[jira] [Commented] (JXPATH-199) OSS-Fuzz Integration of JXPath

2022-10-12 Thread ChenYuwang (Jira)


[ 
https://issues.apache.org/jira/browse/JXPATH-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616742#comment-17616742
 ] 

ChenYuwang commented on JXPATH-199:
---

Looking forward to the community to fix this vulnerability as soon as possible

> OSS-Fuzz Integration of JXPath
> --
>
> Key: JXPATH-199
> URL: https://issues.apache.org/jira/browse/JXPATH-199
> Project: Commons JXPath
>  Issue Type: Improvement
>Reporter: Roman Wagner
>Priority: Major
>
> Hi all,
> I have prepared the initial integration 
> [https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/77378631c5593c7538193ecbff4f6edf8338ffe8]
>  of JXPath into [google oss-fuzz|https://github.com/google/oss-fuzz]. This 
> will enable continuous fuzzing of this project, which will be conducted by 
> Google. Bugs that will be found by fuzzing will be reported to you. After the 
> initial integration of this project into oss-fuzz, I will continue to add 
> additional fuzz tests to improve the code coverage over time.
> The integration requires a primary contact, someone to deal with the bug 
> reports submitted by oss-fuzz. The email address needs to belong to an 
> established project committer and be associated with a Google account as per 
> [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/].
>  When a bug is found, you will receive an email that will provide you with 
> access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 
> person can be included. Please let me know who I should include, if anyone.
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] is used for 
> fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for 
> the JVM platform developed by Code Intelligence. It is based on libFuzzer and 
> brings many of its instrumentation-powered mutation features to the JVM. 
> Jazzer has already found several bugs in JVM applications: [Jazzer 
> Findings|https://github.com/CodeIntelligenceTesting/jazzer#findings]
> Please let me know if you have any questions regarding fuzzing or the 
> oss-fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (JXPATH-200) CVE-2022-41852 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

2022-10-12 Thread ChenYuwang (Jira)


[ 
https://issues.apache.org/jira/browse/JXPATH-200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616741#comment-17616741
 ] 

ChenYuwang commented on JXPATH-200:
---

Looking forward to the community to fix this vulnerability as soon as possible

> CVE-2022-41852 Use of Externally-Controlled Input to Select Classes or Code 
> ('Unsafe Reflection')
> -
>
> Key: JXPATH-200
> URL: https://issues.apache.org/jira/browse/JXPATH-200
> Project: Commons JXPath
>  Issue Type: Bug
>Affects Versions: 1.3
>Reporter: Nicolò Mendola
>Priority: Blocker
> Fix For: 1.4
>
>
> There is a CVE detected in jxpath 1.3. and prior. Could you take a look?
> Use of Externally-Controlled Input to Select Classes or Code ('Unsafe 
> Reflection')
> [https://avd.aquasec.com/nvd/2022/cve-2022-41852/]
> Best Regards





[jira] [Commented] (DBCP-587) DBCP and Transparent Application Continuity

2022-10-12 Thread Gary D. Gregory (Jira)


[ 
https://issues.apache.org/jira/browse/DBCP-587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616735#comment-17616735
 ] 

Gary D. Gregory commented on DBCP-587:
--

Hi [~cptkirkh] 

What is the full stack trace?

 

> DBCP and Transparent Application Continuity
> ---
>
> Key: DBCP-587
> URL: https://issues.apache.org/jira/browse/DBCP-587
> Project: Commons DBCP
>  Issue Type: Bug
>Affects Versions: 2.9.0
>Reporter: Kirk Hill
>Priority: Major
>
> Oracle databases have a high-availability setup that uses an item called 
> Transparent Application Continuity.  It requires using the following driver 
> class name for "oracle.jdbc.replay.OracleDataSourceImpl"  When I attempt to 
> use this driver I get the following error message.  
> SQLException occurred : Cannot create JDBC driver of class 
> 'oracle.jdbc.replay.OracleDataSourceImpl' 
> Having this as a way to create connection pools would greatly enhance your 
> product.  





