[ 
https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16779324#comment-16779324
 ] 

James E. King III commented on THRIFT-4506:
-------------------------------------------

All I did was take 0.9.3 and apply 7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23 for 
SASL, and apply the following diff, and follow the instructions I posted above 
for getting it to publish to maven central.
{noformat}
jking@ubuntu:~/0.9.3.1$ git diff HEAD
diff --git a/configure.ac b/configure.ac
index 18e32334..316fb3d1 100755
--- a/configure.ac
+++ b/configure.ac
@@ -553,20 +553,6 @@ AC_CHECK_LIB(rt, clock_gettime)
AC_CHECK_LIB(socket, setsockopt)

if test "$have_cpp" = "yes" ; then
-# mingw toolchain used to build "Thrift Compiler for Windows"
-# does not support libcrypto, so we just check if we building the cpp library
-AC_CHECK_LIB(crypto,
- BN_init,
- [AC_CHECK_LIB(ssl,
- SSL_ctrl,
- [LIBS="-lssl -lcrypto $LIBS"],
- [AC_MSG_ERROR(["Error: libssl required"])],
- -lcrypto
- )],
- [AC_MSG_ERROR(["Error: libcrypto required."])]
-)
-fi
-
AC_TYPE_INT16_T
AC_TYPE_INT32_T
AC_TYPE_INT64_T
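Review bot: The removed lines include the closing `fi`, but the opening `if test "$have_cpp" = "yes" ; then` on the context line above is kept, so after this hunk the conditional looks unbalanced and the generated configure script would likely fail with a syntax error unless a later `fi` outside the hunk happens to close it. Dropping the libcrypto/libssl probe also means a C++ library build no longer fails early when the TLS libraries are missing, which is a local workaround rather than something to carry on a release branch. If the goal is only to publish the Java library, leaving the probe intact and disabling the C++ library at configure time is the safer route; otherwise the `if` line has to go together with its `fi`, e.g. `-if test "$have_cpp" = "yes" ; then`.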
diff --git a/lib/java/build.properties b/lib/java/build.properties
index abe1c10d..2eef66b4 100644
--- a/lib/java/build.properties
+++ b/lib/java/build.properties
@@ -1,10 +1,7 @@
-thrift.version=0.9.3
+thrift.version=0.9.3-1
thrift.groupid=org.apache.thrift
release=true

-# Jar Versions
-mvn.ant.task.version=2.1.3
-
# Local Install paths
install.path=/usr/local/lib
install.javadoc.path=${install.path}
diff --git a/lib/java/build.xml b/lib/java/build.xml
index 679142e9..24628df9 100755
--- a/lib/java/build.xml
+++ b/lib/java/build.xml
@@ -325,10 +325,10 @@
<remoteRepository refid="central"/>
<remoteRepository refid="apache"/>
<license name="The Apache Software License, Version 2.0" url="${license}"/>
- <scm connection="scm:git:https://git-wip-us.apache.org/repos/asf/thrift.git";
- 
developerConnection="scm:git:https://git-wip-us.apache.org/repos/asf/thrift.git";
- url="https://git-wip-us.apache.org/repos/asf?p=thrift.git";
- />
+ <scm connection="scm:git:https://github.com/apache/thrift.git";
+ developerConnection="scm:git:https://github.com/apache/thrift.git";
+ url="https://github.com/apache/thrift"; />
+
<!-- Thrift Developers -->
<developer id="mcslee" name="Mark Slee"/>
<developer id="dreiss" name="David Reiss"/>
@@ -390,7 +390,8 @@
<attribute name="packaging" default="jar"/>
<attribute name="pom" default=""/>
<sequential>
- <artifact:mvn fork="true">
+ <artifact:mvn fork="true" mavenHome="/usr/local/apache-maven-3.6.0">
+ <jvmarg 
value="-Dmaven.multiModuleProjectDirectory=/usr/local/apache-maven-3.6.0"/>
<arg 
value="org.apache.maven.plugins:maven-gpg-plugin:1.6:sign-and-deploy-file"/>
<arg value="-DrepositoryId=${maven-repository-id}"/>
<arg value="-Durl=${maven-repository-url}"/>
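Review bot: `mavenHome="/usr/local/apache-maven-3.6.0"` and the matching `-Dmaven.multiModuleProjectDirectory=` value bake one machine's install path into build.xml, so the signAndDeploy macro only works on that host and the change is not reproducible for other release managers. As far as I know the multi-module project directory property is meant to point at the project root rather than the Maven installation, so the two values should not share one path in any case. Read the Maven home from a property with a default, `mavenHome="${maven.home}"`, and pass `value="-Dmaven.multiModuleProjectDirectory=${basedir}"`; the enclosing `<sequential>` and its macrodef begin before this hunk.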
@@ -403,7 +404,7 @@
</sequential>
</macrodef>

- <target name="publish" depends="clean,init,test,dist,javadoc,pack.src">
+ <target name="publish" depends="clean,init,compile,dist,javadoc,pack.src">
<!-- Compile, package, test and then send release to apache maven repo -->
<!-- run with: ant -Drelease=true publish-->
<signAndDeploy file="${pom.xml}" packaging="pom" classifier="" 
pom="${pom.xml}"/>
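Review bot: Replacing `test` with `compile` in the publish target's `depends` means the artifacts are signed and deployed without the test suite having run, while the comment on the next line still promises "Compile, package, test and then send release". For a release carrying the SASL fix tracked in this issue that is a notable gap, and a publish that skips tests should say so explicitly rather than silently. Restore `depends="clean,init,test,dist,javadoc,pack.src"`, or if the tests cannot run in this environment, keep the dependency and gate them behind an explicit property, updating the comment to match. The `publish` target continues past the end of the hunk.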
{noformat}

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in 
> release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be 
> processed in debug builds, at 
> https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
>   The preceding while loop can be changed to guarantee this assertion in all 
> builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320


