[GitHub] [james-hupa] dependabot[bot] opened a new pull request, #5: Bump hibernate-validator from 4.2.0.Final to 4.3.2.Final in /hupa
dependabot[bot] opened a new pull request, #5: URL: https://github.com/apache/james-hupa/pull/5

Bumps [hibernate-validator](https://github.com/hibernate/hibernate-validator) from 4.2.0.Final to 4.3.2.Final.

Changelog

Sourced from [hibernate-validator's changelog](https://github.com/hibernate/hibernate-validator/blob/4.3.2.Final/changelog.txt).

4.3.2.Final (25.07.2014)

** Improvement
* [HV-885] - Contention generated on runtime lookup for @GroupSequence annotation
** Task
* [HV-912] - Improve integration with Java's security manager

4.3.1.Final (28.11.2012)

** Bug
* [HV-591] - EmailValidator throws an IllegalArgumentException for long email addresses
* [HV-601] - NPE w/ overloaded methods on class validated with MethodValidationInterceptor
* [HV-607] - Email Validator producing error for large email addresses
* [HV-609] - EmailValidator fails where email address is large
* [HV-613] - email handles complete address as idn label and fails for valid longer addresses
* [HV-622] - Assumes all getX/setX methods are bean properties and errors with "wrong number of arguments"
* [HV-623] - Wrong constraint validator type resolution in case of constraint placed on parameterized type in class hierarchy
* [HV-625] - EmailValidator.isValid sometimes throws an exception instead of returning false
* [HV-626] - AnnotationMetaDataProvider should use #getDeclaredAnnotations instead of #getAnnotations when reading metadata from class and members
** Task
* [HV-639] - Evaluation of composed constraints should stop on first validation error when @ReportAsSingleViolation is used

4.3.0.Final (09.05.2012)

** Improvement
* [HV-568] - Perform a profiling of the annotation processor code and make use of caching where appropriate
* [HV-577] - Include javadoc jar in Maven repo
** Task
* [HV-578] - Remove remaining references to slf4j
* [HV-580] - Remove deprecation of package org.hibernate.validator.group

4.3.0.CR1 (30.04.2012)

** Bug
* [HV-572] - Ensure the docs directory gets properly included into the distribution
* [HV-573] - Need graceful handling of return value constraint applied to method with void return type
* [HV-574] - Annotations processing fails with 4.3.0 Beta1
* [HV-575] - NPE in annotation processor ConstraintHelper.getName()
** Improvement
... (truncated)

Commits

- [8a14556](https://github.com/hibernate/hibernate-validator/commit/8a145568ce6a6a103be96d711fd24d83f444dc10) [maven-release-plugin] prepare release 4.3.2.Final
- [17aef88](https://github.com/hibernate/hibernate-validator/commit/17aef8890e6dff076c8b88cc9af400be2ac43b01) Changelog and readme updates prior to release 4.3.2.Final
- [763feff](https://github.com/hibernate/hibernate-validator/commit/763feff5e7cc0c2fef8abb3836f94567f8943488) HV-843 Making sure non public annotation members are accessible. Unifying han...
- [ab21ca9](https://github.com/hibernate/hibernate-validator/commit/ab21ca98fd7814bd014e7d8e03de8640f2529352) HV-912 Not exposing accessible-made members
- [ea88f45](https://github.com/hibernate/hibernate-validator/commit/ea88f45ead1b1586fe47c6fa03bea226143ec05a) HV-912 Reducing accessibility of some classes and methods
- [cc782d6](https://github.com/hibernate/hibernate-validator/commit/cc782d6f51e261999af61df053b062bdc9864ef5) HV-912 Wrapping call to JAXBContext#newInstance() and Unmarshaller#unmarshal(...
- [43936f8](https://github.com/hibernate/hibernate-validator/commit/43936f83b10b93203801b6d63d8d0e14ead9e748) HV-912 Wrapping call to SchemaFactory#newSchema() into privileged action
- [e59d080](https://github.com/hibernate/hibernate-validator/commit/e59d080f55f23a208ffbf394a4096c5c43062b90) HV-912 Adding doPrivileged() block around ClassLoader#loadResource() call
- [7796507](https://github.com/hibernate/hibernate-validator/commit/779650713a35f86f24064c99e2be0717e6235cd2) HV-912 Removing methods from ReflectionHelper which make privileged operation...
- [4628c49](https://github.com/hibernate/hibernate-validator/commit/4628c499772a3109b9879330c61802fca5f1c141) HV-621 Treating Default group (which is probably most often used) special to ...
- Additional commits viewable in [compare view](https://github.com/hibernate/hibernate-validator/compare/4.2.0.Final...4.3.2.Final)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.hibernate:hibernate-validator&package-manager=maven&previous-version=4.2.0.Final&new-version=4.3.2.Final)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@de
[GitHub] [james-hupa] dependabot[bot] opened a new pull request, #4: Bump hibernate-validator from 4.2.0.Final to 4.3.2.Final in /client
dependabot[bot] opened a new pull request, #4: URL: https://github.com/apache/james-hupa/pull/4

