[Git][java-team/resteasy][master-3.0] 5 commits: patches: Drop Log4jLogger. (Closes: #1028854)
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Sat Jan 21 09:57:06 GMT 2023
Timo Aaltonen pushed to branch master-3.0 at Debian Java Maintainers / resteasy
Commits:
619d24bf by Timo Aaltonen at 2023-01-21T11:12:27+02:00
patches: Drop Log4jLogger. (Closes: #1028854)
- - - - -
8a95bf48 by Timo Aaltonen at 2023-01-21T11:12:35+02:00
Drop all modules that dogtag-pki doesn't need.
- - - - -
4b993b89 by Timo Aaltonen at 2023-01-21T11:44:20+02:00
RESTEASY-2519-fix-CVE-2020-10688.diff: Fix an XSS flaw. (Closes: #1015001)
* RESTEASY-2519-fix-CVE-2020-10688.diff: Fix an XSS flaw. (Closes:
#1015001)
- CVE-2020-10688
- - - - -
8deb1b40 by Timo Aaltonen at 2023-01-21T11:55:52+02:00
Restore activation api, add libjakarta-activation-java to build-depends.
- - - - -
e98f5002 by Timo Aaltonen at 2023-01-21T11:56:03+02:00
releasing package resteasy3.0 version 3.0.26-4
- - - - -
9 changed files:
- debian/changelog
- debian/control
- debian/libresteasy3.0-java.classpath
- debian/libresteasy3.0-java.poms
- debian/maven.ignoreRules
- debian/maven.rules
- + debian/patches/0001-Remove-Log4jLogger.patch
- + debian/patches/RESTEASY-2519-fix-CVE-2020-10688.diff
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+resteasy3.0 (3.0.26-4) unstable; urgency=medium
+
+ * patches: Drop Log4jLogger. (Closes: #1028854)
+ * Drop all modules that dogtag-pki doesn't need.
+ * RESTEASY-2519-fix-CVE-2020-10688.diff: Fix an XSS flaw. (Closes:
+ #1015001)
+ - CVE-2020-10688
+ * Restore activation api, add libjakarta-activation-java to build-
+ depends.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Sat, 21 Jan 2023 11:55:52 +0200
+
resteasy3.0 (3.0.26-3) unstable; urgency=medium
* Drop dependency on liblog4j1.2-java, and fix classpath to use
=====================================
debian/control
=====================================
@@ -12,21 +12,18 @@ Build-Depends-Indep:
libcommons-io-java,
libgeronimo-annotation-1.3-spec-java,
libhttpclient-java,
- libjackson-json-java,
libjackson2-core-java,
libjackson2-databind-java,
libjackson2-jaxrs-providers-java,
libjackson2-module-jaxb-annotations-java,
- libjaxb-java,
+ libjakarta-activation-java,
libjaxb-api-java,
libjaxrs-api-java (>= 2.1),
libjboss-logging-java,
libjboss-logging-tools-java,
- libjettison-java,
libmaven-install-plugin-java,
libslf4j-java,
libtomcat9-java,
- libyaml-snake-java
Standards-Version: 4.5.1
Vcs-Git: https://salsa.debian.org/java-team/resteasy.git
Vcs-Browser: https://salsa.debian.org/java-team/resteasy
=====================================
debian/libresteasy3.0-java.classpath
=====================================
@@ -1,7 +1,2 @@
-usr/share/java/resteasy-jaxrs.jar /usr/share/java/slf4j-api.jar /usr/share/java/httpclient.jar /usr/share/java/commons-io.jar /usr/share/java/geronimo-annotation-1.3-spec.jar /usr/share/java/tomcat9-el-api.jar
-usr/share/java/resteasy-jaxb-provider.jar /usr/share/java/jaxb-impl.jar
-usr/share/java/resteasy-jettison-provider.jar /usr/share/java/jettison.jar
-usr/share/java/resteasy-jackson-provider.jar /usr/share/java/jackson-core-asl.jar /usr/share/java/jackson-mapper-asl.jar /usr/share/java/jackson-jaxrs.jar /usr/share/java/jackson-xc.jar
+usr/share/java/resteasy-jaxrs.jar /usr/share/java/slf4j-api.jar /usr/share/java/httpclient.jar /usr/share/java/commons-io.jar /usr/share/java/geronimo-annotation-1.3-spec.jar /usr/share/java/tomcat9-el-api.jar /usr/share/java/jakarta-activation.jar
usr/share/java/resteasy-jackson2-provider.jar /usr/share/java/jackson-core.jar /usr/share/java/jackson-databind.jar /usr/share/java/jackson-jaxrs-base.jar /usr/share/java/jackson-jaxrs-json-provider.jar /usr/share/java/jackson-module-jaxb-annotations.jar
-usr/share/java/resteasy-atom-provider.jar /usr/share/java/jaxb-impl.jar
-usr/share/java/resteasy-yaml-provider.jar /usr/share/java/snakeyaml.jar
=====================================
debian/libresteasy3.0-java.poms
=====================================
@@ -32,28 +32,29 @@ jboss-modules/pom.xml --ignore
profiling-tests/pom.xml --ignore
providers/pom.xml --has-package-version
providers/fastinfoset/pom.xml --ignore
-providers/jaxb/pom.xml --has-package-version
-providers/jettison/pom.xml --has-package-version
-providers/jackson/pom.xml --has-package-version
+providers/jaxb/pom.xml --ignore
+providers/jackson/pom.xml --ignore
providers/jackson2/pom.xml --has-package-version
+providers/jettison/pom.xml --ignore
providers/json-p-ee7/pom.xml --ignore
providers/multipart/pom.xml --ignore
-providers/resteasy-atom/pom.xml --has-package-version
-providers/resteasy-html/pom.xml --has-package-version
+providers/resteasy-atom/pom.xml --ignore
+providers/resteasy-html/pom.xml --ignore
providers/resteasy-validator-provider-11/pom.xml --ignore
-providers/yaml/pom.xml --has-package-version
+providers/yaml/pom.xml --ignore
resteasy-bom/pom.xml --ignore
resteasy-cache/pom.xml --ignore
resteasy-cdi/pom.xml --ignore
resteasy-client/pom.xml --has-package-version
-resteasy-dependencies-bom/pom.xml --no-parent
+resteasy-dependencies-bom/pom.xml --ignore
resteasy-guice/pom.xml --ignore
resteasy-jaxrs/pom.xml --has-package-version
resteasy-jaxrs-testsuite/pom.xml --ignore
resteasy-jsapi/pom.xml --ignore
+resteasy-jsapi-testing/pom.xml --ignore
resteasy-links/pom.xml --ignore
-resteasy-spring/pom.xml --ignore
resteasy-servlet-initializer/pom.xml --ignore
+resteasy-spring/pom.xml --ignore
resteasy-wadl/pom.xml --ignore
resteasy-wadl-undertow-connector/pom.xml --ignore
security/pom.xml --ignore
=====================================
debian/maven.ignoreRules
=====================================
@@ -5,9 +5,12 @@ org.jboss.resteasy http-adapter-pom pom * * *
org.jboss.resteasy profiling-tests jar * * *
org.jboss.resteasy resteasy-cache-pom pom * * *
org.jboss.resteasy resteasy-cdi jar * * *
+org.jboss.resteasy resteasy-dependencies pom * * *
org.jboss.resteasy resteasy-guice jar * * *
org.jboss.resteasy resteasy-hibernatevalidator-provider jar * * *
+org.jboss.resteasy resteasy-jaxb jar * * *
org.jboss.resteasy resteasy-jaxrs-testsuite jar * * *
+org.jboss.resteasy resteasy-jettison-provider jar * * *
org.jboss.resteasy resteasy-jsapi jar * * *
org.jboss.resteasy resteasy-spring jar * * *
org.jboss.resteasy resteasy-test-data jar * * *
@@ -21,7 +24,6 @@ org.jboss.resteasy testable-examples-pom pom * * *
org.jboss.resteasy.test war-tests-pom pom * * *
org.jboss.resteasy tjws * * * *
com.atlassian.maven.plugins maven-clover2-plugin * * * *
-javax.activation activation * * * *
javax.el javax.el-api * * * *
net.jcip jcip-annotations * * * *
org.apache.maven.plugins maven-deploy-plugin * * * *
=====================================
debian/maven.rules
=====================================
@@ -15,3 +15,4 @@ s/org.jboss.spec.javax.annotation/org.apache.geronimo.specs/ s/jboss-annotations
s/org.jboss.spec.javax.servlet/org.apache.tomcat/ s/jboss-servlet-api_3.1_spec/tomcat-servlet-api/ * s/.*/9.x/ * *
s/org.jboss.spec.javax.el/org.apache.tomcat/ s/jboss-el-api_3.0_spec/tomcat-el-api/ * s/.*/9.x/ * *
s/org.jboss.spec.javax.ws.rs/javax.ws.rs/ s/jboss-jaxrs-api_2.0_spec/javax.ws.rs-api/ * s/.*/debian/ * *
+s/javax.activation/jakarta.activation/ s/activation/jakarta.activation-api/ * s/.*/debian/ * *
=====================================
debian/patches/0001-Remove-Log4jLogger.patch
=====================================
@@ -0,0 +1,163 @@
+From d9ad1ff80c45333922fb51e454ee6036b389faa4 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata at redhat.com>
+Date: Wed, 2 Jun 2021 19:34:16 -0500
+Subject: [PATCH] Remove Log4jLogger
+
+---
+ .../resteasy/logging/impl/Log4jLogger.java | 144 ------------------
+ 1 file changed, 144 deletions(-)
+ delete mode 100644 resteasy-jaxrs/src/main/java/org/jboss/resteasy/logging/impl/Log4jLogger.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/logging/impl/Log4jLogger.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/logging/impl/Log4jLogger.java
+deleted file mode 100644
+index 6cf43d251..000000000
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/logging/impl/Log4jLogger.java
++++ /dev/null
+@@ -1,144 +0,0 @@
+-package org.jboss.resteasy.logging.impl;
+-
+-import org.apache.log4j.Logger;
+-
+-import java.text.MessageFormat;
+-
+-/**
+- * @author <a href="mailto:bill at burkecentral.com">Bill Burke</a>
+- * @version $Revision: 1 $
+- */
+-public class Log4jLogger extends org.jboss.resteasy.logging.Logger
+-{
+- private transient Logger delegate;
+- private String classname;
+-
+- public Log4jLogger(String classname)
+- {
+- this.classname = classname;
+- delegate = Logger.getLogger(classname);
+- }
+-
+- @Override
+- public boolean isTraceEnabled()
+- {
+- return delegate.isTraceEnabled();
+- }
+-
+- @Override
+- public void trace(String message)
+- {
+- if (!delegate.isTraceEnabled()) return;
+- delegate.trace(message);
+- }
+-
+- @Override
+- public void trace(String message, Object... params)
+- {
+- if (!delegate.isTraceEnabled()) return;
+- String msg = MessageFormat.format(message, params);
+- delegate.trace(msg);
+- }
+-
+- @Override
+- public void trace(String message, Throwable error)
+- {
+- if (!delegate.isTraceEnabled()) return;
+- delegate.trace(message, error);
+- }
+-
+- @Override
+- public boolean isDebugEnabled()
+- {
+- return delegate.isDebugEnabled();
+- }
+-
+- @Override
+- public void debug(String message)
+- {
+- if (!delegate.isDebugEnabled()) return;
+- delegate.debug(message);
+- }
+-
+- @Override
+- public void debug(String message, Object... params)
+- {
+- if (!delegate.isDebugEnabled()) return;
+- String msg = MessageFormat.format(message, params);
+- delegate.debug(msg);
+- }
+-
+- @Override
+- public void debug(String message, Throwable error)
+- {
+- if (!isDebugEnabled()) return;
+- delegate.debug(message, error);
+- }
+-
+- @Override
+- public void info(String message)
+- {
+- if (!(delegate.isInfoEnabled())) return;
+- delegate.info(message);
+- }
+-
+- @Override
+- public void info(String message, Object... params)
+- {
+- if (!delegate.isInfoEnabled()) return;
+- String msg = MessageFormat.format(message, params);
+- delegate.info(msg);
+- }
+-
+- @Override
+- public void info(String message, Throwable error)
+- {
+- if (!delegate.isInfoEnabled()) return;
+- delegate.info(message, error);
+- }
+-
+- @Override
+- public void warn(String message)
+- {
+- delegate.warn(message);
+- }
+-
+- @Override
+- public void warn(String message, Object... params)
+- {
+- String msg = MessageFormat.format(message, params);
+- delegate.warn(msg);
+- }
+-
+- @Override
+- public void warn(String message, Throwable error)
+- {
+- delegate.warn(message, error);
+- }
+-
+- @Override
+- public void error(String message)
+- {
+- delegate.warn(message);
+- }
+-
+- @Override
+- public void error(String message, Object... params)
+- {
+- String msg = MessageFormat.format(message, params);
+- delegate.error(msg);
+- }
+-
+- @Override
+- public void error(String message, Throwable error)
+- {
+- delegate.warn(message, error);
+- }
+-
+- @Override
+- public boolean isWarnEnabled()
+- {
+- return true;
+- }
+-
+-}
+--
+2.31.1
+
=====================================
debian/patches/RESTEASY-2519-fix-CVE-2020-10688.diff
=====================================
@@ -0,0 +1,82 @@
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
++++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+@@ -13,6 +13,7 @@ import javax.ws.rs.HeaderParam;
+ import javax.ws.rs.WebApplicationException;
+ import javax.ws.rs.ext.ParamConverter;
+ import javax.ws.rs.ext.RuntimeDelegate;
++import java.io.UnsupportedEncodingException;
+
+ import java.lang.annotation.Annotation;
+ import java.lang.reflect.AccessibleObject;
+@@ -23,6 +24,8 @@ import java.lang.reflect.Method;
+ import java.lang.reflect.Modifier;
+ import java.lang.reflect.ParameterizedType;
+ import java.lang.reflect.Type;
++import java.net.URLEncoder;
++import java.nio.charset.StandardCharsets;
+ import java.util.ArrayList;
+ import java.util.Collection;
+ import java.util.Collections;
+@@ -322,7 +325,7 @@ public class StringParameterInjector
+ }
+ catch (Exception e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal), target), e);
+ }
+ if (paramConverter != null)
+ {
+@@ -348,11 +351,11 @@ public class StringParameterInjector
+ }
+ catch (InstantiationException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal), target), e);
+ }
+ catch (IllegalAccessException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal), target), e);
+ }
+ catch (InvocationTargetException e)
+ {
+@@ -361,7 +364,7 @@ public class StringParameterInjector
+ {
+ throw ((WebApplicationException)targetException);
+ }
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal), target), targetException);
+ }
+ }
+ else if (valueOf != null)
+@@ -372,7 +375,7 @@ public class StringParameterInjector
+ }
+ catch (IllegalAccessException e)
+ {
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal), target), e);
+ }
+ catch (InvocationTargetException e)
+ {
+@@ -381,7 +384,7 @@ public class StringParameterInjector
+ {
+ throw ((WebApplicationException)targetException);
+ }
+- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
++ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal), target), targetException);
+ }
+ }
+ return null;
+@@ -391,4 +394,12 @@ public class StringParameterInjector
+ {
+ throw new BadRequestException(message, cause);
+ }
++
++ private String _encode(String strVal) {
++ try {
++ return URLEncoder.encode(strVal, StandardCharsets.UTF_8.name());
++ } catch (UnsupportedEncodingException e) {
++ throw new RuntimeException(e);
++ }
++ }
+ }
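Review bot: `_encode` in the last hunk calls `URLEncoder.encode(strVal, …)`, which throws `NullPointerException` on a null argument, so if any of the rewritten catch blocks can be reached with a null parameter value the intended `BadRequestException` would be replaced by an NPE; a guard such as `return strVal == null ? null : URLEncoder.encode(strVal, StandardCharsets.UTF_8.name());` keeps the original behaviour for that case. Whether null can reach these call sites is not visible here, as the enclosing method starts outside the hunk, so it is worth confirming against the full method. The helper also deserves a comment stating why the value is encoded, e.g. `// Percent-encode the caller-supplied value before it is reflected into the error message (CVE-2020-10688, reflected XSS)`, since form-encoding a human-readable message otherwise reads as a mistake. If the package is built for Java 10 or later, `URLEncoder.encode(strVal, StandardCharsets.UTF_8)` avoids the checked `UnsupportedEncodingException` and the `RuntimeException` wrapper entirely.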
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,5 @@
+0001-Remove-Log4jLogger.patch
03-jaxrs-api-compatibility.patch
jaxb-api-compatibility.diff
0001-RESTEASY-2559-Improper-validation-of-response-header.patch
+RESTEASY-2519-fix-CVE-2020-10688.diff