[GitHub] [commons-scxml] dependabot[bot] opened a new pull request, #76: Bump jackson-databind from 2.13.4 to 2.13.4.1

2022-10-12 Thread GitBox


dependabot[bot] opened a new pull request, #76:
URL: https://github.com/apache/commons-scxml/pull/76

   Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.13.4 
to 2.13.4.1.
   
   See full diff in the compare view: https://github.com/FasterXML/jackson/commits
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@commons.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[jira] [Commented] (DBCP-587) DBCP and Transparent Application Continuity

2022-10-12 Thread Kirk Hill (Jira)


[ 
https://issues.apache.org/jira/browse/DBCP-587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616703#comment-17616703
 ] 

Kirk Hill commented on DBCP-587:


{code:java}
// code placeholder
import org.apache.commons.dbcp2.BasicDataSource;
import java.io.PrintStream;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class BasicDB {
    private static BasicDataSource dataSource;

    // Lazily builds the shared DBCP pool.
    private static BasicDataSource getDataSource() {
        if (dataSource == null) {
            BasicDataSource ds = new BasicDataSource();
            ds.setUrl("jdbc:oracle:thin:@pdb_tac");
            ds.setUsername("hr");
            ds.setPassword("my_password");
            //ds.setDriverClassName("oracle.jdbc.driver.OracleDriver");
            // Class name required for Transparent Application Continuity;
            // this is the setting that produces the reported SQLException.
            ds.setDriverClassName("oracle.jdbc.replay.OracleDataSourceImpl");
            //ds.setDriverClass("oracle.jdbc.replay.OracleDataSourceImpl");
            ds.setDefaultAutoCommit(false);
            ds.setInitialSize(5);
            ds.setMinIdle(5);
            ds.setMaxIdle(10);
            ds.setMaxOpenPreparedStatements(100);
            dataSource = ds;
        }
        return dataSource;
    }

    final static String ORACLE_WALLET = "c:/my_wallet";

    private void pressAnyKeyToContinue() {
        System.out.print("Press any key to continue...");
        try { System.in.read(); }
        catch (Exception e) { e.printStackTrace(); }
    }

    // Returns the name of the instance the connection is currently attached to.
    public String getInstanceName(Connection conn) throws SQLException {
        PreparedStatement pstmt = conn.prepareStatement("select instance_name from v$instance");
        String r = new String();
        for (ResultSet result = pstmt.executeQuery(); result.next(); r = result.getString("instance_name")) {
        }
        pstmt.close();
        return r;
    }

    // Returns the value of the named session statistic for the current session.
    public String getStatValue(Connection conn, String statName) throws SQLException {
        String q = "select value from v$statname sn, v$sesstat ss where "
                + "sn.statistic#=ss.statistic# and sn.name=? and "
                + "ss.sid=SYS_CONTEXT('USERENV','SID')";
        String r = null;
        PreparedStatement pstmt = conn.prepareStatement(q);
        pstmt.setString(1, statName);
        for (ResultSet rs = pstmt.executeQuery(); rs.next(); r = rs.getString("value")) {
        }
        pstmt.close();
        return r;
    }

    // Runs numValue updates in one transaction.
    private void doTx(Connection c, int numValue) throws SQLException {
        String updsql = "UPDATE test SET v=UPPER(v) WHERE id=?";
        PreparedStatement pstmt = null;
        pstmt = c.prepareStatement(updsql);
        c.setAutoCommit(false);
        for (int i = 0; i < numValue; ++i) {
            pstmt.setInt(1, i);
            pstmt.executeUpdate();
        }
        c.commit();
        pstmt.close();
    }

