date:20220719

Build failed in Jenkins: ManifoldCF » ManifoldCF-ant #58

2022-07-19 Thread Apache Jenkins Server

See 


Changes:

[Julien Massiera] CONNECTORS-1721: Confluence v6 does not distinguish 404 errors


--
[...truncated 620.63 KB...]

webapp-api-service:

war-api-service:

compile-less-compiler:

less-compiler-invocation:

compile-crawler-ui:

webapp-crawler-ui:
 [copy] Copying 2 files to 


war-crawler-ui:
  [war] Building war: 


compile-combined-service:

webapp-combined-service:
 [copy] Copying 2 files to 


war-combined-service:
  [war] Building war: 


wars:
 [copy] Copying 2 files to 


webapp-authority-service-proprietary:
 [copy] Copying 3 files to 


war-authority-service-proprietary:
  [war] Building war: 


webapp-api-service-proprietary:
 [copy] Copying 3 files to 


war-api-service-proprietary:
  [war] Building war: 


webapp-crawler-ui-proprietary:
 [copy] Copying 3 files to 

 [copy] Copying 2 files to 


war-crawler-ui-proprietary:
  [war] Building war: 


webapp-combined-service-proprietary:
 [copy] Copying 3 files to 


war-combined-service-proprietary:
  [war] Building war: 


wars-proprietary:
 [copy] Copying 4 files to 


compile-connector-common:

jar-connector-common:

connector-common-lib:

example-common:

script-engine:

preclean-engine-processes:
   [delete] Deleting: 

   [delete] Deleting: 


scripts-common:

scripts-engine:
 [copy] Copying 2 files to 


compile-core:

jar-core:

compile-ui-core:

jar-ui-core:

compile-agents:

jar-agents:

compile-pull-agent:

jar-pull-agent:

compile-jetty-runner:

jar-jetty-runner:

compile-script-engine:

jar-script-engine:

lib:

engine-lib-classpath:

setup-engine-processes:

general-set-engine-classpath:

obfuscation-utility:

preclean-obfuscate-processes:
   [delete] Deleting: 

   [delete] Deleting: 


scripts-common:

scripts-obfuscate:
 [copy] Copying 2 files to 


compile-core:

jar-core:

compile-ui-core:

jar-ui-core:

compile-agents:

jar-agents:

compile-pull-agent:

jar-pull-agent:

compile-jetty-runner:

jar-jetty-runner:

compile-script-engine:

jar-script-engine:

lib:

obfuscate-lib-classpath:

setup-obfuscate-processes:

general-set-obfuscate-classpath:

file-resources:

buildfiles:

compile-core-tests:

jar-core-tests:

compile-agents-tests:

jar-agents-tests:

compile-pull-agent-tests:

jar-pull-agent-tests:

compile-script-engine-tests:

jar-script-engine-tests:

jar-tests:

test-lib:

build:

deliver-framework:
 [copy] Copying 2 files to

[jira] [Commented] (CONNECTORS-1722) remove xalan dependency due to it being end of life

2022-07-19 Thread Karl Wright (Jira)



[ 
https://issues.apache.org/jira/browse/CONNECTORS-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17568746#comment-17568746
 ] 

Karl Wright commented on CONNECTORS-1722:
-

Xalan is a downstream dependency of many libraries referenced by ManifoldCF 
connectors.  Try mvn dependency:tree to see these.

If the java runtime contains it as stated, please suggest a TESTED patch for 
changing the necessary build.xml downloads and references.



> remove xalan dependency due to it being end of life
> ---
>
> Key: CONNECTORS-1722
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1722
> Project: ManifoldCF
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>
> Xalan is no longer supported.
> https://lists.apache.org/thread/s8kjny5270ssfcp46v0fl39lk98987w7
> It is better to use JAXP TransformerFactory than using xalan directly. If you 
> add xalan dependency just to ensure that you have a JAXP compliant 
> transformer on the classpath, this is unnecessary - the Java runtime has a 
> built-in implementation.
> See https://github.com/apache/manifoldcf/pull/130



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (CONNECTORS-1722) remove xalan dependency due to it being end of life

2022-07-19 Thread PJ Fanning (Jira)

PJ Fanning created CONNECTORS-1722:
--

 Summary: remove xalan dependency due to it being end of life
 Key: CONNECTORS-1722
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1722
 Project: ManifoldCF
  Issue Type: Improvement
Reporter: PJ Fanning


Xalan is no longer supported.

https://lists.apache.org/thread/s8kjny5270ssfcp46v0fl39lk98987w7

It is better to use JAXP TransformerFactory than using xalan directly. If you 
add xalan dependency just to ensure that you have a JAXP compliant transformer 
on the classpath, this is unnecessary - the Java runtime has a built-in 
implementation.

