[Git][java-team/derby][master] 3 commits: Add patch for CVE-2022-46337 (Closes: #1056755)
Tony Mancill (@tmancill)
gitlab at salsa.debian.org
Sun Nov 26 05:38:11 GMT 2023
Tony Mancill pushed to branch master at Debian Java Maintainers / derby
Commits:
49c33ccb by tony mancill at 2023-11-25T20:11:01-08:00
Add patch for CVE-2022-46337 (Closes: #1056755)
- - - - -
d03031ea by tony mancill at 2023-11-25T21:28:27-08:00
Update lintian-overrides for derby source package
- - - - -
890648ca by tony mancill at 2023-11-25T21:28:27-08:00
Prepare changelog for upload
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/06-CVE-2022-46337.patch
- debian/patches/series
- debian/source/lintian-overrides
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+derby (10.14.2.0-3) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2022-46337 (Closes: #1056755)
+ * Update lintian-overrides for derby source package
+
+ -- tony mancill <tmancill at debian.org> Sat, 25 Nov 2023 21:25:10 -0800
+
derby (10.14.2.0-2) unstable; urgency=medium
* Team upload
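Review bot: the changelog entry names the CVE but says nothing about what it is; Debian security uploads conventionally put a one-line description after the CVE id so that `apt changelog` readers and the security tracker see the issue without opening the patch. Suggest `* Add patch for CVE-2022-46337: LDAP injection in LDAPAuthenticationSchemeImpl (Closes: #1056755)`.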
=====================================
debian/patches/06-CVE-2022-46337.patch
=====================================
@@ -0,0 +1,159 @@
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1905586
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056755
+Forwarded: not-needed
+
+--
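Review bot: the DEP-3 header has Origin, Bug-Debian and Forwarded but no Description (or Subject) field, so the patch file itself never states what it fixes. Suggest adding, above Origin, something like `Description: Escape the LDAP uid in getDNFromUID() to prevent LDAP injection (CVE-2022-46337, DERBY-7147)`, which matches the comment the patch adds to the Java source.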
+--- a/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
++++ b/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
+@@ -191,6 +191,54 @@
+
+
+ /**
++ * Given an LDAP search string, returns the string with certain characters
++ * escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm.
++ *
++ * The character mapping is as follows:
++ * char -> Replacement
++ * ---------------------------
++ * * -> \2a
++ * ( -> \28
++ * ) -> \29
++ * \ -> \5c
++ * \0 -> \00
++ *
++ * @param inString string to escape according to RFC 2254 guidelines
++ *
++ * @return String the escaped/encoded result
++ */
++ protected String doFilterEscaping(String inString) {
++ if (inString == null) {
++ return null;
++ }
++ StringBuilder buf = new StringBuilder(inString.length());
++ for (int i = 0; i < inString.length(); i++) {
++ char c = inString.charAt(i);
++ switch (c) {
++ case '\\':
++ buf.append("\\5c");
++ break;
++ case '*':
++ buf.append("\\2a");
++ break;
++ case '(':
++ buf.append("\\28");
++ break;
++ case ')':
++ buf.append("\\29");
++ break;
++ case '\0':
++ buf.append("\\00");
++ break;
++ default:
++ buf.append(c);
++ break;
++ }
++ }
++ return buf.toString();
++ }
++
++ /**
+ * Call new InitialDirContext in a privilege block
+ * @param env environment used to create the initial DirContext. Null indicates an empty environment.
+ * @return an initial DirContext using the supplied environment.
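Review bot: the javadoc cites RFC 2254, which has been obsoleted by RFC 4515; the five replacements listed (`\`, `*`, `(`, `)` and NUL) are exactly the set RFC 4515 section 3 requires for filter assertion values, so the code is right but the reference is stale. Two smaller points on the same hunk: the method reads no instance state, so `private static` describes it better than `protected`, and the javadoc should say that this is filter escaping only, not DN escaping (RFC 4514), so nobody later reuses the escaped string to build a distinguished name.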
+@@ -411,7 +459,10 @@
+ private String getDNFromUID(String uid)
+ throws javax.naming.NamingException
+ {
+- //
++ // Escape the uid as a defense against LDAP injection. See DERBY-7147.
++ uid = doFilterEscaping(uid);
++
++ //
+ // We bind to the LDAP server here
+ // Note that this bind might be anonymous (if anonymous searches
+ // are allowed in the LDAP server, or authenticated if we were
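Review bot: `uid` is overwritten with its escaped form at the top of getDNFromUID(), so every later use of `uid` in that method now sees the escaped string, and the rest of the method is outside this hunk. Confirm that `uid` is only interpolated into the search filter and not also used for logging, for comparing against the returned entry, or as a DN component, where `\2a`-style filter escaping is the wrong encoding. If any of those apply, keep the original and escape into a separate local, e.g. `String escapedUid = doFilterEscaping(uid);`, and use that only where the filter is built.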
+--- /dev/null
++++ b/tools/release/notices/tomcat.txt
+@@ -0,0 +1,72 @@
++Derby uses the org.apache.catalina.realm.JNDIRealm.doFilterEscaping()
++routine from the Apache Tomcat project. The following notice covers
++the Tomcat sources:
++
++Apache Tomcat
++Copyright 1999-2022 The Apache Software Foundation
++
++This product includes software developed at
++The Apache Software Foundation (https://www.apache.org/).
++
++This software contains code derived from netty-native
++developed by the Netty project
++(https://netty.io, https://github.com/netty/netty-tcnative/)
++and from finagle-native developed at Twitter
++(https://github.com/twitter/finagle).
++
++This software contains code derived from jgroups-kubernetes
++developed by the JGroups project (http://www.jgroups.org/).
++
++The Windows Installer is built with the Nullsoft
++Scriptable Install System (NSIS), which is
++open source software. The original software and
++related information is available at
++http://nsis.sourceforge.net.
++
++Java compilation software for JSP pages is provided by the Eclipse
++JDT Core Batch Compiler component, which is open source software.
++The original software and related information is available at
++https://www.eclipse.org/jdt/core/.
++
++org.apache.tomcat.util.json.JSONParser.jj is a public domain javacc grammar
++for JSON written by Robert Fischer.
++https://github.com/RobertFischer/json-parser
++
++For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration
++The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages
++are derivative work originating from the Netty project and the finagle-native
++project developed at Twitter
++* Copyright 2014 The Netty Project
++* Copyright 2014 Twitter
++
++For portions of the Tomcat cloud support
++The org.apache.catalina.tribes.membership.cloud package contains derivative
++work originating from the jgroups project.
++https://github.com/jgroups-extras/jgroups-kubernetes
++Copyright 2002-2018 Red Hat Inc.
++
++The original XML Schemas for Java EE Deployment Descriptors:
++ - javaee_5.xsd
++ - javaee_web_services_1_2.xsd
++ - javaee_web_services_client_1_2.xsd
++ - javaee_6.xsd
++ - javaee_web_services_1_3.xsd
++ - javaee_web_services_client_1_3.xsd
++ - jsp_2_2.xsd
++ - web-app_3_0.xsd
++ - web-common_3_0.xsd
++ - web-fragment_3_0.xsd
++ - javaee_7.xsd
++ - javaee_web_services_1_4.xsd
++ - javaee_web_services_client_1_4.xsd
++ - jsp_2_3.xsd
++ - web-app_3_1.xsd
++ - web-common_3_1.xsd
++ - web-fragment_3_1.xsd
++ - javaee_8.xsd
++ - web-app_4_0.xsd
++ - web-common_4_0.xsd
++ - web-fragment_4_0.xsd
++
++may be obtained from:
++http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html
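Review bot: tomcat.txt reproduces Tomcat's entire NOTICE, including the paragraphs on netty-native, finagle-native, jgroups-kubernetes, NSIS, the Eclipse JDT compiler and the Java EE XSDs, none of which enters Derby by copying one escaping routine. The ASF attribution paragraphs are what the Apache License requires for the borrowed code; consider trimming the file to the lead-in plus those paragraphs, or at least wording the lead-in so it is clear the text below is Tomcat's NOTICE verbatim, so readers of Derby's assembled NOTICE do not read the netty or jgroups statements as applying to Derby.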
+--- a/build.xml
++++ b/build.xml
+@@ -2022,6 +2022,7 @@
+ <antcall target="appendnotice"><param name="sourcefile" value="felix.txt"/></antcall>
+ <antcall target="appendnotice"><param name="sourcefile" value="lucene.txt"/></antcall>
+ <antcall target="appendnotice"><param name="sourcefile" value="simpleJson.txt"/></antcall>
++ <antcall target="appendnotice"><param name="sourcefile" value="tomcat.txt"/></antcall>
+
+ <antcall target="checkinfile">
+ <param name="checkinComment" value="Check in NOTICE as part of building a release."/>
=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@
03-offline-package-list.patch
04-java10-compatibility.patch
json-simple-3.patch
+06-CVE-2022-46337.patch
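Review bot: the new patch is numbered 06, but the series has no 05 and the preceding entry, json-simple-3.patch, carries no number at all, so the prefix no longer reflects position. Either rename json-simple-3.patch to 05-json-simple-3.patch or drop the numeric prefix on the new patch; the series file encodes apply order regardless, so this is a consistency point only.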
=====================================
debian/source/lintian-overrides
=====================================
@@ -1 +1,3 @@
derby source: source-contains-prebuilt-java-object java/testing/*
+# source contains long lines
+derby source: source-is-missing [java/demo/nserverdemo/readme.html]
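Review bot: the comment `# source contains long lines` describes the symptom, not why the override is justified. lintian raises source-is-missing on long lines because it suspects minified or generated content, so the override should record that java/demo/nserverdemo/readme.html is hand-written documentation whose source is the file itself, e.g. `# readme.html is hand-written HTML with long lines, not minified or generated`, so the next maintainer does not have to re-derive the reasoning.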
View it on GitLab: https://salsa.debian.org/java-team/derby/-/compare/83378a9957e98bbe9e3ba66c71988c4a04073bc5...890648caa826dffd50dafdfd6d96f46a5f04e40e