    public static void main(String[] args) throws SQLException {
        //Connection conn = null;
        BasicDB self = new BasicDB();
        int numValue = 5000;
        String statname = "CPU used by this session";
        try {
            System.setProperty("oracle.net.tns_admin",
                    "C:/oracle/product/19.0.0/client_1/network/admin");
            System.setProperty("oracle.net.wallet_location",
                    "(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=${ORACLE_WALLET})))");
            BasicDataSource dataSource = BasicDB.getDataSource();
            Connection conn = dataSource.getConnection();
            PrintStream var1 = System.out;
            String var10001 = self.getInstanceName(conn);
            var1.println("Instance Name = " + var10001);
            System.out.println("Performing transactions");
            self.pressAnyKeyToContinue();
            self.doTx(conn, numValue);
            var10001 = self.getInstanceName(conn);
            var1.println("Instance Name = " + var10001);
        } catch (SQLException e) {
            System.out.println("BasicDB - " + "SQLException occurred : "
                    + e.getMessage());
        }
    }
}
{code}
The above is a copy of my testing code.  If I use the driver 
oracle.jdbc.driver.OracleDriver I can connect, but the minute I test the 
Transparent Application Continuity on a two-node Oracle RAC with the app 
connected to the SCAN listener, I should be able to shut down the node that the 
app is connected to and my Oracle SCAN listener should simply switch the app 
over to the other node.  This doesn't work using DBCP to create the connection 
pools.  If we could use the oracle.jdbc.replay.OracleDataSourceImpl driver then 
it would allow this to function properly. 

> DBCP and Transparent Application Continuity
> ---
>
> Key: DBCP-587
> URL: https://issues.apache.org/jira/browse/DBCP-587
> Project: Commons DBCP
>  Issue Type: Bug
>Affects Versions: 2.9.0
>Reporter: Kirk 

[jira] [Created] (DBCP-587) DBCP and Transparent Application Continuity

2022-10-12 Thread Kirk Hill (Jira)
Kirk Hill created DBCP-587:
--

 Summary: DBCP and Transparent Application Continuity
 Key: DBCP-587
 URL: https://issues.apache.org/jira/browse/DBCP-587
 Project: Commons DBCP
  Issue Type: Bug
Affects Versions: 2.9.0
Reporter: Kirk Hill


Oracle databases have a high-availability setup that uses an item called 
Transparent Application Continuity.  It requires using the following driver 
class name for "oracle.jdbc.replay.OracleDataSourceImpl"  When I attempt to use 
this driver I get the following error message.  

SQLException occurred : Cannot create JDBC driver of class 
'oracle.jdbc.replay.OracleDataSourceImpl' 

Having this as a way to create connection pools would greatly enhance your 
product.  





[GitHub] [commons-text] garydgregory commented on pull request #368: Fix formatting.

2022-10-12 Thread GitBox


garydgregory commented on PR #368:
URL: https://github.com/apache/commons-text/pull/368#issuecomment-1276054013

   @arturobernalg @kinow TY both  





[GitHub] [commons-text] garydgregory merged pull request #368: Fix formatting.

2022-10-12 Thread GitBox


garydgregory merged PR #368:
URL: https://github.com/apache/commons-text/pull/368





[jira] [Commented] (FILEUPLOAD-309) Release version 2.0.0

2022-10-12 Thread Mark Thomas (Jira)


[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616382#comment-17616382
 ] 

Mark Thomas commented on FILEUPLOAD-309:


Another option would be to run the current JAR through the Tomcat Migration 
Tool for Jakarta EE (other migration tools are available) and then publish the 
migrated JAR as 1.4.0-jakarta (or similar).

> Release version 2.0.0
> -
>
> Key: FILEUPLOAD-309
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-309
> Project: Commons FileUpload
>  Issue Type: Wish
>Reporter: Thiago Henrique Hupner
>Priority: Major
>
> At Piranha, we've migrated to use the new Jakarta namespace.
> One of our dependencies is the Commons File Upload, but the latest version 
> available is 1.4.
> Looking around at the source code, I've found that the code is already 
> prepared for the new Jakarta namespace.
> So, I want to know if there's a plan to release a new version soon. Or at 
> least a 2.0.0 milestone.





[jira] [Commented] (FILEUPLOAD-309) Release version 2.0.0

2022-10-12 Thread Andy Seaborne (Jira)


[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616378#comment-17616378
 ] 

Andy Seaborne commented on FILEUPLOAD-309:
--

(( This whole jakarta thing is "no gain, and a bit of a pain". ))

The [Jakarta 9 release 
plan](https://eclipse-ee4j.github.io/jakartaee-platform/jakartaee9/JakartaEE9ReleasePlan)
 specifically says that the idea is no changes except namespaces with an 
exception if referring to spec not transferring.

Would not Fileupload v3.0 with changes be better, and give the 3.x space for 
considered changes?
A release of 1.4/Jakarta as 2.0 would help smooth this transition as it is 
significant for many projects.

