diff --git a/build.xml.tar.bz2 b/build.xml.tar.bz2
index 8b8bd96..bd7791a 100644
--- a/build.xml.tar.bz2
+++ b/build.xml.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:47fcab9d522d847ae071f634544b08f3067c577873d20968443e9058878100ce
-size 9111
+oid sha256:ddae17d67e1bbaf7f22546acc6e1005694ab067a36f5d8f26a67953d10c85e95
+size 9162
diff --git a/slf4j-Disallow-EventData-deserialization-by-default.patch b/slf4j-Disallow-EventData-deserialization-by-default.patch
deleted file mode 100644
index f732d5d..0000000
--- a/slf4j-Disallow-EventData-deserialization-by-default.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Index: slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-===================================================================
---- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-+++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-@@ -76,12 +76,21 @@ public class EventData implements Serial
- */
- @SuppressWarnings("unchecked")
- public EventData(String xml) {
-- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-- try {
-- XMLDecoder decoder = new XMLDecoder(bais);
-- this.eventData = (Map) decoder.readObject();
-- } catch (Exception e) {
-- throw new EventException("Error decoding " + xml, e);
-+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
-+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-+ try {
-+ XMLDecoder decoder = new XMLDecoder(bais);
-+ this.eventData = (Map) decoder.readObject();
-+ } catch (Exception e) {
-+ throw new EventException("Error decoding " + xml, e);
-+ }
-+ } else {
-+ throw new UnsupportedOperationException(
-+ "Constructing EventData from XML is vulnerable to remote " +
-+ "excution and is not allowed by default. If you're " +
-+ "completely sure the source data is trusted, you can enable " +
-+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
-+ "JVM property to 1");
- }
- }
-
-@@ -302,4 +311,4 @@ public class EventData implements Serial
- public int hashCode() {
- return this.eventData.hashCode();
- }
--}
-\ No newline at end of file
-+}
diff --git a/slf4j-sources.changes b/slf4j-sources.changes
index 0b75624..5caea88 100644
--- a/slf4j-sources.changes
+++ b/slf4j-sources.changes
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Feb 26 12:40:57 UTC 2020 - Fridrich Strba + +- Upgrade to upstream version 1.7.30 +- Removed patch: + * slf4j-Disallow-EventData-deserialization-by-default.patch + + not needed any more + ------------------------------------------------------------------- Wed Dec 18 09:09:30 UTC 2019 - Fridrich Strba diff --git a/slf4j-sources.spec b/slf4j-sources.spec index 3e2eae1..56c6b8e 100644 --- a/slf4j-sources.spec +++ b/slf4j-sources.spec @@ -1,7 +1,7 @@ # # spec file for package slf4j-sources # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # Copyright (c) 2000-2009, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -19,7 +19,7 @@ %global base_name slf4j Name: %{base_name}-sources -Version: 1.7.25 +Version: 1.7.30 Release: 0 Summary: SLF4J Source JARs # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT @@ -29,7 +29,6 @@ URL: http://www.slf4j.org/ Source0: https://github.com/qos-ch/%{base_name}/archive/v_%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt Patch2: slf4j-commons-lang3.patch -Patch3: slf4j-Disallow-EventData-deserialization-by-default.patch BuildRequires: javapackages-local BuildRequires: xmvn-install BuildRequires: xmvn-resolve @@ -44,7 +43,6 @@ SLF4J Source JARs. %prep %setup -q -n %{base_name}-v_%{version} %patch2 -p1 -%patch3 -p1 find . -name "*.jar" | xargs rm cp -p %{SOURCE1} APACHE-LICENSE diff --git a/slf4j.changes b/slf4j.changes index 0b75624..5caea88 100644 --- a/slf4j.changes +++ b/slf4j.changes 
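Review bot: Dropping `Patch3` and `%patch3 -p1` from slf4j-sources.spec removes the guard that made `EventData(String xml)` throw `UnsupportedOperationException` unless `org.slf4j.ext.allowInsecureDeserialization` is set to `1`. The only justification visible is the changelog line "not needed any more". Whether the 1.7.30 tarball ships an equivalent default-deny cannot be confirmed from this diff, so the changelog entry should name what replaces the patch, for example `+ not needed any more: EventData XML decoding is disabled by default upstream (<upstream release or commit>)`. The same removal is made in slf4j.spec, so the note applies there as well. Before merging, it is worth checking the unpacked `slf4j-ext/src/main/java/org/slf4j/ext/EventData.java` after `%prep` to confirm the XML string is no longer handed to `XMLDecoder` unconditionally.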
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Feb 26 12:40:57 UTC 2020 - Fridrich Strba + +- Upgrade to upstream version 1.7.30 +- Removed patch: + * slf4j-Disallow-EventData-deserialization-by-default.patch + + not needed any more + ------------------------------------------------------------------- Wed Dec 18 09:09:30 UTC 2019 - Fridrich Strba diff --git a/slf4j.spec b/slf4j.spec index c7b3211..7071dcd 100644 --- a/slf4j.spec +++ b/slf4j.spec @@ -1,7 +1,7 @@ # # spec file for package slf4j # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # Copyright (c) 2000-2009, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -18,7 +18,7 @@ Name: slf4j -Version: 1.7.25 +Version: 1.7.30 Release: 0 Summary: Simple Logging Facade for Java # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT @@ -30,7 +30,6 @@ Source1: http://www.apache.org/licenses/LICENSE-2.0.txt Source2: build.xml.tar.bz2 Patch1: build-remove-slf4j_api-binder.patch Patch2: slf4j-commons-lang3.patch -Patch3: slf4j-Disallow-EventData-deserialization-by-default.patch BuildRequires: ant >= 1.6.5 BuildRequires: ant-junit >= 1.6.5 BuildRequires: apache-commons-lang3 @@ -136,7 +135,6 @@ JUL to SLF4J bridge. %setup -q -n %{name}-v_%{version} -a2 %patch1 -p1 %patch2 -p1 -%patch3 -p1 find . -name "*.jar" | xargs rm cp -p %{SOURCE1} APACHE-LICENSE diff --git a/v_1.7.25.tar.gz b/v_1.7.25.tar.gz deleted file mode 100644 index 48bee62..0000000 --- a/v_1.7.25.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2a55d290775d6621fdac0e3b21e257707f8870dbc78c6ea3712ed6e68536ea51 -size 2273375 diff --git a/v_1.7.30.tar.gz b/v_1.7.30.tar.gz new file mode 100644 index 0000000..95aa88c --- /dev/null +++ b/v_1.7.30.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:217519588d0dd1f85cee2357ca31afdd7c0a1a8a6963953b3bf455cf5174633e
+size 2272772