Accepting request 907107 from Java:packages

bsc#1188438, CVE-2021-34429

OBS-URL: https://build.opensuse.org/request/show/907107
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/jetty-minimal?expand=0&rev=11
Dominique Leuenberger 2021-07-20 13:39:14 +00:00 committed by Git OBS Bridge
commit c72c8ee15f
8 changed files with 302 additions and 25 deletions


@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Jul 19 10:13:02 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Splitting the jetty-unixsocket artifact into a separate spec file
in order to avoid extra dependencies for the jetty-minimal
package.
-------------------------------------------------------------------
Mon Jul 19 06:58:23 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Update to version 9.4.43.v20210629
* Fix: bsc#1188438, CVE-2021-34429
* Changes:
+ Improve alias checking in PathResource
+ java.nio.ReadOnlyBufferException
+ Deprecate support for UTF16 encoding in URIs
+ Update to spifly 1.3.3
+ Update to asm 9.1
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 28 12:45:55 UTC 2021 - Anton Shvetz <shvetz.anton@gmail.com> Mon Jun 28 12:45:55 UTC 2021 - Anton Shvetz <shvetz.anton@gmail.com>


@ -1,5 +1,5 @@
# #
# spec file for package jetty-minimal # spec file
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2021 SUSE LLC
# Copyright (c) 2000-2007, JPackage Project # Copyright (c) 2000-2007, JPackage Project
@ -18,10 +18,10 @@
%global base_name jetty %global base_name jetty
%global addver .v20210604 %global addver .v20210629
%define src_name %{base_name}.project-%{base_name}-%{version}%{addver} %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
Name: %{base_name}-minimal Name: %{base_name}-minimal
Version: 9.4.42 Version: 9.4.43
Release: 0 Release: 0
Summary: Java Webserver and Servlet Container Summary: Java Webserver and Servlet Container
License: Apache-2.0 OR EPL-1.0 License: Apache-2.0 OR EPL-1.0
@ -30,17 +30,17 @@ URL: https://www.eclipse.org/jetty/
Source0: https://github.com/eclipse/%{base_name}.project/archive/%{base_name}-%{version}%{addver}.tar.gz#/%{src_name}.tar.gz Source0: https://github.com/eclipse/%{base_name}.project/archive/%{base_name}-%{version}%{addver}.tar.gz#/%{src_name}.tar.gz
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: maven-local BuildRequires: maven-local
BuildRequires: mvn(com.github.jnr:jnr-unixsocket)
BuildRequires: mvn(javax.annotation:javax.annotation-api) BuildRequires: mvn(javax.annotation:javax.annotation-api)
BuildRequires: mvn(javax.servlet:javax.servlet-api) BuildRequires: mvn(javax.servlet:javax.servlet-api)
BuildRequires: mvn(javax.transaction:javax.transaction-api) BuildRequires: mvn(javax.transaction:javax.transaction-api)
BuildRequires: mvn(org.apache.ant:ant)
BuildRequires: mvn(org.apache.ant:ant-launcher)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-shade-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-shade-plugin)
BuildRequires: mvn(org.apache.tomcat:tomcat-jasper) BuildRequires: mvn(org.apache.tomcat:tomcat-jasper)
BuildRequires: mvn(org.apache.tomcat:tomcat-util-scan)
BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
BuildRequires: mvn(org.eclipse.jetty.orbit:javax.mail.glassfish)
BuildRequires: mvn(org.eclipse.jetty.toolchain:jetty-schemas) BuildRequires: mvn(org.eclipse.jetty.toolchain:jetty-schemas)
BuildRequires: mvn(org.ow2.asm:asm) BuildRequires: mvn(org.ow2.asm:asm)
BuildRequires: mvn(org.ow2.asm:asm-commons) BuildRequires: mvn(org.ow2.asm:asm-commons)
@ -207,7 +207,8 @@ Group: Productivity/Networking/Web/Servers
%package -n %{base_name}-server %package -n %{base_name}-server
Summary: The server module for Jetty Summary: The server module for Jetty
Group: Productivity/Networking/Web/Servers # FIXME: use correct group or remove it, see "https://en.opensuse.org/openSUSE:Package_group_guidelines"
Group: Productivity/Neorg.apache.maven.plugins:maven-dependency-plugintworking/Web/Servers
%description -n %{base_name}-server %description -n %{base_name}-server
%{extdesc} %{summary}. %{extdesc} %{summary}.
@ -233,13 +234,6 @@ Group: Productivity/Networking/Web/Servers
%description -n %{base_name}-start %description -n %{base_name}-start
%{extdesc} %{summary}. %{extdesc} %{summary}.
%package -n %{base_name}-unixsocket
Summary: The unixsocket module for Jetty
Group: Productivity/Networking/Web/Servers
%description -n %{base_name}-unixsocket
%{extdesc} %{summary}.
%package -n %{base_name}-util %package -n %{base_name}-util
Summary: The util module for Jetty Summary: The util module for Jetty
Group: Productivity/Networking/Web/Servers Group: Productivity/Networking/Web/Servers
@ -373,7 +367,7 @@ rm -fr examples/embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors
# the default location is not allowed by SELinux # the default location is not allowed by SELinux
sed -i '/<SystemProperty name="jetty.state"/d' \ sed -i '/<SystemProperty name="jetty.state"/d' \
jetty-home/src/main/resources/etc/jetty-started.xml jetty-home/src/main/resources%{_sysconfdir}/jetty-started.xml
# remote-resources only copies about.html # remote-resources only copies about.html
%pom_remove_plugin :maven-remote-resources-plugin %pom_remove_plugin :maven-remote-resources-plugin
@ -394,7 +388,7 @@ sed -i '/<SystemProperty name="jetty.state"/d' \
%pom_disable_module examples %pom_disable_module examples
%pom_disable_module jetty-distribution %pom_disable_module jetty-distribution
%pom_disable_module jetty-runner %pom_disable_module jetty-runner
#%%pom_disable_module jetty-http-spi %pom_disable_module jetty-unixsocket
%pom_disable_module jetty-alpn %pom_disable_module jetty-alpn
%pom_disable_module jetty-home %pom_disable_module jetty-home
@ -503,8 +497,6 @@ ln -s %{_javadir}/%{base_name}/%{base_name}-ant.jar %{buildroot}%{_datadir}/ant/
%files -n %{base_name}-servlets -f .mfiles-jetty-servlets %files -n %{base_name}-servlets -f .mfiles-jetty-servlets
%files -n %{base_name}-unixsocket -f .mfiles-jetty-unixsocket
%files javadoc -f .mfiles-javadoc %files javadoc -f .mfiles-javadoc
%license LICENSE NOTICE.txt %license LICENSE NOTICE.txt
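Review bot: The `Group:` tag of the `%{base_name}-server` subpackage looks corrupted on the new side of the `-207,7 +207,8` hunk: it reads `Group: Productivity/Neorg.apache.maven.plugins:maven-dependency-plugintworking/Web/Servers`, which appears to be a BuildRequires coordinate pasted into the middle of `Networking`. The `# FIXME: use correct group or remove it` comment added above it flags the bad value but does not fix it; it looks tool-generated, though the page does not show that. The line should be restored to `Group: Productivity/Networking/Web/Servers`, as the neighbouring subpackages in this section still have it, and the FIXME dropped. The markers are lost in this rendering, so the side assignment is inferred from the hunk header counts. Because this revision carries the fix for CVE-2021-34429, it is worth correcting before the update is forwarded, so the security update does not ship with an obviously malformed tag.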

5
jetty-unixsocket.changes Normal file

@ -0,0 +1,5 @@
-------------------------------------------------------------------
Mon Jul 19 10:11:08 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Splitting jetty-unixsocket 9.4.43.v20210629 into a separate spec
file

249
jetty-unixsocket.spec Normal file

@ -0,0 +1,249 @@
#
# spec file
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2000-2007, JPackage Project
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global base_name jetty
%global addver .v20210629
%define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
Name: %{base_name}-unixsocket
Version: 9.4.43
Release: 0
Summary: The unixsocket modules for Jetty
License: Apache-2.0 OR EPL-1.0
URL: https://www.eclipse.org/jetty/
Source0: https://github.com/eclipse/%{base_name}.project/archive/%{base_name}-%{version}%{addver}.tar.gz#/%{src_name}.tar.gz
BuildRequires: fdupes
BuildRequires: maven-local
BuildRequires: mvn(com.github.jnr:jnr-unixsocket)
BuildRequires: mvn(org.apache.ant:ant)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin)
BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
BuildRequires: mvn(org.eclipse.jetty:jetty-client) >= %{version}
BuildRequires: mvn(org.eclipse.jetty:jetty-server) >= %{version}
BuildArch: noarch
%description
Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\
do not need to configure and run a separate web server (like Apache) in order\
to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\
featured web server for static and dynamic content. Unlike separate\
server/container solutions, this means that your web server and web\
application run in the same process, without interconnection overheads\
and complications. Furthermore, as a pure java component, Jetty can be simply\
included in your application for demonstration, distribution or deployment.\
Jetty is available on all Java supported platforms.
This package contains the unixsocket module for Jetty
%package javadoc
Summary: Javadoc for %{name}
%description javadoc
%{summary}.
%prep
%setup -q -n %{src_name}
find . -name "*.?ar" -exec rm {} \;
find . -name "*.class" -exec rm {} \;
# Plugins irrelevant or harmful to building the package
%pom_remove_plugin -r :maven-checkstyle-plugin
%pom_remove_plugin -r :maven-enforcer-plugin
%pom_remove_plugin -r :maven-eclipse-plugin
%pom_remove_plugin -r :license-maven-plugin
%pom_remove_plugin -r :maven-site-plugin
%pom_remove_plugin -r :maven-source-plugin
%pom_remove_plugin -r :maven-deploy-plugin
%pom_remove_plugin -r :jacoco-maven-plugin
%pom_remove_plugin -r :maven-release-plugin
%pom_remove_plugin -r :buildnumber-maven-plugin
%pom_remove_plugin -r :h2spec-maven-plugin
# Unnecessary pom flattening can be skipped
%pom_remove_plugin -r :flatten-maven-plugin jetty-bom
%pom_disable_module aggregates/jetty-all
%pom_remove_dep "com.sun.net.httpserver:http" jetty-http-spi
%pom_change_dep -r org.mortbay.jasper:apache-jsp org.apache.tomcat:tomcat-jasper
%pom_add_dep 'org.junit.jupiter:junit-jupiter-engine:${junit.version}' tests/test-sessions/test-sessions-common
# provided by glassfish-jsp-api that has newer version
%pom_change_dep -r javax.servlet.jsp:jsp-api javax.servlet.jsp:javax.servlet.jsp-api
# txt artifact - not installable
%pom_remove_plugin ":jetty-version-maven-plugin"
%pom_xpath_remove "pom:artifactItem[pom:classifier='version']" jetty-home
# Disable building source release
%pom_xpath_remove 'pom:execution[pom:id="sources"]' jetty-home
# Unwanted JS in javadoc
sed -i '/^\s*\*.*<script>/d' jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
# only used for integration tests
%pom_remove_plugin :maven-invoker-plugin jetty-jspc-maven-plugin
# These bundles have a dep on Eclipse that is not available on every arch
%pom_disable_module jetty-osgi
# We don't have asciidoctor-maven-plugin
%pom_disable_module jetty-documentation
%pom_remove_dep -r :jetty-documentation
%pom_xpath_remove 'pom:execution[pom:id="unpack-documentation"]' jetty-distribution
%pom_xpath_remove 'pom:artifactItem[pom:artifactId="libsetuid-osx"]' jetty-home/pom.xml
# TODO remove when jetty-setuid is packaged
%pom_xpath_remove "pom:execution[pom:id[text()='copy-setuid-deps']]" jetty-home/pom.xml
# We don't have gcloud-java-datastore
%pom_disable_module jetty-gcloud
%pom_disable_module test-gcloud-sessions tests/test-sessions
%pom_remove_dep :jetty-gcloud-session-manager jetty-home
# we don't have com.googlecode.xmemcached:xmemcached yet
%pom_disable_module jetty-memcached
%pom_disable_module test-memcached-sessions tests/test-sessions
%pom_remove_dep :jetty-memcached-sessions jetty-home
# We don't have hazelcast
%pom_disable_module jetty-hazelcast
%pom_disable_module test-hazelcast-sessions tests/test-sessions
%pom_remove_dep :jetty-hazelcast jetty-home
# We don't have infinispan
%pom_disable_module jetty-infinispan
%pom_disable_module test-infinispan-sessions tests/test-sessions
%pom_remove_dep :infinispan-embedded jetty-home
%pom_remove_dep :infinispan-embedded-query jetty-home
%pom_remove_dep :infinispan-remote jetty-home
%pom_remove_dep :infinispan-remote-query jetty-home
%pom_xpath_remove "pom:execution[pom:id='unpack-infinispan-config']" jetty-home
# Not currently able to build tests, so can't build benchmarks
%pom_disable_module jetty-jmh
# Distribution tests require internet access, so disable
%pom_disable_module test-distribution tests
# missing conscrypt
%pom_disable_module jetty-alpn-conscrypt-server jetty-alpn
%pom_disable_module jetty-alpn-conscrypt-client jetty-alpn
%pom_remove_dep -r :jetty-alpn-conscrypt-server
%pom_remove_dep -r :jetty-alpn-conscrypt-client
rm -fr examples/embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java
# the default location is not allowed by SELinux
sed -i '/<SystemProperty name="jetty.state"/d' \
jetty-home/src/main/resources%{_sysconfdir}/jetty-started.xml
# remote-resources only copies about.html
%pom_remove_plugin :maven-remote-resources-plugin
# packages module configs, we don't need those in minimal
%pom_remove_plugin -r :maven-assembly-plugin
# only useful when tests are enabled (copies test deps)
%pom_remove_plugin :maven-dependency-plugin jetty-client
# all modules besides the current jetty-unixsocket
%pom_disable_module jetty-ant
%pom_disable_module jetty-http2
%pom_disable_module jetty-fcgi
%pom_disable_module jetty-servlets
%pom_disable_module apache-jstl
%pom_disable_module jetty-maven-plugin
%pom_disable_module jetty-jspc-maven-plugin
%pom_disable_module jetty-deploy
%pom_disable_module jetty-start
%pom_disable_module jetty-cdi
%pom_disable_module jetty-spring
%pom_disable_module jetty-jaspi
%pom_disable_module jetty-rewrite
%pom_disable_module jetty-nosql
%pom_disable_module tests
%pom_disable_module examples
%pom_disable_module jetty-quickstart
%pom_disable_module jetty-distribution
%pom_disable_module jetty-runner
%pom_disable_module jetty-http-spi
%pom_disable_module jetty-alpn
%pom_disable_module jetty-home
%pom_disable_module jetty-websocket
# minimal modules built in jetty-minimal package
%pom_disable_module jetty-annotations
%pom_disable_module jetty-client
%pom_disable_module jetty-continuation
%pom_disable_module jetty-http
%pom_disable_module jetty-io
%pom_disable_module jetty-jaas
%pom_disable_module jetty-jmx
%pom_disable_module jetty-jndi
%pom_disable_module apache-jsp
%pom_disable_module jetty-openid
%pom_disable_module jetty-plus
%pom_disable_module jetty-proxy
%pom_disable_module jetty-security
%pom_disable_module jetty-server
%pom_disable_module jetty-servlet
%pom_disable_module jetty-util
%pom_disable_module jetty-util-ajax
%pom_disable_module jetty-xml
%pom_disable_module jetty-webapp
%{mvn_file} :{*} %{base_name}/@1
%build
%{mvn_package} :jetty-home __noinstall
%{mvn_package} :jetty-distribution __noinstall
# Separate package for POMs
%{mvn_package} ':*-project' __noinstall
%{mvn_package} ':*-parent' __noinstall
%{mvn_package} ':*-bom' __noinstall
# artifact used by demo
%{mvn_package} :test-mock-resources
%{mvn_package} ':test-*' __noinstall
%{mvn_package} ':*-tests' __noinstall
%{mvn_package} ':*-it' __noinstall
%{mvn_package} ':example-*' __noinstall
%{mvn_package} org.eclipse.jetty.tests: __noinstall
%{mvn_package} ::war: __noinstall
%{mvn_package} :jetty-runner __noinstall
%{mvn_package} :build-resources __noinstall
%{mvn_build} -f
%install
%mvn_install
%fdupes -s %{buildroot}%{_javadocdir}
%files -f .mfiles
%files javadoc -f .mfiles-javadoc
%license LICENSE NOTICE.txt
%changelog
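Review bot: The `sed` under "the default location is not allowed by SELinux" targets `jetty-home/src/main/resources%{_sysconfdir}/jetty-started.xml`, using an RPM macro for a path inside the unpacked source tree. That directory is literally `etc` upstream, so the command only finds its file while `%{_sysconfdir}` expands to `/etc`; the literal `jetty-home/src/main/resources/etc/jetty-started.xml` is the robust form. The jetty-minimal and jetty-websocket spec sections make the same substitution, with the literal path visible there as the old text. In this new spec the `jetty-home` module is also disabled further down in `%prep` (`%pom_disable_module jetty-home`), so the edit appears to have no effect on what is built and could be dropped along with the other steps copied from jetty-minimal that only touch disabled modules.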


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Mon Jul 19 06:58:23 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Update to version 9.4.43.v20210629
* Fix: bsc#1188438, CVE-2021-34429
* Changes:
+ Improve alias checking in PathResource
+ java.nio.ReadOnlyBufferException
+ Deprecate support for UTF16 encoding in URIs
+ Update to spifly 1.3.3
+ Update to asm 9.1
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jun 9 14:07:47 UTC 2021 - Fridrich Strba <fstrba@suse.com> Wed Jun 9 14:07:47 UTC 2021 - Fridrich Strba <fstrba@suse.com>


@ -1,5 +1,5 @@
# #
# spec file for package jetty-websocket # spec file
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2021 SUSE LLC
# Copyright (c) 2000-2007, JPackage Project # Copyright (c) 2000-2007, JPackage Project
@ -18,10 +18,10 @@
%global base_name jetty %global base_name jetty
%global addver .v20210604 %global addver .v20210629
%define src_name %{base_name}.project-%{base_name}-%{version}%{addver} %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
Name: %{base_name}-websocket Name: %{base_name}-websocket
Version: 9.4.42 Version: 9.4.43
Release: 0 Release: 0
Summary: The websocket modules for Jetty Summary: The websocket modules for Jetty
License: Apache-2.0 OR EPL-1.0 License: Apache-2.0 OR EPL-1.0
@ -209,7 +209,7 @@ rm -fr examples/embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors
# the default location is not allowed by SELinux # the default location is not allowed by SELinux
sed -i '/<SystemProperty name="jetty.state"/d' \ sed -i '/<SystemProperty name="jetty.state"/d' \
jetty-home/src/main/resources/etc/jetty-started.xml jetty-home/src/main/resources%{_sysconfdir}/jetty-started.xml
# remote-resources only copies about.html # remote-resources only copies about.html
%pom_remove_plugin :maven-remote-resources-plugin %pom_remove_plugin :maven-remote-resources-plugin


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f3c093fc83c7ddd45272e09e6a0a7f3101399f86d336d6840a0981c712f5cfe
size 19268823


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dc9ec605947b5cd0c4038a4e85b321408fd6992f99bda920cdf98d67d4a1e086
size 19275305