[jira] [Assigned] (KARAF-4239) Upgrade to Pax-Logging 1.8.5

2015-12-27 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré reassigned KARAF-4239:
---

Assignee: Jean-Baptiste Onofré  (was: Achim Nierbeck)

> Upgrade to Pax-Logging 1.8.5
>
> Key: KARAF-4239
> URL: https://issues.apache.org/jira/browse/KARAF-4239
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf-core
> Affects Versions: 4.0.3
> Reporter: Achim Nierbeck
> Assignee: Jean-Baptiste Onofré
> Fix For: 4.0.4
>
> Pax-Logging 1.8.5 does also export the log4j 2 apis, therefore an upgrade to 
> this version is needed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (KARAF-4239) Upgrade to Pax-Logging 1.8.5

2015-12-27 Thread JIRA

[ 
https://issues.apache.org/jira/browse/KARAF-4239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072219#comment-15072219
 ] 

Jean-Baptiste Onofré commented on KARAF-4239:
-

I'm dealing with a couple of fixes in pax-logging. I will do the release and 
update in Karaf.



[jira] [Commented] (KARAF-4239) Upgrade to Pax-Logging 1.8.5

2015-12-27 Thread Achim Nierbeck (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072203#comment-15072203
 ] 

Achim Nierbeck commented on KARAF-4239:
---

updated to 1.8.5-Snapshot version ... pax-logging 1.8.5 still needs a release

> Upgrade to Pax-Logging 1.8.5
>
> Key: KARAF-4239
> URL: https://issues.apache.org/jira/browse/KARAF-4239
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf-core
> Affects Versions: 4.0.3
> Reporter: Achim Nierbeck
> Assignee: Achim Nierbeck
> Fix For: 4.0.4
>
> Pax-Logging 1.8.5 does also export the log4j 2 apis, therefore an upgrade to 
> this version is needed.





[jira] [Work started] (KARAF-4239) Upgrade to Pax-Logging 1.8.5

2015-12-27 Thread Achim Nierbeck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KARAF-4239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on KARAF-4239 started by Achim Nierbeck.
-


[jira] [Created] (KARAF-4239) Upgrade to Pax-Logging 1.8.5

2015-12-27 Thread Achim Nierbeck (JIRA)
Achim Nierbeck created KARAF-4239:
-

 Summary: Upgrade to Pax-Logging 1.8.5
 Key: KARAF-4239
 URL: https://issues.apache.org/jira/browse/KARAF-4239
 Project: Karaf
  Issue Type: Dependency upgrade
  Components: karaf-core
Affects Versions: 4.0.3
Reporter: Achim Nierbeck
Assignee: Achim Nierbeck
 Fix For: 4.0.4


Pax-Logging 1.8.5 does also export the log4j 2 apis, therefore an upgrade to 
this version is needed. 





[jira] [Commented] (KARAF-4239) Upgrade to Pax-Logging 1.8.5

2015-12-27 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072202#comment-15072202
 ] 

ASF subversion and git services commented on KARAF-4239:


Commit 28f09e75b130fea6f16755910e946d1d9bba5969 in karaf's branch 
refs/heads/master from [~achim_nierbeck]
[ https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=28f09e7 ]

[KARAF-4239] - Upgrade to Pax-Logging 1.8.5




[jira] [Commented] (KARAF-4222) Add a flag to add-features-to-repo and install-kar to include conditions

2015-12-27 Thread Amichai Rothman (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072176#comment-15072176
 ] 

Amichai Rothman commented on KARAF-4222:


Note that while there is a workaround of using karaf-maven-plugin to create a 
custom feature and manually add the missing bundles to it for offline 
deployment, this doesn't always work. For example, the transaction feature 
specifies org.apache.aries.transaction.blueprint with both versions 1.1.1 and 
2.0.0. Attempting to add these to the custom feature results in only one of 
them being added, and the other still has to be copied manually to the 
distribution folder. The solution to this issue should handle this properly and 
add multiple versions of the same bundle to the offline repo.


> Add a flag to add-features-to-repo and install-kar to include conditions
>
> Key: KARAF-4222
> URL: https://issues.apache.org/jira/browse/KARAF-4222
> Project: Karaf
> Issue Type: Improvement
> Components: karaf-tooling
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Fix For: 4.0.4
>
> Right now, the add-features-to-repo goal (and depending on the config, the 
> install-kar one) doesn't include the conditional artifacts in the resulting 
> system folder.
> It may cause issue to create an offline-ready distribution.
> I will add a flag in the add-features-to-repo and install-kar goals to 
> include all conditional resources.





[jira] [Commented] (KARAF-4156) [karaf-3.0.x] set 'karaf.clean.all' as true will cause data folder cleaned while checking status

2015-12-27 Thread Andrea Cosentino (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072160#comment-15072160
 ] 

Andrea Cosentino commented on KARAF-4156:
-

PR submitted:
https://github.com/apache/karaf/pull/124

> [karaf-3.0.x] set 'karaf.clean.all' as true will cause data folder cleaned 
> while checking status
>
> Key: KARAF-4156
> URL: https://issues.apache.org/jira/browse/KARAF-4156
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 3.0.5
> Environment: Running on Mac OS X 10.11
> Reporter: Jerry Meng
> Priority: Critical
> Fix For: 3.0.6
>
> Scenario
> ===
> In etc/system.properties, it describes
> # Deletes the entire karaf.data directory at every start
> karaf.clean.all = false
> When I set the property as true, I expect it will clean data folder ONLY at 
> karaf start; however it also causes the command 'stop' and 'status' to delete 
> data folder so that the command complains "shutdown port file doesn't exist. 
> The container is not running."
> Root Cause
> =
> The class 'org.apache.karaf.main.ConfigProperties' checks the property 
> 'karaf.clean.all' in the constructor and deletes the data folder if it's set 
> as true.
> In 'org.apache.karaf.main.Stop' and 'org.apache.karaf.main.Status', they 
> will instantiate ConfigProperties at the very beginning. They will never get 
> port file correctly in this case and even cause working directory being 
> deleted.
> It seems that to delete data folder in the constructor of ConfigProperties 
> does not make sense to me.




[jira] [Commented] (KARAF-4156) [karaf-3.0.x] set 'karaf.clean.all' as true will cause data folder cleaned while checking status

2015-12-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072159#comment-15072159
 ] 

ASF GitHub Bot commented on KARAF-4156:
---

GitHub user oscerd opened a pull request:

https://github.com/apache/karaf/pull/124

[KARAF-4156] [karaf-3.0.x] set 'karaf.clean.all' as true will cause d…

…ata folder cleaned while checking status

Hi all,

This PR is related to:
https://issues.apache.org/jira/browse/KARAF-4156

I hope it is better than the last one :-)

I think it has to be merged on karaf-3.0.x branch too.

Andrea

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/oscerd/karaf KARAF-4156

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/karaf/pull/124.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #124


commit 6ad6a2a817fb57dc3e2e2a52227679617f76adcf
Author: Andrea Cosentino 
Date:   2015-12-27T14:36:02Z

[KARAF-4156] [karaf-3.0.x] set 'karaf.clean.all' as true will cause data 
folder cleaned while checking status






[jira] [Commented] (KARAF-4199) Privacy Violation: Heap Inspection

2015-12-27 Thread Andrea Cosentino (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072147#comment-15072147
 ] 

Andrea Cosentino commented on KARAF-4199:
-

Sorry about this.

> Privacy Violation: Heap Inspection
> --
>
> Key: KARAF-4199
> URL: https://issues.apache.org/jira/browse/KARAF-4199
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>
> HP Fortify and SciTools Understand were used to perform an application 
> security scan on the karaf source code.
> The method interactive() in Main.java stores sensitive data in a String 
> object on line 127, making it impossible to reliably purge the data from 
> memory.
> Main.java, lines 120-137:
> {code}
> 120 public String[] interactive(String destination, String name, String instruction, String[] prompt, boolean[] echo) {
> 121     String[] answers = new String[prompt.length];
> 122     try {
> 123         for (int i = 0; i < prompt.length; i++) {
> 124             if (echo[i]) {
> 125                 answers[i] = console.readLine(prompt[i] + " ");
> 126             } else {
> 127                 answers[i] = new String(console.readPassword(prompt[i] + " "));
> 128             }
> 129             if (answers[i] == null) {
> 130                 return null;
> 131             }
> 132         }
> 133         return answers;
> 134     } catch (IOError e) {
> 135         return null;
> 136     }
> 137 }
> {code}





[jira] [Commented] (KARAF-4199) Privacy Violation: Heap Inspection

2015-12-27 Thread Andrea Cosentino (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072146#comment-15072146
 ] 

Andrea Cosentino commented on KARAF-4199:
-

Closed the PR.

I've used a stupid approach and I went back to the starting situation.



[jira] [Commented] (KARAF-4199) Privacy Violation: Heap Inspection

2015-12-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072145#comment-15072145
 ] 

ASF GitHub Bot commented on KARAF-4199:
---

Github user oscerd closed the pull request at:

https://github.com/apache/karaf/pull/123




[jira] [Commented] (KARAF-4199) Privacy Violation: Heap Inspection

2015-12-27 Thread Fabian Lange (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072136#comment-15072136
 ] 

Fabian Lange commented on KARAF-4199:
-

The PR is insufficient, as I noted in the PR.
The problem is not (only) in Karaf, but the whole Apache Mina sshd 
UserAuthKeyboardInteractive is broken (if you consider this a valid attack)

A proper fix would be to rewrite Mina sshd to work with byte char arrays 
instead of Strings.

A hot fix could be to use reflection to remove the backing array after 
session.auth() (but this will break in java9 with compact strings)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
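
The char-array approach named in the comment above, as an added example that is not code from Karaf, Mina sshd or the closed PR. It shows a char[]-returning variant of the interactive() method quoted in the issue, with the answers wiped after use; the Prompter interface and all class and method names are hypothetical, and the typed input is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration: every name below is hypothetical, not Karaf or Mina sshd API.
public class WipeableAnswers {
    /** Stand-in for java.io.Console (a final class) so the example runs without a terminal. */
    interface Prompter {
        String readLine(String prompt);      // echoed, non-secret input
        char[] readPassword(String prompt);  // same contract as Console.readPassword
    }

    /** char[]-based variant of interactive(): secret answers never become a String. */
    static char[][] interactive(Prompter console, String[] prompt, boolean[] echo) {
        char[][] answers = new char[prompt.length][];
        for (int i = 0; i < prompt.length; i++) {
            if (echo[i]) {
                String line = console.readLine(prompt[i] + " ");
                answers[i] = (line == null) ? null : line.toCharArray();
            } else {
                answers[i] = console.readPassword(prompt[i] + " ");
            }
            if (answers[i] == null) {  // end of input: wipe what was already collected
                wipe(answers);
                return null;
            }
        }
        return answers;
    }

    static void wipe(char[][] answers) {
        for (char[] a : answers) if (a != null) Arrays.fill(a, '\0');
    }

    /** UTF-8 encode without an intermediate String; the caller wipes the returned array. */
    static byte[] toUtf8(char[] secret) {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        // Worst-case size up front, so the encoder never reallocates and strands a copy.
        ByteBuffer buf = ByteBuffer.allocate((int) Math.ceil(enc.maxBytesPerChar() * secret.length));
        try {
            if (enc.encode(CharBuffer.wrap(secret), buf, true).isError())
                throw new IllegalArgumentException("answer is not valid UTF-16");
            return Arrays.copyOf(buf.array(), buf.position());
        } finally {
            Arrays.fill(buf.array(), (byte) 0);  // clear the scratch buffer
        }
    }

    public static void main(String[] args) {
        Prompter typed = new Prompter() {  // constructed input standing in for a user
            public String readLine(String p) { return "karaf"; }
            public char[] readPassword(String p) { return new char[] {'s', '3', 'c', 'r', 'e', 't'}; }
        };
        char[][] answers = interactive(typed, new String[] {"User:", "Password:"}, new boolean[] {true, false});
        byte[] wire = toUtf8(answers[1]);
        try {
            System.out.println("would send " + wire.length + " password bytes");
        } finally {
            Arrays.fill(wire, (byte) 0);  // wipe as soon as authentication has used them
            wipe(answers);
        }
    }
}
```

Wiping only helps if every layer that receives the answers also takes arrays, which is the point the comment above makes about the sshd keyboard-interactive path.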


[jira] [Commented] (KARAF-4199) Privacy Violation: Heap Inspection

2015-12-27 Thread Andrea Cosentino (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072124#comment-15072124
 ] 

Andrea Cosentino commented on KARAF-4199:
-

PR submitted:
https://github.com/apache/karaf/pull/123



[jira] [Commented] (KARAF-4199) Privacy Violation: Heap Inspection

2015-12-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15072123#comment-15072123
 ] 

ASF GitHub Bot commented on KARAF-4199:
---

GitHub user oscerd opened a pull request:

https://github.com/apache/karaf/pull/123

[KARAF-4199] Privacy Violation: Heap Inspection

Hi all,

This PR is related to:
https://issues.apache.org/jira/browse/KARAF-4199

Andrea

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/oscerd/karaf KARAF-4199

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/karaf/pull/123.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #123


commit 0cf9ed85d31f9f7fc4d5c4e1a9eff1fc50f188e7
Author: Andrea Cosentino 
Date:   2015-12-27T11:41:34Z

[KARAF-4199] Privacy Violation: Heap Inspection