See https://github.com/apache/manifoldcf/pull/130



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Resolved] (CONNECTORS-1721) Confluence v6 does not distinguish 404 errors

2022-07-19 Thread Julien Massiera (Jira)



 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1721?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julien Massiera resolved CONNECTORS-1721.
-
Fix Version/s: ManifoldCF 2.23
   Resolution: Fixed

r1902854

> Confluence v6 does not distinguish 404 errors
> -
>
> Key: CONNECTORS-1721
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1721
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: Confluence connector
>Affects Versions: ManifoldCF 2.22
>Reporter: Julien Massiera
>Assignee: Julien Massiera
>Priority: Major
> Fix For: ManifoldCF 2.23
>
>
> The ConfluenceV6 connector does not distinguish 404 errors from others. It is 
> problematic concerning the authority because the 404 error corresponds to a 
> "user not found" response instead of a "dead authority"
> The connector must correctly handle the 404 errors



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (CONNECTORS-1721) Confluence v6 does not distinguish 404 errors

2022-07-19 Thread Julien Massiera (Jira)

Julien Massiera created CONNECTORS-1721:
---

 Summary: Confluence v6 does not distinguish 404 errors
 Key: CONNECTORS-1721
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1721
 Project: ManifoldCF
  Issue Type: Improvement
  Components: Confluence connector
Affects Versions: ManifoldCF 2.22
Reporter: Julien Massiera
Assignee: Julien Massiera


The ConfluenceV6 connector does not distinguish 404 errors from others. It is 
problematic concerning the authority because the 404 error corresponds to a 
"user not found" response instead of a "dead authority"

The connector must correctly handle the 404 errors



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Re: Vulnerable log4j Versions

2022-07-19 Thread Karl Wright

We updated log4j four times in December/January.  The first two times
seemed warranted, although limited even then because the UI and API for an
ManifoldCF instance are not ever available on the open internet.  The last
two were a stretch to think they could cause any problems in our
environment, but we upgraded anyway.

We will be updating log4j on every release for the next few years because
logging systems are now under quite a microscope and we get asked this
question all the time.  We also get told that many of our library
dependencies have critical CVEs, e.g. Axis, but once again the scenarios in
these CVEs cannot occur in our environment, and furthermore, there is no
Axis upgrade possible.  So it is up to individual users to decide whether
the existence of a CVE is meaningful to them.

Karl

On Tue, Jul 19, 2022 at 6:21 AM Wolfinger Uwe  wrote:

> We just started an upgrade to version 2.22.1 and noticed, that still
> vulnerable log4j version are present in the distribution package, e.g.:
>
> apache-manifoldcf-2.22.1\lib\log4j-api-2.15.0.jar
>
> apache-manifoldcf-2.22.1\web\war\mcf-authority-service\WEB-INF\lib\log4j-api-2.15.0.jar
>
>
> According to this issue:
> https://issues.apache.org/jira/browse/CONNECTORS-1683
> we expected, that the log4j problem was already solved.
>
> Is this a known problem, or do we have upgrade the log4j version manually?
>
> Kind regards,
> Uwe Wolfinger
>

Vulnerable log4j Versions

2022-07-19 Thread Wolfinger Uwe

We just started an upgrade to version 2.22.1 and noticed, that still vulnerable 
log4j version are present in the distribution package, e.g.:

apache-manifoldcf-2.22.1\lib\log4j-api-2.15.0.jar
apache-manifoldcf-2.22.1\web\war\mcf-authority-service\WEB-INF\lib\log4j-api-2.15.0.jar


According to this issue:
https://issues.apache.org/jira/browse/CONNECTORS-1683
we expected, that the log4j problem was already solved.

Is this a known problem, or do we have upgrade the log4j version manually?

Kind regards,
Uwe Wolfinger

Build failed in Jenkins: ManifoldCF » ManifoldCF-ant #58

[jira] [Commented] (CONNECTORS-1722) remove xalan dependency due to it being end of life

[jira] [Created] (CONNECTORS-1722) remove xalan dependency due to it being end of life

[jira] [Resolved] (CONNECTORS-1721) Confluence v6 does not distinguish 404 errors

[jira] [Created] (CONNECTORS-1721) Confluence v6 does not distinguish 404 errors

Re: Vulnerable log4j Versions

Vulnerable log4j Versions

7 matches

Site Navigation

Mail list logo

Footer information