Timo Aaltonen pushed to branch master-3.0 at Debian Java Maintainers / resteasy
Commits:
22c5d54b by Timo Aaltonen at 2021-10-20T00:53:40+03:00
really add the cve fix
- - - - -
0f36a4a9 by Timo Aaltonen at 2021-10-20T00:57:16+03:00
Drop dependency on liblog4j1.2-java, and fix classpath to use tomcat9-el-api.jar.
- - - - -
a87c079c by Timo Aaltonen at 2021-10-20T00:58:27+03:00
releasing package resteasy3.0 version 3.0.26-3
- - - - -
6 changed files:
- debian/changelog
- debian/control
- debian/libresteasy3.0-java.classpath
- debian/maven.ignoreRules
- debian/maven.rules
- + debian/patches/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
Changes:
===================================== debian/changelog =====================================
@@ -1,3 +1,10 @@
+resteasy3.0 (3.0.26-3) unstable; urgency=medium
+
+ * Drop dependency on liblog4j1.2-java, and fix classpath to use
+ tomcat9-el-api.jar.
+
+ -- Timo Aaltonen <tjaal...@debian.org> Wed, 20 Oct 2021 00:57:18 +0300
+
 resteasy3.0 (3.0.26-2) unstable; urgency=medium
 * control, maven.rules: Use tomcat for servlet & el-api, add
===================================== debian/control =====================================
@@ -23,7 +23,6 @@ Build-Depends-Indep:
 libjboss-logging-java,
 libjboss-logging-tools-java,
 libjettison-java,
- liblog4j1.2-java (>= 1.2.17),
 libmaven-install-plugin-java,
 libslf4j-java,
 libtomcat9-java,
@@ -36,7 +35,6 @@ Homepage: http://rest-easy.org
 Package: libresteasy3.0-java
 Architecture: all
 Depends: ${maven:Depends}, ${misc:Depends},
- liblog4j1.2-java
 Recommends: ${maven:OptionalDepends}
 Conflicts: libresteasy-java
 Replaces: libresteasy-java
===================================== debian/libresteasy3.0-java.classpath =====================================
@@ -1,4 +1,4 @@
-usr/share/java/resteasy-jaxrs.jar /usr/share/java/log4j-1.2.jar /usr/share/java/slf4j-api.jar /usr/share/java/httpclient.jar /usr/share/java/commons-io.jar /usr/share/java/geronimo-annotation-1.3-spec.jar /usr/share/java/el-api-3.0.jar
+usr/share/java/resteasy-jaxrs.jar /usr/share/java/slf4j-api.jar /usr/share/java/httpclient.jar /usr/share/java/commons-io.jar /usr/share/java/geronimo-annotation-1.3-spec.jar /usr/share/java/tomcat9-el-api.jar
 usr/share/java/resteasy-jaxb-provider.jar /usr/share/java/jaxb-impl.jar
 usr/share/java/resteasy-jettison-provider.jar /usr/share/java/jettison.jar
 usr/share/java/resteasy-jackson-provider.jar /usr/share/java/jackson-core-asl.jar /usr/share/java/jackson-mapper-asl.jar /usr/share/java/jackson-jaxrs.jar /usr/share/java/jackson-xc.jar
===================================== debian/maven.ignoreRules =====================================
@@ -34,3 +34,4 @@ org.jboss.el jboss-el * * * *
 org.mortbay.jetty maven-jetty-plugin * * * *
 org.springframework spring-webmvc * * * *
 org.glassfish javax.el * * * *
+log4j log4j * * * *
===================================== debian/maven.rules =====================================
@@ -11,7 +11,6 @@ org.codehaus.jettison jettison s/bundle/jar/ s/.*/debian/ * *
 org.yaml snakeyaml * s/.*/1.x/ * *
 com.sun.istack istack-commons-runtime * s/debian/2.17/ * *
 s/jboss/javassist/ javassist * s/.*/debian/ * *
-log4j log4j * s/1\.2\..*/1.2.x/ * *
 s/org.jboss.spec.javax.annotation/org.apache.geronimo.specs/ s/jboss-annotations-api_1.2_spec/geronimo-annotation_1.3_spec/ * s/.*/debian/ * *
 s/org.jboss.spec.javax.servlet/org.apache.tomcat/ s/jboss-servlet-api_3.1_spec/tomcat-servlet-api/ * s/.*/9.x/ * *
 s/org.jboss.spec.javax.el/org.apache.tomcat/ s/jboss-el-api_3.0_spec/tomcat-el-api/ * s/.*/9.x/ * *
===================================== debian/patches/0001-RESTEASY-2559-Improper-validation-of-response-header.patch =====================================
@@ -0,0 +1,47 @@
+From f58a22382e31c0c4b92e519fa84f701a606981ac Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko <bspyr...@redhat.com>
+Date: Thu, 16 Apr 2020 14:01:17 +0100
+Subject: [PATCH] [RESTEASY-2559] Improper validation of response header in
+ MediaTypeHeaderDelegate.java class
+
+---
+ .../plugins/delegates/MediaTypeHeaderDelegate.java | 1 +
+ .../test/mediatype/MediaTypeHeaderTest.java | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+index db0b4d588..b31d4376e 100755
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
++++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+@@ -89,6 +89,7 @@ public class MediaTypeHeaderDelegate implements RuntimeDelegate.HeaderDelegate
+ case '[':
+ case ']':
+ case '=':
++ case '\n':
+ return false;
+ default:
+ break;
+diff --git a/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+new file mode 100644
+index 000000000..e46f018f7
+--- /dev/null
++++ b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+@@ -0,0 +1,14 @@
++package org.jboss.resteasy.test.mediatype;
++
++import org.jboss.resteasy.plugins.delegates.MediaTypeHeaderDelegate;
++import org.junit.Test;
++
++public class MediaTypeHeaderTest {
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testNewLineInHeaderValueIsRejected() {
++ MediaTypeHeaderDelegate delegate = new MediaTypeHeaderDelegate();
++
++ delegate.fromString("foo/bar\n");
++ }
++}
+--
+2.26.2
+
View it on GitLab: https://salsa.debian.org/java-team/resteasy/-/compare/a30ec9463cbfb2a82b482f06affca19e46bd8398...a87c079cf75e8163dcd49c02bf06dcae4850a0c8
--
View it on GitLab: https://salsa.debian.org/java-team/resteasy/-/compare/a30ec9463cbfb2a82b482f06affca19e46bd8398...a87c079cf75e8163dcd49c02bf06dcae4850a0c8
You're receiving this email because of your account on salsa.debian.org.
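Review bot: The new `case '\n':` in MediaTypeHeaderDelegate is the only character the shipped patch adds to the reject list, and the hunk does not show whether `'\r'` is already rejected by the cases above line 89. A lone carriage return is treated as a line terminator by some header parsers, so the defensive form rejects both, `case '\r':` next to `case '\n':`, with the test extended to also call `delegate.fromString("foo/bar\r")`. The enclosing method starts and ends outside the hunk, so this may already be covered — confirm against the full switch before adding it. Separately, debian/patches/series is not among the six changed files, so the patch is only applied if a series entry already exists from the 3.0.26-2 upload, and the 3.0.26-3 changelog entry does not record that the RESTEASY-2559 patch file is first shipped here; a line such as `* patches: Actually ship the RESTEASY-2559 patch file.` would document it.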