Hello community,

here is the log from the commit of package log4j12 for openSUSE:Factory checked 
in at 2022-01-21 01:25:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/log4j12 (Old)
 and      /work/SRC/openSUSE:Factory/.log4j12.new.1938 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "log4j12"

Fri Jan 21 01:25:14 2022 rev:7 rq:947662 version:1.2.17

Changes:
--------
--- /work/SRC/openSUSE:Factory/log4j12/log4j12.changes  2022-01-07 
12:45:04.815791254 +0100
+++ /work/SRC/openSUSE:Factory/.log4j12.new.1938/log4j12.changes        
2022-01-21 01:25:37.902500180 +0100
@@ -1,0 +2,15 @@
+Wed Jan 19 10:24:21 UTC 2022 - Fridrich Strba <fst...@suse.com>
+
+- Remove the chainsaw sub-package (bsc#1194844, CVE-2022-23307)
+- Remove src/main/java/org/apache/log4j/jdbc/JDBCAppender.java from
+  the build to mitigate bsc#1194843, CVE-2022-23305
+- Remove src/main/java/org/apache/log4j/net/JMSSink.java from the
+  build to mitigate bsc#1194842, CVE-2022-23302
+- Obsolete chainsaw < 2.1 by the log4j12 package
+- Added patch:
+  * log4j12-missingmodules.patch
+    + do not package org.apache.log4j.chainsaw classes
+    + package org.apache.log4j.pattern classes that will be needed
+      by apache-log4j-extras which is a dependency of chainsaw 2.x
+
+-------------------------------------------------------------------

Old:
----
  log4j-chainsaw.desktop
  log4j-chainsaw.png
  log4j-chainsaw.sh

New:
----
  log4j12-missingmodules.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ log4j12.spec ++++++
--- /var/tmp/diff_new_pack.nASoxm/_old  2022-01-21 01:25:38.378496917 +0100
+++ /var/tmp/diff_new_pack.nASoxm/_new  2022-01-21 01:25:38.386496862 +0100
@@ -26,8 +26,8 @@
 Version:        1.2.17
 Release:        0
 Summary:        Java logging tool
-Group:          Development/Libraries/Java
 License:        Apache-2.0
+Group:          Development/Libraries/Java
 URL:            https://logging.apache.org/log4j/
 Source0:        
http://www.apache.org/dist/logging/log4j/%{version}/log4j-%{version}.tar.gz
 # Converted from src/java/org/apache/log4j/lf5/viewer/images/lf5_small_icon.gif
@@ -35,9 +35,6 @@
 Source2:        log4j-logfactor5.sh
 Source3:        log4j-logfactor5.desktop
 # Converted from docs/images/logo.jpg
-Source4:        log4j-chainsaw.png
-Source5:        log4j-chainsaw.sh
-Source6:        log4j-chainsaw.desktop
 Source7:        log4j.catalog
 Patch0:         log4j-logfactor5-userdir.patch
 Patch1:         log4j-javadoc-xlink.patch
@@ -48,6 +45,7 @@
 Patch4:         log4j-CVE-2019-17571.patch
 # PATCH-FIX-OPENSUSE -- add bundle manifest
 Patch5:         log4j12-bundle_manifest.patch
+Patch6:         log4j12-missingmodules.patch
 BuildRequires:  ant
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 1.8
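Review bot: `Patch6` is added without a patch-tag comment of its own, so it reads as if the `# PATCH-FIX-OPENSUSE -- add bundle manifest` line above `Patch5` also covers it. Since this patch is what keeps the chainsaw classes out of the shipped jar, I would put its purpose and tracking ids directly above it, for example `# PATCH-FIX-OPENSUSE bsc#1194844 CVE-2022-23307 -- do not package chainsaw classes, package org.apache.log4j.pattern`. That keeps the security rationale discoverable from the spec without reading the changes file.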
@@ -59,6 +57,7 @@
 Requires:       jaxp_parser_impl
 Requires:       xml-apis
 Requires(pre):  coreutils
+Obsoletes:      chainsaw < 2.1
 Obsoletes:      log4j < 1.3
 Obsoletes:      log4j-mini < 1.3
 BuildArch:      noarch
@@ -98,18 +97,9 @@
 %description    javadoc
 Documentation javadoc for Java logging tool log4j.
 
-%package      -n chainsaw
-Group:          Development/Tools/Navigators
-URL:            https://logging.apache.org/chainsaw/
-Summary:        Log Viewer GUI
-Requires:       log4j12
-
-%description -n chainsaw
-A GUI-based Log viewer mainly for use with log4j.
-
 %package      -n logfactor5
-Group:          Development/Tools/Navigators
 Summary:        Log Viewer GUI
+Group:          Development/Tools/Navigators
 
 %description -n logfactor5
 LogFactor5 is a Swing based GUI to view log4j logs.
@@ -125,6 +115,7 @@
 %if %{without bootstrap}
 %patch5 -p1
 %endif
+%patch6 -p1
 
 sed -i 's/\r//g' LICENSE NOTICE src/site/resources/css/*.css
 
@@ -138,7 +129,12 @@
     mv new "$i"
 done
 
-rm -f src/main/java/org/apache/log4j/net/JMSAppender.java
+# Avoid exploits CVE-2021-4104 [bsc#1193662],
+# CVE-2022-23302 [bsc#1194842] and CVE-2022-23305 [bsc#1194843]
+rm -f \
+  src/main/java/org/apache/log4j/net/JMSAppender.java \
+  src/main/java/org/apache/log4j/net/JMSSink.java \
+  src/main/java/org/apache/log4j/jdbc/JDBCAppender.java
 
 %build
 %{ant} \
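Review bot: `rm -f` exits successfully when a path does not exist, so if any of these three files moves or is renamed in a later source update, the affected class would be compiled and shipped again without the build noticing. Dropping `-f` (first line becomes `rm \`) would make %prep fail in that case, assuming the scriptlet runs with errexit as rpmbuild normally does; the %prep section itself starts outside this hunk. The comment would also be easier to audit if it mapped each file to its id, which going by the changes entry is `# JMSSink: CVE-2022-23302, JDBCAppender: CVE-2022-23305`, leaving CVE-2021-4104 for JMSAppender. A configuration that still names one of these appenders will presumably fail to load the class at runtime, which is worth stating in the package description or changes entry.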
@@ -178,21 +174,15 @@
 # scripts
 mkdir -p %{buildroot}%{_bindir}
 install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/logfactor5
-install -p -m 755 %{SOURCE5} %{buildroot}%{_bindir}/chainsaw
 # freedesktop.org menu entries and icons
 mkdir -p %{buildroot}%{_datadir}/{applications,pixmaps}
 cp -a %{SOURCE1} \
   %{buildroot}%{_datadir}/pixmaps/logfactor5.png
 cp -a %{SOURCE3} \
   %{buildroot}%{_datadir}/applications/jpackage-logfactor5.desktop
-cp -a %{SOURCE4} \
-  %{buildroot}%{_datadir}/pixmaps/chainsaw.png
-cp -a %{SOURCE6} \
-  %{buildroot}%{_datadir}/applications/jpackage-chainsaw.desktop
 # fix perl location
 perl -p -i -e 's|/opt/perl5/bin/perl|perl|' \
 contribs/KitchingSimon/udpserver.pl
-%suse_update_desktop_file jpackage-chainsaw Development Debugger
 %suse_update_desktop_file jpackage-logfactor5 Development Debugger
 
 %endif
@@ -248,11 +238,6 @@
 %dir %{_javadocdir}/%{name}
 %{_javadocdir}/%{name}/*
 
-%files -n chainsaw
-%{_bindir}/chainsaw
-%{_datadir}/applications/jpackage-chainsaw.desktop
-%{_datadir}/pixmaps/chainsaw.png
-
 %files -n logfactor5
 %{_bindir}/logfactor5
 %{_datadir}/applications/jpackage-logfactor5.desktop


++++++ log4j-logfactor5.sh ++++++
--- /var/tmp/diff_new_pack.nASoxm/_old  2022-01-21 01:25:38.446496451 +0100
+++ /var/tmp/diff_new_pack.nASoxm/_new  2022-01-21 01:25:38.450496423 +0100
@@ -15,7 +15,7 @@
 
 # Configuration
 MAIN_CLASS=org.apache.log4j.lf5.StartLogFactor5
-BASE_JARS="log4j xml-commons-apis jaxp_parser_impl"
+BASE_JARS="log4j12 xml-commons-apis jaxp_parser_impl"
 
 # Set parameters
 set_jvm

++++++ log4j12-missingmodules.patch ++++++
--- apache-log4j-1.2.17.orig/build.xml  2022-01-19 09:50:55.505497157 +0100
+++ apache-log4j-1.2.17/build.xml       2022-01-19 09:52:22.382027825 +0100
@@ -420,7 +420,7 @@
                    ${stem}/net/*.class,
                    ${stem}/jdbc/*.class,
                    ${stem}/varia/*.class,
-                   ${stem}/chainsaw/*.class,
+                   ${stem}/pattern/*.class,
                    ${stem}/lf5/**/*.class,
                    ${stem}/lf5/**/*.properties,
                    ${stem}/lf5/**/*.gif,
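Review bot: The chainsaw classes are kept out of the jar only by dropping `${stem}/chainsaw/*.class` from this include list (and `org.apache.log4j.chainsaw` from the javadoc package list in the second hunk), whereas the JMS and JDBC classes are removed from the source tree in %prep. Whether the chainsaw sources are still compiled, or matched by another include pattern, cannot be seen here, because the enclosing jar and javadoc tasks start and end outside both hunks. For CVE-2022-23307 I would either delete the chainsaw source directory in %prep as well, or add a post-build check that the built jar has no `org/apache/log4j/chainsaw/` entries, so a later build.xml change cannot silently reintroduce them.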
@@ -490,7 +490,7 @@
                            org.apache.log4j.performance,
                            org.apache.log4j.spi,
                            org.apache.log4j.varia,
-                           org.apache.log4j.chainsaw,
+                           org.apache.log4j.pattern,
                            org.apache.log4j.xml,
                            org.apache.log4j.xml.examples"
              version="true"
