Hello community,

here is the log from the commit of package xml-security for openSUSE:Factory checked in at 2021-12-18 20:30:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xml-security (Old)
 and      /work/SRC/openSUSE:Factory/.xml-security.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xml-security" Sat Dec 18 20:30:06 2021 rev:2 rq:941287 version:2.1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/xml-security/xml-security.changes 2020-07-15 15:03:51.455342020 +0200 +++ /work/SRC/openSUSE:Factory/.xml-security.new.2520/xml-security.changes 2021-12-18 20:30:48.918261512 +0100 
@@ -1,0 +2,40 @@ +Fri Dec 17 18:37:54 UTC 2021 - Fridrich Strba <fst...@suse.com> + +- Upgrade to version 2.1.7 (bsc#1193879, CVE-2021-40690) +- Changes of 2.1.7 + * Improvement + + [SANTUARIO-572] - Disallow a KeyInfoReference to refer to a + RetrievalMethod + + [SANTUARIO-577] - Introduce a system property to control if + file/http references are allowed from an unsigned context +- Changes of 2.1.6 + * Bug + + [SANTUARIO-542] - SignatureProperties incorrectly gets sibling + nodes of the parent element, instead of the child elements + + [SANTUARIO-553] - JCE provider being resolved without key + causes wrong provider to be selected + + [SANTUARIO-556] - WeakHashMap cache cause infinite loop +- Changes of 2.1.5 + * Bug + + [SANTUARIO-508] - NPE in XMLSignatureInput + + [SANTUARIO-512] - security-config.xml is out of date + + [SANTUARIO-514] - XMLSignature processes KeyInfo elements + twice + + [SANTUARIO-515] - XMLSignature does not enforce structure of + the ds:Signature element + + [SANTUARIO-523] - XMLSecurityStreamReader ignores information + in XML document declaration + + [SANTUARIO-524] - Unable to pass Provider to HMAC + SignatureMethod + + [SANTUARIO-526] - XMLSecStartDocumentImpl returns null version + instead of default "1.0" +- Changes of 2.1.4 + * Fixes CVE-2019-12400: Apache Santuario potentially loads XML + parsing code from an untrusted source. + * Improvement + + [SANTUARIO-507] - Deprecate WeakObjectPool DocumentBuilder + cache + * Task + + [SANTUARIO-505] - Remove Doctypes from the streaming schemas + +------------------------------------------------------------------- Old: ---- xmlsec-2.1.3-source-release.zip New: ---- xmlsec-2.1.7-source-release.zip ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xml-security.spec ++++++ --- /var/tmp/diff_new_pack.I8N22J/_old 2021-12-18 20:30:49.662261925 +0100 +++ /var/tmp/diff_new_pack.I8N22J/_new 2021-12-18 20:30:49.666261927 +0100 
@@ -1,7 +1,7 @@ # # spec file for package xml-security # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,14 +17,14 @@ %global oname xmlsec -%global _version 2_1_3 +%global _version 2_1_7 Name: xml-security -Version: 2.1.3 +Version: 2.1.7 Release: 0 Summary: Apache XML Security for Java License: Apache-2.0 Group: Development/Libraries/Java -URL: http://santuario.apache.org/ +URL: https://santuario.apache.org/ Source0: https://archive.apache.org/dist/santuario/java-library/%{_version}/%{oname}-%{version}-source-release.zip BuildRequires: fdupes BuildRequires: maven-local @@ -58,10 +58,8 @@ %pom_remove_plugin :maven-pmd-plugin %pom_remove_plugin :maven-source-plugin -%pom_remove_dep :plexus-compiler-javac-errorprone -%pom_remove_dep :error_prone_core -%pom_xpath_remove pom:plugin/pom:configuration/pom:compilerId -%pom_xpath_remove pom:plugin/pom:configuration/pom:forceJavacCompilerUse +%pom_xpath_remove pom:plugin/pom:configuration/pom:compilerArgs +%pom_xpath_remove pom:plugin/pom:configuration/pom:annotationProcessorPaths %pom_xpath_remove pom:profiles
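Review bot: in the xml-security.changes hunk, bsc#1193879 and CVE-2021-40690 appear only on the "Upgrade to version 2.1.7" line, so a reader cannot tell which of the listed 2.1.7 items (SANTUARIO-572 or SANTUARIO-577) carries the fix. Suggest tagging the relevant item the same way the 2.1.4 section does with "Fixes CVE-2019-12400". Because the package moves from 2.1.3 straight to 2.1.7, CVE-2019-12400 is also newly fixed here; if a Bugzilla entry exists for it, list it in the header line next to CVE-2021-40690 so that security tracking picks it up. The SANTUARIO-577 item would also be more useful if it named the system property, since anyone who needs to set it has to look it up upstream.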
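Review bot: in the xml-security.spec hunk at @@ -17,14 +17,14 @@, the Source0 line pulls the release zip from archive.apache.org and is followed directly by BuildRequires, with no signature or keyring source beside it. If the spec does not carry these further down, consider adding the upstream detached signature and a keyring as additional sources so the tarball swap from 2.1.3 to 2.1.7 can be verified at build time. Separately, "%global _version 2_1_7" and "Version: 2.1.7" have to be bumped by hand in lockstep; deriving the underscore form from the version would remove the chance of the two drifting apart.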
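Review bot: in the xml-security.spec hunk at @@ -58,10 +58,8 @@, the two new removals use the unscoped path "pom:plugin/pom:configuration/pom:compilerArgs" (and the same form for annotationProcessorPaths), which matches the configuration of any plugin in the POM, not just the one intended. Suggest restricting the XPath to the target plugin by its artifactId and adding a one-line comment above the removals saying why they are needed, since the hunk drops the two "%pom_remove_dep" lines and the compilerId/forceJavacCompilerUse removals without explanation and the changelog entry does not mention the build change either.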