Bumps [hibernate-validator](https://github.com/hibernate/hibernate-validator) from 4.2.0.Final to 4.3.2.Final.

Changelog

Sourced from [hibernate-validator's changelog](https://github.com/hibernate/hibernate-validator/blob/4.3.2.Final/changelog.txt).

4.3.2.Final (25.07.2014)

** Improvement
* [HV-885] - Contention generated on runtime lookup for @GroupSequence annotation
** Task
* [HV-912] - Improve integration with Java's security manager

4.3.1.Final (28.11.2012)

** Bug
* [HV-591] - EmailValidator throws an IllegalArgumentException for long email addresses
* [HV-601] - NPE w/ overloaded methods on class validated with MethodValidationInterceptor
* [HV-607] - Email Validator producing error for large email addresses
* [HV-609] - EmailValidator fails where email address is large
* [HV-613] - email handles complete address as idn label and fails for valid longer addresses
* [HV-622] - Assumes all getX/setX methods are bean properties and errors with "wrong number of arguments"
* [HV-623] - Wrong constraint validator type resolution in case of constraint placed on parameterized type in class hierarchy
* [HV-625] - EmailValidator.isValid sometimes throws an exception instead of returning false
* [HV-626] - AnnotationMetaDataProvider should use #getDeclaredAnnotations instead of #getAnnotations when reading metadata from class and members
** Task
* [HV-639] - Evaluation of composed constraints should stop on first validation error when @ReportAsSingleViolation is used

4.3.0.Final (09.05.2012)

** Improvement
* [HV-568] - Perform a profiling of the annotation processor code and make use of caching where appropriate
* [HV-577] - Include javadoc jar in Maven repo
** Task
* [HV-578] - Remove remaining references to slf4j
* [HV-580] - Remove deprecation of package org.hibernate.validator.group

4.3.0.CR1 (30.04.2012)

** Bug
* [HV-572] - Ensure the docs directory gets properly included into the distribution
* [HV-573] - Need graceful handling of return value constraint applied to method with void return type
* [HV-574] - Annotations processing fails with 4.3.0 Beta1
* [HV-575] - NPE in annotation processor ConstraintHelper.getName()
** Improvement
... (truncated)

