to take advantage of these
improvements.

This release also fixes a regression in the HTTP client code that is triggered by the presence of
certain types of cookies in HTTP responses (see [AXIS2-5772][]).

[CVE-2010-3981]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3981
[AXIS2-4764]: https://issues.apache.org/jira/browse/AXIS2-4764
[AXIS2-5716]: https://issues.apache.org/jira/browse/AXIS2-5716
[AXIS2-5772]: https://issues.apache.org/jira/browse/AXIS2-5772