[GitHub] [ws-axiom] dependabot[bot] opened a new pull request #126: Bump commons-io from 2.8.0 to 2.9.0

2021-05-25 Thread GitBox


dependabot[bot] opened a new pull request #126:
URL: https://github.com/apache/ws-axiom/pull/126


   Bumps commons-io from 2.8.0 to 2.9.0.
   
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org



[GitHub] [ws-axiom] dependabot[bot] opened a new pull request #125: Bump truth from 1.1.2 to 1.1.3

2021-05-25 Thread GitBox


dependabot[bot] opened a new pull request #125:
URL: https://github.com/apache/ws-axiom/pull/125


   Bumps [truth](https://github.com/google/truth) from 1.1.2 to 1.1.3.
   
   Release notes

   Sourced from [truth's releases](https://github.com/google/truth/releases).

   1.1.3

   - Fixed a bug in how `comparingExpectedFieldsOnly()` handles `oneof` fields. (f27208428)
   - Improved `comparingExpectedFieldsOnly` to work when required fields are absent. (f27208428)
   - Changed `Subject.toString()` to throw `UnsupportedOperationException`. (fa4c7b512)

   Commits

   See full diff in [compare view](https://github.com/google/truth/commits)
   
   
   
   
   



Re: Axis2 needs an Axiom release

2021-05-25 Thread robertlazarski
Bump.

The situation here is that Axis2 is getting a lot of community requests for
a release due to security scanners showing outdated jars - rightly or
wrongly. We are getting several Jira issues related to security opened per
month.

I'd be willing to become a committer to help push an Axiom release forward.

Furthermore, Axis needs to file a quarterly report to the Apache board next
week. Project chairs are required to subscribe to the board list, and my
take is that a large portion of what the board does is roll calls on low
activity projects. Moving projects to the attic happens every month.

I mention that because I don't want to have to put things in the Axis board
report such as "we are awaiting an Axiom release but got no response on
their dev list".

Regards,
Robert

On Fri, May 14, 2021 at 10:44 AM robertlazarski wrote:

> Hello Web Services project,
>
> I am the current chair of Axis, and the Axis2 Java project is preparing
> for an upcoming release of 1.8.
>
> Axis2 requires snapshot builds of these Web Services projects below.
> Ideally, Axis2 wouldn't release with snapshots since the source of the
> release would compile with changing dependencies.
>
> neethi: 3.1.2-SNAPSHOT
> woden.version: 1.0M11-SNAPSHOT
> axiom.version: 1.3.0-SNAPSHOT
>
> Axis2 builds ok with neethi 3.1.1 and woden.version 1.0M10; so really we
> just need an Axiom release.
>
> BTW, I am trying to upgrade Axis2 to the current Glassfish release, 3.0.1.
> Concerning Axiom, the problem is that one of our Axis2 classes extends the
> Axiom DataHandlerWrapper class.
>
> I got stuck on the xjc tests, so I created AXIOM-506 that lists the steps
> I took.
>
> Thanks,
> Robert
>


[jira] [Closed] (WSS-685) Signature before timestamp results in signing after encryption

2021-05-25 Thread Colm O hEigeartaigh (Jira)


 [ https://issues.apache.org/jira/browse/WSS-685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-685.
---

> Signature before timestamp results in signing after encryption
> --
>
> Key: WSS-685
> URL: https://issues.apache.org/jira/browse/WSS-685
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 2.2.4
> Reporter: Michael Nørskov
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Fix For: 2.3.2
>
>
> Having the following actions for securement "Signature Timestamp Encryption" 
> will result in signing after encryption when Timestamp is specified in 
> signature parts.
>  
> Due to the implementation in WSHandler.java where signingActions is removed 
> from actionsToPerform and re-added when timestamp needs to be signed, signing 
> will be performed after encryption.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)




Re: [VOTE] - Release Apache WSS4J 2.3.2

2021-05-25 Thread Colm O hEigeartaigh
With 3 binding +1 votes, and no other votes, this vote passes - I'll
do the release.

Colm.

On Mon, May 24, 2021 at 10:05 AM Alessio Soldano wrote:
>
> +1
>
> Thanks!
>
> On Tue, May 18, 2021 at 10:41 AM Colm O hEigeartaigh wrote:
>>
>> This is a vote to release Apache WSS4J 2.3.2. It only fixes a single
>> bug 
>> (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063&version=12349519),
>> but it contains OpenSAML and Apache Santuario upgrades, as well as a
>> security fix for Guava, and an update for Joda-Time.
>>
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1077/
>> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.2
>>
>> +1 from me.
>>
>> Colm.
>>
>>