Or advise copying the code and changing it locally which is practical for 
fileupload.


> Release version 2.0.0
> -
>
> Key: FILEUPLOAD-309
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-309
> Project: Commons FileUpload
>  Issue Type: Wish
>Reporter: Thiago Henrique Hupner
>Priority: Major
>
> At Piranha, we've migrated to use the new Jakarta namespace.
> One of our dependencies is the Commons File Upload, but the latest version 
> available is 1.4.
> Looking around at the source code, I've found that the code is already 
> prepared for the new Jakarta namespace.
> So, I want to know if there's a plan to release a new version soon. Or at 
> least a 2.0.0 milestone.





[jira] [Commented] (FILEUPLOAD-309) Release version 2.0.0

2022-10-12 Thread Gary D. Gregory (Jira)


[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616368#comment-17616368
 ] 

Gary D. Gregory commented on FILEUPLOAD-309:


Let's not shoot from the hip on a major release, please. We have a rare 
opportunity with a major release to make sure the API is the best it can be 
since it will be set in stone once 2.0 is released. With that in mind IMO, we 
should review all public and protected APIs, as well as class hierarchies.

Hi [~joc...@apache.org] : If you are looking to release a component this 
weekend, there are many other components that could use a release but that are 
not major releases (except Commons Collection which has new APIs still being 
worked out).

> Release version 2.0.0
> -
>
> Key: FILEUPLOAD-309
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-309
> Project: Commons FileUpload
>  Issue Type: Wish
>Reporter: Thiago Henrique Hupner
>Priority: Major
>
> At Piranha, we've migrated to use the new Jakarta namespace.
> One of our dependencies is the Commons File Upload, but the latest version 
> available is 1.4.
> Looking around at the source code, I've found that the code is already 
> prepared for the new Jakarta namespace.
> So, I want to know if there's a plan to release a new version soon. Or at 
> least a 2.0.0 milestone.





[jira] [Commented] (FILEUPLOAD-309) Release version 2.0.0

2022-10-12 Thread Jochen Wiedmann (Jira)


[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616306#comment-17616306
 ] 

Jochen Wiedmann commented on FILEUPLOAD-309:


Will give it a try this weekend. (Didn't do a release for quite some time, so 
no guarantees, that I am getting it done.)

 

> Release version 2.0.0
> -
>
> Key: FILEUPLOAD-309
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-309
> Project: Commons FileUpload
>  Issue Type: Wish
>Reporter: Thiago Henrique Hupner
>Priority: Major
>
> At Piranha, we've migrated to use the new Jakarta namespace.
> One of our dependencies is the Commons File Upload, but the latest version 
> available is 1.4.
> Looking around at the source code, I've found that the code is already 
> prepared for the new Jakarta namespace.
> So, I want to know if there's a plan to release a new version soon. Or at 
> least a 2.0.0 milestone.





[GitHub] [commons-fileupload] jochenw merged pull request #172: Bump spotbugs-maven-plugin from 4.7.2.0 to 4.7.2.1

2022-10-12 Thread GitBox


jochenw merged PR #172:
URL: https://github.com/apache/commons-fileupload/pull/172





[jira] [Commented] (FILEUPLOAD-309) Release version 2.0.0

2022-10-12 Thread Mikhail Shabarov (Jira)


[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616275#comment-17616275
 ] 

Mikhail Shabarov commented on FILEUPLOAD-309:
-

[~ggregory] we are migrating Vaadin framework to Jakarta EE 9 / Servlet 5.0 
namespaces and we also need the pre-release / final version.

Would really appreciate it. Thanks!

> Release version 2.0.0
> -
>
> Key: FILEUPLOAD-309
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-309
> Project: Commons FileUpload
>  Issue Type: Wish
>Reporter: Thiago Henrique Hupner
>Priority: Major
>
> At Piranha, we've migrated to use the new Jakarta namespace.
> One of our dependencies is the Commons File Upload, but the latest version 
> available is 1.4.
> Looking around at the source code, I've found that the code is already 
> prepared for the new Jakarta namespace.
> So, I want to know if there's a plan to release a new version soon. Or at 
> least a 2.0.0 milestone.


