Accepting request 940776 from home:david.anes:branches:Java:packages

Update to 1.10.12 + CVEs/bugzilla mentioned in .changes files OBS-URL: https://build.opensuse.org/request/show/940776 OBS-URL: https://build.opensuse.org/package/show/Java:packages/ant?expand=0&rev=165
2021-12-15 18:05:14 +00:00 · 2021-12-15 18:05:14 +00:00 · 526a11bada
commit 526a11bada
parent 9a2562e308
12 changed files with 187 additions and 23 deletions
--- a/ant-antlr.changes
+++ b/ant-antlr.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Dec 15 16:19:12 UTC 2021 - David Anes <david.anes@suse.com>
+
+- Update to 1.10.12:
+ * The update includes fixes for the following CVEs:
+   CVE-2021-36374, bsc#1188469 
+      Excessive memory allocation when reading a specially 
+      crafted ZIP archive or a derived formats.
+   CVE-2021-36373, bsc#1188468
+      Excessive memory allocation when reading a specially 
+      crafted TAR archive.
+ * The http condition would follow redirects even when "followRedirects" attribute
+   was set to "false". This has now been fixed. Bugzilla Report 65489
+ * Made sure setting build.compiler to the fully qualified classname
+   that corresponds to extJavac or modern has the same effect as using
+   the shorter alias names. Bugzilla Report 65539
+ * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. 
+   Bugzilla Report 65424
+ * The implementation of AntClassLoader#findResources() has been changed to optimize 
+   it for potential performance issues, as those noted at https://issues.jenkins.io/browse/JENKINS-22310?focusedCommentId=197405&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-197405
+   Github Pull Request #151
+ * AntClassLoader now implements the ClassLoader#findResource(String) method.
+   Github Pull Request #150
+ * Ant tries to avoid file name canonicalization when possible.
+   Bugzilla Report 65499
+ * javadoc task will now look for warning messages in the STDERR stream too
+   when "failonwarning" is set to true to account for changes in JDK 17+
+ * The tar task now preserves symlinks of nested tarfilesets.
+   Github Pull Request #142
+
+- Changes from 1.10.11:
+ * a race condition could lead to NullPointerExceptions when running
+   tasks in parallel.
+   Bugzilla Report 65316
+ * fixed potential OutOfMemory errors when reading broken archives
+   using the tar or zip formats or formats derived from zip.
+ * org.apache.tools.ant.taskdefs.optional.junitlauncher.confined.JUnitLauncherTask now
+   has a new protected createExecuteWatchdog() method for allowing it to be overriden.
+   Github Pull Request #147
+ * Upgraded AntUnit to 1.4.1.
+
 -------------------------------------------------------------------
 Thu Jun  3 16:17:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/ant-antlr.spec
+++ b/ant-antlr.spec
@ -24,7 +24,7 @@
 %bcond_with junit5
 %bcond_without antlr
 Name:           ant-antlr
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Summary:        Antlr Task for ant
 License:        Apache-2.0
--- a/ant-junit.changes
+++ b/ant-junit.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Dec 15 16:19:12 UTC 2021 - David Anes <david.anes@suse.com>
+
+- Update to 1.10.12:
+ * The update includes fixes for the following CVEs:
+   CVE-2021-36374, bsc#1188469 
+      Excessive memory allocation when reading a specially 
+      crafted ZIP archive or a derived formats.
+   CVE-2021-36373, bsc#1188468
+      Excessive memory allocation when reading a specially 
+      crafted TAR archive.
+ * The http condition would follow redirects even when "followRedirects" attribute
+   was set to "false". This has now been fixed. Bugzilla Report 65489
+ * Made sure setting build.compiler to the fully qualified classname
+   that corresponds to extJavac or modern has the same effect as using
+   the shorter alias names. Bugzilla Report 65539
+ * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. 
+   Bugzilla Report 65424
+ * The implementation of AntClassLoader#findResources() has been changed to optimize 
+   it for potential performance issues, as those noted at https://issues.jenkins.io/browse/JENKINS-22310?focusedCommentId=197405&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-197405
+   Github Pull Request #151
+ * AntClassLoader now implements the ClassLoader#findResource(String) method.
+   Github Pull Request #150
+ * Ant tries to avoid file name canonicalization when possible.
+   Bugzilla Report 65499
+ * javadoc task will now look for warning messages in the STDERR stream too
+   when "failonwarning" is set to true to account for changes in JDK 17+
+ * The tar task now preserves symlinks of nested tarfilesets.
+   Github Pull Request #142
+
+- Changes from 1.10.11:
+ * a race condition could lead to NullPointerExceptions when running
+   tasks in parallel.
+   Bugzilla Report 65316
+ * fixed potential OutOfMemory errors when reading broken archives
+   using the tar or zip formats or formats derived from zip.
+ * org.apache.tools.ant.taskdefs.optional.junitlauncher.confined.JUnitLauncherTask now
+   has a new protected createExecuteWatchdog() method for allowing it to be overriden.
