[Git][java-team/velocity][master] 4 commits: Update Vcs URLs to point to Salsa
Tony Mancill
gitlab at salsa.debian.org
Wed Mar 17 04:53:39 GMT 2021
Tony Mancill pushed to branch master at Debian Java Maintainers / velocity
Commits:
765693d6 by tony mancill at 2021-03-16T20:37:42-07:00
Update Vcs URLs to point to Salsa
- - - - -
8ca516ee by tony mancill at 2021-03-16T20:55:02-07:00
Patch for CVE-2020-13936 (Closes: #985220)
- - - - -
adc1b0d3 by tony mancill at 2021-03-16T21:07:54-07:00
Ship Apache NOTICE file with package
- - - - -
1eb28765 by tony mancill at 2021-03-16T21:08:19-07:00
prepare changelog for upload to unstable
- - - - -
5 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2020-13936.patch
- debian/patches/series
- + debian/velocity.docs
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+velocity (1.7-6) unstable; urgency=high
+
+ * Team upload.
+ * Update Vcs URLs to point to Salsa
+ * Patch for CVE-2020-13936 (Closes: #985220)
+ * Ship Apache NOTICE file with package
+
+ -- tony mancill <tmancill at debian.org> Tue, 16 Mar 2021 21:07:58 -0700
+
velocity (1.7-5.1) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
=====================================
debian/control
=====================================
@@ -26,8 +26,8 @@ Build-Depends-Indep: ant,
libservlet3.1-java,
libwerken.xpath-java
Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/velocity.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/velocity.git
+Vcs-Git: https://salsa.debian.org/java-team/velocity.git
+Vcs-Browser: https://salsa.debian.org/java-team/velocity
Homepage: http://velocity.apache.org/
Package: velocity
=====================================
debian/patches/CVE-2020-13936.patch
=====================================
@@ -0,0 +1,48 @@
+Description: patch for CVE-2020-13936; disallow ClassLoader, Thread, and subclasses
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985220
+Source: https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
+Comment: patch adapted to apply against Velocity 1.7
+
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@
+ return true;
+ }
+
++ /**
++ * Always disallow ClassLoader, Thread and subclasses
++ */
++ if (ClassLoader.class.isAssignableFrom(clazz) ||
++ Thread.class.isAssignableFrom(clazz))
++ {
++ return false;
++ }
++
+ /**
+ * check the classname (minus any array info)
+ * whether it matches disallowed classes or packages
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -247,13 +247,9 @@
+
+ introspector.restrict.packages = java.lang.reflect
+
+-# The two most dangerous classes
++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+ introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-
+-# Restrict these for extra safety
+-
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,7 +258,6 @@
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+
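Review bot: the `isAssignableFrom` check added at `SecureIntrospectorImpl.java:121` rejects ClassLoader, Thread and any subclass by type, which the exact-name `introspector.restrict.classes` entries removed from velocity.properties never did, so dropping those two lines is consistent; but the remaining entries (ThreadGroup, ThreadLocal, InheritableThreadLocal, and so on) are still matched by class name per the "check the classname" comment that follows, so subclasses of those are not covered, and the Description should say which classes are now type-checked and which are still name-checked. Because the new check lives in SecureIntrospectorImpl, it only takes effect for deployments that use the secure introspector; worth a sentence in the Description or changelog so users of other uberspectors do not assume they are covered. Also, `Source:` is not a DEP-3 field; use `Origin: backport, <upstream commit URL>` to record the apache/velocity-engine commit, keeping `Comment:` for the note about adapting it to 1.7.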
=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
0001-fix-example-scripts.patch
+CVE-2020-13936.patch
=====================================
debian/velocity.docs
=====================================
@@ -0,0 +1 @@
+NOTICE
View it on GitLab: https://salsa.debian.org/java-team/velocity/-/compare/2d759d4219119074defc31e93f93310cb63a417e...1eb28765705512a868fd6507b06ca51e5e5208cb