Markus Koschany pushed to branch master at Debian Java Maintainers / lucene-solr
Commits:
00ec95ec by Markus Koschany at 2018-05-01T22:12:52+02:00
Fix FTBFS with Ant 1.10. Closes: #895797
- - - - -
73e05481 by Markus Koschany at 2018-05-01T23:11:52+02:00
Fix CVE-2018-1308
- - - - -
5b94faae by Markus Koschany at 2018-05-01T23:33:48+02:00
Declare compliance with Debian Policy 4.1.4.
- - - - -
1adb3376 by Markus Koschany at 2018-05-01T23:36:32+02:00
Update changelog
- - - - -
f0eed5c6 by Markus Koschany at 2018-05-02T00:00:07+02:00
Fix the import path to EmptyEntityResolver
- - - - -
5 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2018-1308.patch
- + debian/patches/ant-1.10.patch
- debian/patches/series
Changes:
===================================== debian/changelog =====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+lucene-solr (3.6.2+dfsg-12) unstable; urgency=high
+
+ * Team upload.
+ * Fix FTBFS with Ant 1.10. (Closes: #895797)
+ * Fix CVE-2018-1308. (Closes: #896604)
+ * Declare compliance with Debian Policy 4.1.4.
+
+ -- Markus Koschany <a...@debian.org> Tue, 01 May 2018 23:35:41 +0200
+
 lucene-solr (3.6.2+dfsg-11) unstable; urgency=medium
 * Team upload.
===================================== debian/control =====================================
--- a/debian/control
+++ b/debian/control
@@ -46,7 +46,7 @@ Build-Depends:
 libxml-commons-resolver1.1-java,
 maven-repo-helper (>= 1.5~),
 po-debconf
-Standards-Version: 4.1.3
+Standards-Version: 4.1.4
 Vcs-Git: https://anonscm.debian.org/git/pkg-java/lucene-solr.git
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/lucene-solr.git
 Homepage: http://lucene.apache.org
===================================== debian/patches/CVE-2018-1308.patch =====================================
--- /dev/null
+++ b/debian/patches/CVE-2018-1308.patch
@@ -0,0 +1,89 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 1 May 2018 23:11:09 +0200
+Subject: CVE-2018-1308
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
+Origin: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/02c693f3
+---
+ .../apache/solr/handler/dataimport/DataImporter.java | 13 +++++++++++--
+ .../solr/handler/dataimport/TestErrorHandling.java | 20 ++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
+index 4a69220..02912f0 100644
+--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
++++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
+@@ -17,6 +17,7 @@
+
+ package org.apache.solr.handler.dataimport;
+
++import org.apache.solr.util.EmptyEntityResolver;
+ import org.apache.solr.common.SolrException;
+ import org.apache.solr.common.SolrInputDocument;
+ import org.apache.solr.core.SolrConfig;
+@@ -196,8 +197,10 @@ public class DataImporter {
+
+ try {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
++ dbf.setValidating(false);
+
+- // only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise)
++ // only enable xinclude, if XML is coming from safe source (local file)
++ // and a a SolrCore and SystemId is present (makes no sense otherwise):
+ if (core != null && configFile.getSystemId() != null) {
+ try {
+ dbf.setXIncludeAware(true);
+@@ -208,8 +211,14 @@ public class DataImporter {
+ }
+
+ DocumentBuilder builder = dbf.newDocumentBuilder();
+- if (core != null)
++ // only enable xinclude / external entities, if XML is coming from
++ // safe source (local file) and a a SolrCore and SystemId is present:
++ if (core != null && configFile.getSystemId() != null) {
+ builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader()));
++ } else {
++ // Don't allow external entities without having a system ID:
++ builder.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
++ }
+ builder.setErrorHandler(XMLLOG);
+ Document document;
+ try {
+diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
+index 64f58df..c75e07c 100644
+--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
++++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
+@@ -76,6 +76,13 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
+ assertQ(req("*:*"), "//*[@numFound='3']");
+ }
+
++ public void testExternalEntity() throws Exception {
++ StringDataSource.xml = wellformedXml;
++ // This should not fail as external entities are replaced by an empty string during parsing:
++ runFullImport(dataConfigWithEntity);
++ assertQ(req("*:*"), "//*[@numFound='3']");
++ }
++
+ public static class StringDataSource extends DataSource<Reader> {
+ public static String xml = "";
+
+@@ -144,6 +151,19 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
+ " </document>\n" +
+ "</dataConfig>";
+
++ private String dataConfigWithEntity = "<!DOCTYPE dataConfig [\n" +
++ " <!ENTITY internalTerm \"node\">\n" +
++ " <!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" +
++ "]><dataConfig>\n" +
++ " <dataSource name=\"str\" type=\"TestErrorHandling$StringDataSource\" />" +
++ " <document>\n" +
++ " <entity name=\"&internalTerm;\" dataSource=\"str\" processor=\"XPathEntityProcessor\" url=\"test\" forEach=\"/root/node\" onError=\"skip\">\n" +
++ " <field column=\"id\" xpath=\"/root/node/id\">&externalTerm;</field>\n" +
++ " <field column=\"desc\" xpath=\"/root/node/desc\" />\n" +
++ " </entity>\n" +
++ " </document>\n" +
++ "</dataConfig>";
++
+ private String malformedXml = "<root>\n" +
+ " <node>\n" +
+ " <id>1</id>\n" +
===================================== debian/patches/ant-1.10.patch =====================================
--- /dev/null
+++ b/debian/patches/ant-1.10.patch
@@ -0,0 +1,32 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 1 May 2018 22:12:27 +0200
+Subject: ant 1.10
+
+---
+ .../java/org/apache/lucene/util/LuceneJUnitDividingSelector.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java b/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
+index 5a9509c..beecebe 100644
+--- a/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
++++ b/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
+@@ -21,6 +21,7 @@ import java.io.File;
+ import org.apache.tools.ant.BuildException;
+ import org.apache.tools.ant.types.Parameter;
+ import org.apache.tools.ant.types.selectors.BaseExtendSelector;
++import org.apache.tools.ant.types.Resource;
+
+ /** Divides filesets into equal groups */
+ public class LuceneJUnitDividingSelector extends BaseExtendSelector {
+@@ -30,6 +31,11 @@ public class LuceneJUnitDividingSelector extends BaseExtendSelector {
+ /** Current part to accept. */
+ private int part;
+
++ @Override
++ public boolean isSelected(Resource r) {
++ return false;
++ }
++
+ @Override
+ public void setParameters(Parameter[] pParameters) {
+ super.setParameters(pParameters);
===================================== debian/patches/series =====================================
--- a/debian/patches/series
+++ b/debian/patches/series
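Review bot: In the new `else` branch of DataImporter the only hardening is the resolver swap; `dbf` still processes a DOCTYPE with internal entities, and `dbf.setValidating(false)` restates the `DocumentBuilderFactory` default, so that line adds nothing on its own. Disabling DOCTYPE is not an option on this path because the new `testExternalEntity` depends on `&internalTerm;` expanding, but the comment should make the residual surface explicit so a later reader does not assume the parser is fully locked down, e.g. `// Don't allow external entities without having a system ID. The DTD itself is still processed, so internal entities expand, bounded only by whatever entity-expansion limits the JDK applies by default.` Whether the `core != null` but `getSystemId() == null` case, which previously received a `SystemIdResolver` and now receives the empty resolver, is reachable from a request-supplied config in 3.6.2 is not visible here and is worth confirming against the callers. The enclosing method starts and ends outside the hunk.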
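Review bot: The new `isSelected(Resource r)` in LuceneJUnitDividingSelector unconditionally returns `false`, so if Ant ever drives this selector through the `Resource` API instead of the `File` one, every test resource is silently deselected and the divide-by-part logic (implemented in the `File`-based `isSelected`, outside the hunk) never runs. If the override exists only to satisfy the abstract method Ant 1.10 added, a comment should say so; better, delegate for file-backed resources so both entry points agree. The fence below assumes the `File`-based overload keeps the standard `isSelected(File, String, File)` signature and would need an import of `org.apache.tools.ant.types.resources.FileProvider`; `java.io.File` is already imported. The class continues outside the hunk.
```java
  @Override
  public boolean isSelected(Resource r) {
    // Ant 1.10 made the Resource overload abstract; only file-backed
    // resources can be divided, anything else is left out.
    FileProvider fp = r.as(FileProvider.class);
    if (fp == null) {
      return false;
    }
    File f = fp.getFile();
    return isSelected(f.getParentFile(), f.getName(), f);
  }
  // … unchanged: setParameters …
```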
@@ -14,3 +14,5 @@ java8-compatibility.patch
 CVE-2017-12629.patch
 remove-RunExecutableListener.patch
 CVE-2017-3163.patch
+ant-1.10.patch
+CVE-2018-1308.patch
View it on GitLab: https://salsa.debian.org/java-team/lucene-solr/compare/52e6fc0e18861a28a211db793891c6ef1f83e9c5...f0eed5c6abc8816fea34b68db2d546befcd72c6a
---
View it on GitLab: https://salsa.debian.org/java-team/lucene-solr/compare/52e6fc0e18861a28a211db793891c6ef1f83e9c5...f0eed5c6abc8816fea34b68db2d546befcd72c6a
You're receiving this email because of your account on salsa.debian.org.