+   Github Pull Request #147
+ * Upgraded AntUnit to 1.4.1.
+
 -------------------------------------------------------------------
 Thu Jun  3 16:17:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/ant-junit.spec
+++ b/ant-junit.spec
@ -24,7 +24,7 @@
 %bcond_with junit5
 %bcond_with antlr
 Name:           ant-junit
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Summary:        Optional junit tasks for ant
 License:        Apache-2.0
--- a/ant-junit5.changes
+++ b/ant-junit5.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Dec 15 16:19:12 UTC 2021 - David Anes <david.anes@suse.com>
+
+- Update to 1.10.12:
+ * The update includes fixes for the following CVEs:
+   CVE-2021-36374, bsc#1188469 
+      Excessive memory allocation when reading a specially 
+      crafted ZIP archive or a derived formats.
+   CVE-2021-36373, bsc#1188468
+      Excessive memory allocation when reading a specially 
+      crafted TAR archive.
+ * The http condition would follow redirects even when "followRedirects" attribute
+   was set to "false". This has now been fixed. Bugzilla Report 65489
+ * Made sure setting build.compiler to the fully qualified classname
+   that corresponds to extJavac or modern has the same effect as using
+   the shorter alias names. Bugzilla Report 65539
+ * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. 
+   Bugzilla Report 65424
+ * The implementation of AntClassLoader#findResources() has been changed to optimize 
+   it for potential performance issues, as those noted at https://issues.jenkins.io/browse/JENKINS-22310?focusedCommentId=197405&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-197405
+   Github Pull Request #151
+ * AntClassLoader now implements the ClassLoader#findResource(String) method.
+   Github Pull Request #150
+ * Ant tries to avoid file name canonicalization when possible.
+   Bugzilla Report 65499
+ * javadoc task will now look for warning messages in the STDERR stream too
+   when "failonwarning" is set to true to account for changes in JDK 17+
+ * The tar task now preserves symlinks of nested tarfilesets.
+   Github Pull Request #142
+
+- Changes from 1.10.11:
+ * a race condition could lead to NullPointerExceptions when running
+   tasks in parallel.
+   Bugzilla Report 65316
+ * fixed potential OutOfMemory errors when reading broken archives
+   using the tar or zip formats or formats derived from zip.
+ * org.apache.tools.ant.taskdefs.optional.junitlauncher.confined.JUnitLauncherTask now
+   has a new protected createExecuteWatchdog() method for allowing it to be overriden.
+   Github Pull Request #147
+ * Upgraded AntUnit to 1.4.1.
+
 -------------------------------------------------------------------
 Thu Jun  3 16:17:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/ant-junit5.spec
+++ b/ant-junit5.spec
@ -24,7 +24,7 @@
 %bcond_without junit5
 %bcond_with antlr
 Name:           ant-junit5
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Summary:        Optional junit tasks for ant
 License:        Apache-2.0
--- a/ant.changes
+++ b/ant.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Dec 15 16:19:12 UTC 2021 - David Anes <david.anes@suse.com>
+
+- Update to 1.10.12:
+ * The update includes fixes for the following CVEs:
+   CVE-2021-36374, bsc#1188469 
+      Excessive memory allocation when reading a specially 
+      crafted ZIP archive or a derived formats.
+   CVE-2021-36373, bsc#1188468
+      Excessive memory allocation when reading a specially 
+      crafted TAR archive.
+ * The http condition would follow redirects even when "followRedirects" attribute
+   was set to "false". This has now been fixed. Bugzilla Report 65489
+ * Made sure setting build.compiler to the fully qualified classname
+   that corresponds to extJavac or modern has the same effect as using
+   the shorter alias names. Bugzilla Report 65539
+ * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. 
+   Bugzilla Report 65424
+ * The implementation of AntClassLoader#findResources() has been changed to optimize 
+   it for potential performance issues, as those noted at https://issues.jenkins.io/browse/JENKINS-22310?focusedCommentId=197405&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-197405
+   Github Pull Request #151
+ * AntClassLoader now implements the ClassLoader#findResource(String) method.
+   Github Pull Request #150
+ * Ant tries to avoid file name canonicalization when possible.
+   Bugzilla Report 65499
+ * javadoc task will now look for warning messages in the STDERR stream too
+   when "failonwarning" is set to true to account for changes in JDK 17+
+ * The tar task now preserves symlinks of nested tarfilesets.
+   Github Pull Request #142
+
+- Changes from 1.10.11:
+ * a race condition could lead to NullPointerExceptions when running
+   tasks in parallel.
+   Bugzilla Report 65316
+ * fixed potential OutOfMemory errors when reading broken archives
+   using the tar or zip formats or formats derived from zip.
+ * org.apache.tools.ant.taskdefs.optional.junitlauncher.confined.JUnitLauncherTask now
+   has a new protected createExecuteWatchdog() method for allowing it to be overriden.
