[Git][java-team/resteasy][master-3.0] 3 commits: really add the cve fix
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Tue Oct 19 22:59:13 BST 2021
Timo Aaltonen pushed to branch master-3.0 at Debian Java Maintainers / resteasy
Commits:
22c5d54b by Timo Aaltonen at 2021-10-20T00:53:40+03:00
really add the cve fix
- - - - -
0f36a4a9 by Timo Aaltonen at 2021-10-20T00:57:16+03:00
Drop dependency on liblog4j1.2-java, and fix classpath to use tomcat9-el-api.jar.
- - - - -
a87c079c by Timo Aaltonen at 2021-10-20T00:58:27+03:00
releasing package resteasy3.0 version 3.0.26-3
- - - - -
6 changed files:
- debian/changelog
- debian/control
- debian/libresteasy3.0-java.classpath
- debian/maven.ignoreRules
- debian/maven.rules
- + debian/patches/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+resteasy3.0 (3.0.26-3) unstable; urgency=medium
+
+ * Drop dependency on liblog4j1.2-java, and fix classpath to use
+ tomcat9-el-api.jar.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 20 Oct 2021 00:57:18 +0300
+
resteasy3.0 (3.0.26-2) unstable; urgency=medium
* control, maven.rules: Use tomcat for servlet & el-api, add
=====================================
debian/control
=====================================
@@ -23,7 +23,6 @@ Build-Depends-Indep:
libjboss-logging-java,
libjboss-logging-tools-java,
libjettison-java,
- liblog4j1.2-java (>= 1.2.17),
libmaven-install-plugin-java,
libslf4j-java,
libtomcat9-java,
@@ -36,7 +35,6 @@ Homepage: http://rest-easy.org
Package: libresteasy3.0-java
Architecture: all
Depends: ${maven:Depends}, ${misc:Depends},
- liblog4j1.2-java
Recommends: ${maven:OptionalDepends}
Conflicts: libresteasy-java
Replaces: libresteasy-java
=====================================
debian/libresteasy3.0-java.classpath
=====================================
@@ -1,4 +1,4 @@
-usr/share/java/resteasy-jaxrs.jar /usr/share/java/log4j-1.2.jar /usr/share/java/slf4j-api.jar /usr/share/java/httpclient.jar /usr/share/java/commons-io.jar /usr/share/java/geronimo-annotation-1.3-spec.jar /usr/share/java/el-api-3.0.jar
+usr/share/java/resteasy-jaxrs.jar /usr/share/java/slf4j-api.jar /usr/share/java/httpclient.jar /usr/share/java/commons-io.jar /usr/share/java/geronimo-annotation-1.3-spec.jar /usr/share/java/tomcat9-el-api.jar
usr/share/java/resteasy-jaxb-provider.jar /usr/share/java/jaxb-impl.jar
usr/share/java/resteasy-jettison-provider.jar /usr/share/java/jettison.jar
usr/share/java/resteasy-jackson-provider.jar /usr/share/java/jackson-core-asl.jar /usr/share/java/jackson-mapper-asl.jar /usr/share/java/jackson-jaxrs.jar /usr/share/java/jackson-xc.jar
=====================================
debian/maven.ignoreRules
=====================================
@@ -34,3 +34,4 @@ org.jboss.el jboss-el * * * *
org.mortbay.jetty maven-jetty-plugin * * * *
org.springframework spring-webmvc * * * *
org.glassfish javax.el * * * *
+log4j log4j * * * *
=====================================
debian/maven.rules
=====================================
@@ -11,7 +11,6 @@ org.codehaus.jettison jettison s/bundle/jar/ s/.*/debian/ * *
org.yaml snakeyaml * s/.*/1.x/ * *
com.sun.istack istack-commons-runtime * s/debian/2.17/ * *
s/jboss/javassist/ javassist * s/.*/debian/ * *
-log4j log4j * s/1\.2\..*/1.2.x/ * *
s/org.jboss.spec.javax.annotation/org.apache.geronimo.specs/ s/jboss-annotations-api_1.2_spec/geronimo-annotation_1.3_spec/ * s/.*/debian/ * *
s/org.jboss.spec.javax.servlet/org.apache.tomcat/ s/jboss-servlet-api_3.1_spec/tomcat-servlet-api/ * s/.*/9.x/ * *
s/org.jboss.spec.javax.el/org.apache.tomcat/ s/jboss-el-api_3.0_spec/tomcat-el-api/ * s/.*/9.x/ * *
=====================================
debian/patches/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
=====================================
@@ -0,0 +1,47 @@
+From f58a22382e31c0c4b92e519fa84f701a606981ac Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko <bspyrkos at redhat.com>
+Date: Thu, 16 Apr 2020 14:01:17 +0100
+Subject: [PATCH] [RESTEASY-2559] Improper validation of response header in
+ MediaTypeHeaderDelegate.java class
+
+---
+ .../plugins/delegates/MediaTypeHeaderDelegate.java | 1 +
+ .../test/mediatype/MediaTypeHeaderTest.java | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+index db0b4d588..b31d4376e 100755
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
++++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+@@ -89,6 +89,7 @@ public class MediaTypeHeaderDelegate implements RuntimeDelegate.HeaderDelegate
+ case '[':
+ case ']':
+ case '=':
++ case '\n':
+ return false;
+ default:
+ break;
+diff --git a/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+new file mode 100644
+index 000000000..e46f018f7
+--- /dev/null
++++ b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+@@ -0,0 +1,14 @@
++package org.jboss.resteasy.test.mediatype;
++
++import org.jboss.resteasy.plugins.delegates.MediaTypeHeaderDelegate;
++import org.junit.Test;
++
++public class MediaTypeHeaderTest {
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testNewLineInHeaderValueIsRejected() {
++ MediaTypeHeaderDelegate delegate = new MediaTypeHeaderDelegate();
++
++ delegate.fromString("foo/bar\n");
++ }
++}
+--
+2.26.2
+
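Review bot: The added `case '\n':` rejects a bare LF in the media type but lets a bare CR through, so a value containing `\r` still reaches the outgoing Content-Type header; whether a lone CR terminates a header line depends on the servlet container in front of RESTEasy, so the guard should cover both, `case '\r':` next to `case '\n':` (more generally this deny-list of fifteen characters is a weak shape for a header-value check — an allow-list of RFC 7230 tchar would also close the remaining control-character gap, e.g. `\0`, `\t`, 0x7F). The new test only pins `"foo/bar\n"`; a sibling `delegate.fromString("foo/bar\r");` under the same `expected = IllegalArgumentException.class` would pin the CR case. The method containing the switch starts and ends outside the hunk, so I am assuming the `return true` path is unchanged. Separately, the patch file is added but debian/patches/series is not in the changed-files list and the 3.0.26-3 changelog entry says nothing about the RESTEASY-2559 fix or its CVE (CVE-2020-10688, if I have the mapping right); if -2 did not already list the patch in series it will not be applied at all, and without the CVE id in the changelog the security tracker will not pick it up either way.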