From be3a89a19524984948d684be705fd19c93f6513dfe5f5ce83c235fe2835f0f22 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 22 Aug 2019 06:45:06 +0000
Subject: [PATCH] Accepting request 725107 from home:pmonrealgonzalez:branches:Java:packages
- Update to 1.9.4
 * BEANUTILS-520: BeanUtils mitigate CVE-2014-0114
- Security fix: [bsc#1146657, CVE-2019-10086]
 * PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.
- Fix build version in build.xml
 * Added apache-commons-beanutils-fix-build-version.patch
OBS-URL: https://build.opensuse.org/request/show/725107
OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-commons-beanutils?expand=0&rev=20
---
 apache-commons-beanutils-fix-build-version.patch | 13 +++++++++++++
 apache-commons-beanutils.changes | 11 +++++++++++
 apache-commons-beanutils.spec | 8 +++++---
 commons-beanutils-1.9.3-src.tar.gz | 3 ---
 commons-beanutils-1.9.3-src.tar.gz.asc | 7 -------
 commons-beanutils-1.9.4-src.tar.gz | 3 +++
 commons-beanutils-1.9.4-src.tar.gz.asc | 16 ++++++++++++++++
 7 files changed, 48 insertions(+), 13 deletions(-)
 create mode 100644 apache-commons-beanutils-fix-build-version.patch
 delete mode 100644 commons-beanutils-1.9.3-src.tar.gz
 delete mode 100644 commons-beanutils-1.9.3-src.tar.gz.asc
 create mode 100644 commons-beanutils-1.9.4-src.tar.gz
 create mode 100644 commons-beanutils-1.9.4-src.tar.gz.asc
diff --git a/apache-commons-beanutils-fix-build-version.patch b/apache-commons-beanutils-fix-build-version.patch
new file mode 100644
index 0000000..d6e23c3
--- /dev/null
+++ b/apache-commons-beanutils-fix-build-version.patch
@@ -0,0 +1,13 @@
+Index: commons-beanutils-1.9.4-src/build.xml
+===================================================================
+--- commons-beanutils-1.9.4-src.orig/build.xml
++++ commons-beanutils-1.9.4-src/build.xml
+@@ -43,7 +43,7 @@
+
+
+
+-
++
+
+
+
diff --git a/apache-commons-beanutils.changes b/apache-commons-beanutils.changes
index dc1f2e6..827c903 100644
--- a/apache-commons-beanutils.changes
+++ b/apache-commons-beanutils.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Aug 21 14:56:26 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 1.9.4
+ * BEANUTILS-520: BeanUtils mitigate CVE-2014-0114
+- Security fix: [bsc#1146657, CVE-2019-10086]
+ * PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
+ level property access by default, thus protecting against CVE-2014-0114.
+- Fix build version in build.xml
+ * Added apache-commons-beanutils-fix-build-version.patch
+
 -------------------------------------------------------------------
 Tue Oct 23 17:30:33 UTC 2018 - Fridrich Strba
diff --git a/apache-commons-beanutils.spec b/apache-commons-beanutils.spec
index 848f65d..e5eab58 100644
--- a/apache-commons-beanutils.spec
+++ b/apache-commons-beanutils.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apache-commons-beanutils
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define base_name beanutils
 %define short_name commons-%{base_name}
 Name: apache-commons-beanutils
-Version: 1.9.3
+Version: 1.9.4
 Release: 0
 Summary: Utility methods for accessing and modifying the properties of JavaBeans
 License: Apache-2.0
@@ -28,6 +28,7 @@ URL: http://commons.apache.org/beanutils
 Source0: http://www.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz
 Source1: http://www.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz.asc
 Patch0: jdk9.patch
+Patch1: apache-commons-beanutils-fix-build-version.patch
 BuildRequires: ant
 BuildRequires: commons-collections
 BuildRequires: commons-logging
@@ -65,6 +66,7 @@ BeanUtils Package.
 %prep
 %setup -q -n %{short_name}-%{version}-src
 %patch0 -p1
+%patch1 -p1
 sed -i 's/\r//' *.txt
 # bug in ant build
 touch README.txt
@@ -76,7 +78,7 @@ ant -Dbuild.sysclasspath=first dist
 %install
 # jars
 install -d -m 755 %{buildroot}%{_javadir}
-install -m 644 dist/%{short_name}-%{version}-SNAPSHOT.jar %{buildroot}%{_javadir}/%{name}-%{version}.jar
+install -m 644 dist/%{short_name}-%{version}.jar %{buildroot}%{_javadir}/%{name}-%{version}.jar
 pushd %{buildroot}%{_javadir}
 ln -s %{name}-%{version}.jar %{name}.jar
diff --git a/commons-beanutils-1.9.3-src.tar.gz b/commons-beanutils-1.9.3-src.tar.gz
deleted file mode 100644
index 48ad30b..0000000
--- a/commons-beanutils-1.9.3-src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:139fa584321bab198a68a3ed99ed3804268b9cc5e3257f0f6b3a503df0029a0d
-size 414517
diff --git a/commons-beanutils-1.9.3-src.tar.gz.asc b/commons-beanutils-1.9.3-src.tar.gz.asc
deleted file mode 100644
index 816415f..0000000
--- a/commons-beanutils-1.9.3-src.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iD8DBQBX4rOHQRBjo6D/0RkRApT1AJ9NGUGJzFi59vlrWvDzFKdROKXMvgCbBhL1
-/oUw+UyHw8Gh5YAeSN4PnuI=
-=v7kQ
------END PGP SIGNATURE-----
diff --git a/commons-beanutils-1.9.4-src.tar.gz b/commons-beanutils-1.9.4-src.tar.gz
new file mode 100644
index 0000000..db5a5ca
--- /dev/null
+++ b/commons-beanutils-1.9.4-src.tar.gz
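Review bot: In apache-commons-beanutils.spec, the source list shown in the `@@ -28,6 +28,7 @@` hunk still has no keyring entry beside `Source1`, so nothing visible here verifies the new `commons-beanutils-1.9.4-src.tar.gz.asc` against a pinned signer key; the signature is stored but, as far as these lines show, not checked. This matters more than usual for this update because the 1.9.4 signature block has a different format and length from the 1.9.3 one it replaces, which suggests the release was signed with a different key. I would ship the upstream signing keys with the package and declare them, e.g. `Source2: %{name}.keyring`, so source validation fails on a tampered or mis-signed tarball. The `Source0`/`Source1` context lines also still use `http://`; `https://` would be the cheap hardening. The Source/Patch list may continue outside the hunk, so confirm no keyring is declared elsewhere.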
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d46a5ac37000cad57ed338dbc5a0ae08cb924471afb5b3d4cff084afa0c728e
+size 412606
diff --git a/commons-beanutils-1.9.4-src.tar.gz.asc b/commons-beanutils-1.9.4-src.tar.gz.asc
new file mode 100644
index 0000000..95fd666
--- /dev/null
+++ b/commons-beanutils-1.9.4-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEtuc9hOpPzEcWYIclP6rSzV7LsxQFAl0+HtQACgkQP6rSzV7L
+sxSeOA//WJ8qCJV5F3UGky4Ycp8Ihdb9j3ixZt68dLhcC0URw/aIwprn6F03/UFh
+8MFbXrjZtqa2CBJ4G+Af0H7l0ZjQ6bG4VY/tALHhUUdq+jKAHD7nZq61UTkR5wDo
+qDYPcazlfpjI+9pZnxe6JeoKL5O5ph3n9uzWnrt0JP56kzY8OU0Y4tNFzSFqCu1H
+tKyYBFbCJAAtwMBT5dFF48ExjMGLkIGPveBnef6UtMNoGlT7TH8ixb6NmktZfj8l
+oIdRI8Hk+zGpP/xiqTIhs7Z3uZ/kZJXOn6dPWTKsR3tEK8uqA+NCHVtPGMs0/trU
+kcyQGtKKoHWk6W5xuEq0BJK+BEdWtEdnvwLFVkow5+i/Y/ezfvnE7bWL1MeYDrYM
+pbvuuCGGRkk/XKSCkb81+6W3+ID3lF+4JS85Ny+zPfMH4CqUYNmeYJ5qE8qpRC0M
+rxiA0s+nMBWsNVt3PUE36zep1JDnCwacMryITj6g88wsRY8Mo3TU5TLTkoYne4At
+9PdCgdDrYMCYJlo5OPPy3k7mrbLBy8J4IfTPjAPzHXpXqvidPHLVGVg/T/QsXJAh
+nNG0/2CQhPplJtm0fLQRkLYHA8kp4qvjACQGGu7zW8HliZNYeDdJy9M2LNdWstn6
+xMWPp7UxgvFly8u4WEEk0Yox/EVT4O1Lc8kQgJF2RdU0KOQGaD4=
+=yvPn
+-----END PGP SIGNATURE-----