+   Github Pull Request #147
+ * Upgraded AntUnit to 1.4.1.
+
 -------------------------------------------------------------------
 Thu Jun  3 16:17:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/ant.spec
+++ b/ant.spec
@ -23,7 +23,7 @@
 %bcond_with junit5
 %bcond_with antlr
 Name:           ant
-Version:        1.10.10
+Version:        1.10.12
 Release:        0
 Summary:        Java-based build tool
 License:        Apache-2.0
--- a/apache-ant-1.10.10-src.tar.xz
+++ b/apache-ant-1.10.10-src.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c8ab046eaca09d2c3fa0cdf1a681740e31f8afad0ad6bc346fe51d16fdc6d92d
-size 4530288
--- a/apache-ant-1.10.10-src.tar.xz.asc
+++ b/apache-ant-1.10.10-src.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjacMAN968bDS+dx03bzBJwop0IEFAmBzv6cACgkQ3bzBJwop
-0IFIJg//TGQ6nt0Y7A3AHA0FTaNILyx1dPHWOU2k5OJWuFUYmWn8w123cU2oFsWM
-jswdArCNOOYOGgQks2ALiuAKrMs37K+osuCOJzXbOxffuE3mpIXFdf5oz916qg93
-fg4FxBWEkkQQECgosLs2KDdf26ODz5pJH7beJsVLujRnO3Y1qpU8WiUqj8VWEy8t
-mLKKZUgO2+mKSHKCKNw2aXHypHfQSm2UImi85hzxsaBHIo4hK8MEeFVmKBLWjf5q
-8qeaZufqjdV/6T+tlcoMw2ARAuBMeiEv4j/3gyUiGnnh+sAs353sG7z3MFSvDgax
-RwmsfoBCGBlWAcHwWiW1HiJtNViRBnlvtzyAklyAnNIpyBy2n3vn+Oh+uEQjAH7G
-1zBNzj47K4e9IfR7Ryb/FtexuaPieny+CwCZi77zjWv69I2+pqEJe+h+pgLfXe5h
-/8DcYGoskyfhuuNxX7YLDWkTPyo8MZr074QBKHjL8nhwN8vcBJkqvWduqER5YFUL
-pgTXAGOOONNHOqSsyqUaePB7dk7PTy/cGdRJ48QBfiI+LMCEsm9hP9iRaHBqw3Z7
-frS256po21czzqyWBhhF7E/eVOBdFaKJuL4xGc+/0tfoavQycONuPDjkqUAMxetr
-K4cMUzcosoxs1FLf/EOenbiRXD4KjXNtbtE3R5FN6T6h0R7rcAM=
-=PX25
-----END PGP SIGNATURE-----
--- a/apache-ant-1.10.12-src.tar.xz
+++ b/apache-ant-1.10.12-src.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7629bb10285c5de609df56ae9bc968332f3d34d6cd5c0a5dffe24078e09e98b3
+size 3869920
--- a/apache-ant-1.10.12-src.tar.xz.asc
+++ b/apache-ant-1.10.12-src.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjacMAN968bDS+dx03bzBJwop0IEFAmFmZaoACgkQ3bzBJwop
+0IEqSg/8Dt6ZUTesNXjZNFQQC6EgSU7lzxb6rfeAZoV3BZ8b+HuyBGp6xun//U0m
+SBmKqFzL6DfRO6Y1oivuO6704jmywioZfm5dJlRQO09GOIYCYK5qBCbEi29Tvvkx
+xMLgQTdu83hzCvPwMSGhzoRmEaPucSSFxszSdG6/Z0dhWqKk3qSd06A5I4A98rGA
+ERyJXY6MVCHXrmea/V/k4M03sl4bfaJcePtktE/wXWBSq36nrC6G7HSVLIuBAGXF
+IsX4M9RaCoqJ72e83cvEhPKpPMVPKQxHO4RMirFfrADKeBW9zBMf81RwsHGMrfnq
+/wyyf5LzRUfE0GUL1kqmYsvbicN5HIMZ4yg5vH3XhcGApH00Gv2a6eyPhdnBKik8
+JVnIyJHV8MIy8kLtxt4poUufCbasxNMrzhzlDzmzqfVTBLDg/4h//Xy+ifYu19al
+eJopmud/AEo1JaT+7ZRaZ4V6UjajUhrKqF5/Pm9YMMD1YTjfrbe+k43k1tiOWLyJ
+4KKLcif1evfWWToeeHw+znpi/fnv7/2c7TYGXxqc1oyHwP3gUkMt5fARqyz3pNsl
+KBbvNC6MlwW0noaV4z3dl9qwYAODgary4CAkFCcfoghy7b9qig6USsuNIDMXOoK1
+YhVj3B4wpn8xZ1aqZSc/1PO6t197mMdcq54Vho7JLxfBlNesLr4=
+=fI16
+-----END PGP SIGNATURE-----