[ https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16779324#comment-16779324 ]
James E. King III commented on THRIFT-4506:
-------------------------------------------

All I did was take 0.9.3 and apply 7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23 for SASL, and apply the following diff, and follow the instructions I posted above for getting it to publish to maven central.

{noformat}
jking@ubuntu:~/0.9.3.1$ git diff HEAD
diff --git a/configure.ac b/configure.ac index 18e32334..316fb3d1 100755 --- a/configure.ac +++ b/configure.ac @@ -553,20 +553,6 @@ AC_CHECK_LIB(rt, clock_gettime) AC_CHECK_LIB(socket, setsockopt) if test "$have_cpp" = "yes" ; then -# mingw toolchain used to build "Thrift Compiler for Windows" -# does not support libcrypto, so we just check if we building the cpp library -AC_CHECK_LIB(crypto, - BN_init, - [AC_CHECK_LIB(ssl, - SSL_ctrl, - [LIBS="-lssl -lcrypto $LIBS"], - [AC_MSG_ERROR(["Error: libssl required"])], - -lcrypto - )], - [AC_MSG_ERROR(["Error: libcrypto required."])] -) -fi - AC_TYPE_INT16_T AC_TYPE_INT32_T AC_TYPE_INT64_T diff --git a/lib/java/build.properties b/lib/java/build.properties index abe1c10d..2eef66b4 100644 --- a/lib/java/build.properties +++ b/lib/java/build.properties @@ -1,10 +1,7 @@ -thrift.version=0.9.3 +thrift.version=0.9.3-1 thrift.groupid=org.apache.thrift release=true -# Jar Versions -mvn.ant.task.version=2.1.3 - # Local Install paths install.path=/usr/local/lib install.javadoc.path=${install.path} diff --git a/lib/java/build.xml b/lib/java/build.xml index 679142e9..24628df9 100755 --- a/lib/java/build.xml +++ b/lib/java/build.xml 
@@ -325,10 +325,10 @@ <remoteRepository refid="central"/> <remoteRepository refid="apache"/> <license name="The Apache Software License, Version 2.0" url="${license}"/> - <scm connection="scm:git:https://git-wip-us.apache.org/repos/asf/thrift.git" - developerConnection="scm:git:https://git-wip-us.apache.org/repos/asf/thrift.git" - url="https://git-wip-us.apache.org/repos/asf?p=thrift.git" - /> + <scm connection="scm:git:https://github.com/apache/thrift.git" + developerConnection="scm:git:https://github.com/apache/thrift.git" + url="https://github.com/apache/thrift" /> + <!-- Thrift Developers --> <developer id="mcslee" name="Mark Slee"/> <developer id="dreiss" name="David Reiss"/> @@ -390,7 +390,8 @@ <attribute name="packaging" default="jar"/> <attribute name="pom" default=""/> <sequential> - <artifact:mvn fork="true"> + <artifact:mvn fork="true" mavenHome="/usr/local/apache-maven-3.6.0"> + <jvmarg value="-Dmaven.multiModuleProjectDirectory=/usr/local/apache-maven-3.6.0"/> <arg value="org.apache.maven.plugins:maven-gpg-plugin:1.6:sign-and-deploy-file"/> <arg value="-DrepositoryId=${maven-repository-id}"/> <arg value="-Durl=${maven-repository-url}"/> 
@@ -403,7 +404,7 @@ </sequential> </macrodef> - <target name="publish" depends="clean,init,test,dist,javadoc,pack.src"> + <target name="publish" depends="clean,init,compile,dist,javadoc,pack.src"> <!-- Compile, package, test and then send release to apache maven repo --> <!-- run with: ant -Drelease=true publish--> <signAndDeploy file="${pom.xml}" packaging="pom" classifier="" pom="${pom.xml}"/>
{noformat}

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
> ------------------------------------------------------------------------------------------
>
> Key: THRIFT-4506
> URL: https://issues.apache.org/jira/browse/THRIFT-4506
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.5
> Reporter: James E. King III
> Assignee: James E. King III
> Priority: Minor
> Labels: SASL, security
> Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be processed in debug builds, at https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
> The preceding while loop can be changed to guarantee this assertion in all builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
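
Review bot: In the configure.ac hunk (@@ -553,20 +553,6 @@) the removed lines include the closing `fi`, while the opening `if test "$have_cpp" = "yes" ; then` stays as unchanged context, so the conditional loses its terminator here and the `AC_TYPE_INT16_T` checks that follow now fall inside it. Either remove the `if` line together with the block or keep the `fi`. Dropping the libcrypto/libssl probe also means configure no longer adds `-lssl -lcrypto` to `LIBS` or stops early when they are missing; if that is intended for this release, state it in the commit message.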
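
Review bot: In lib/java/build.xml (@@ -390,7 +390,8 @@) the added `mavenHome="/usr/local/apache-maven-3.6.0"` and the matching `-Dmaven.multiModuleProjectDirectory=/usr/local/apache-maven-3.6.0` jvmarg hard-code one machine's Maven install path into the macro that runs `maven-gpg-plugin:1.6:sign-and-deploy-file`. Read the path from an Ant property that can be set in build.properties or on the command line, so the signing and deploy step can be repeated by another release manager and the Maven version used to publish is recorded in one place.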
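
Review bot: In lib/java/build.xml (@@ -403,7 +404,7 @@) replacing `test` with `compile` in the `publish` target's `depends` means the artifacts are signed and deployed without the test suite having run, while the comment directly below still reads "Compile, package, test and then send release to apache maven repo". For a release that carries a security fix, keep `test` in the dependency list; if the tests cannot run on this branch, update the comment and record the reason.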