Commits

- [8a14556](https://github.com/hibernate/hibernate-validator/commit/8a145568ce6a6a103be96d711fd24d83f444dc10) [maven-release-plugin] prepare release 4.3.2.Final
- [17aef88](https://github.com/hibernate/hibernate-validator/commit/17aef8890e6dff076c8b88cc9af400be2ac43b01) Changelog and readme updates prior to release 4.3.2.Final
- [763feff](https://github.com/hibernate/hibernate-validator/commit/763feff5e7cc0c2fef8abb3836f94567f8943488) HV-843 Making sure non public annotation members are accessible. Unifying han...
- [ab21ca9](https://github.com/hibernate/hibernate-validator/commit/ab21ca98fd7814bd014e7d8e03de8640f2529352) HV-912 Not exposing accessible-made members
- [ea88f45](https://github.com/hibernate/hibernate-validator/commit/ea88f45ead1b1586fe47c6fa03bea226143ec05a) HV-912 Reducing accessibility of some classes and methods
- [cc782d6](https://github.com/hibernate/hibernate-validator/commit/cc782d6f51e261999af61df053b062bdc9864ef5) HV-912 Wrapping call to JAXBContext#newInstance() and Unmarshaller#unmarshal(...
- [43936f8](https://github.com/hibernate/hibernate-validator/commit/43936f83b10b93203801b6d63d8d0e14ead9e748) HV-912 Wrapping call to SchemaFactory#newSchema() into privileged action
- [e59d080](https://github.com/hibernate/hibernate-validator/commit/e59d080f55f23a208ffbf394a4096c5c43062b90) HV-912 Adding doPrivileged() block around ClassLoader#loadResource() call
- [7796507](https://github.com/hibernate/hibernate-validator/commit/779650713a35f86f24064c99e2be0717e6235cd2) HV-912 Removing methods from ReflectionHelper which make privileged operation...
- [4628c49](https://github.com/hibernate/hibernate-validator/commit/4628c499772a3109b9879330c61802fca5f1c141) HV-621 Treating Default group (which is probably most often used) special to ...
- Additional commits viewable in [compare view](https://github.com/hibernate/hibernate-validator/compare/4.2.0.Final...4.3.2.Final)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.hibernate:hibernate-validator&package-manager=maven&previous-version=4.2.0.Final&new-version=4.3.2.Final)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@de
[GitHub] [james-hupa] dependabot[bot] opened a new pull request, #3: Bump jetty-server from 8.1.15.v20140411 to 10.0.10
dependabot[bot] opened a new pull request, #3: URL: https://github.com/apache/james-hupa/pull/3

Bumps [jetty-server](https://github.com/eclipse/jetty.project) from 8.1.15.v20140411 to 10.0.10.

Release notes

Sourced from [jetty-server's releases](https://github.com/eclipse/jetty.project/releases).

10.0.10

Special Thanks to the following Eclipse Jetty community members

- [@jianglai](https://github.com/jianglai) (Lai Jiang)
- [@markslater](https://github.com/markslater) (markslater)
- [@prenagha](https://github.com/prenagha) (Padraic Renaghan)

Changelog

- [#8136](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8136) - Cherry-pick of Improvements to PathSpec for Jetty 10.0.x
- [#8134](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8134) - Improve cleanup of deflater/inflater pools for PerMessageDeflateExtension
- [#8088](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8088) - Add option to configure exitVm on ShutdownMonitor from System properties
- [#8067](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8067) - Wall time usage in DoSFilter RateTracker results in false positive alert
- [#8057](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8057) - Support Http Response 103 (Early Hints)
- [#8014](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8014) - Review HttpRequest URI construction
- [#8008](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/8008) - Add compliance mode for LEGACY multipart parser in Jetty 10+
- [#7994](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7994) - Ability to construct a detached client Request
- [#7981](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7981) - Add TRANSFER_ENCODING violation for MultiPart RFC7578 parser. ([#7976](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7976))
- [#7977](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7977) - UpgradeHttpServletRequest.setAttribute & UpgradeHttpServletRequest.removeAttribute can throw NullPointerException
- [#7975](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7975) - ForwardedRequestCustomizer setters do not clear existing handlers
- [#7953](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7953) - Fix StatisticsHandler in the case a Handler throws exception.
- [#7935](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7935) - Review HTTP/2 error handling
- [#7929](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7929) - Correct requestlog formatString commented default ([@prenagha](https://github.com/prenagha))
- [#7924](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7924) - Fix a typo in Javadoc ([@jianglai](https://github.com/jianglai))
- [#7918](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7918) - PathMappings.asPathSpec does not allow root ServletPathSpec
- [#7891](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7891) - Better Servlet PathMappings for Regex
- [#7880](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7880) - DefaultServlet should not overwrite programmatically configured precompressed formats with defaults ([@markslater](https://github.com/markslater))
- [#7863](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7863) - Default servlet drops first accept-encoding header if there is more than one. ([@markslater](https://github.com/markslater))
- [#7858](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7858) - GZipHandler does not play nice with other handlers in HandlerCollection
- [#7818](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7818) - Modifying of HTTP headers in HttpChannel.Listener#onResponseBegin is no longer possible with Jetty 10
- [#7808](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7808) - Jetty 10.0.x 7801 duplicate set session cookie
- [#7802](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7802) - HTTP/3 QPACK - do not expect section ack for zero required insert count
- [#7754](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7754) - jetty.sh ignores JAVA_OPTIONS environment variable
- [#7748](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7748) - Allow overriding of url-pattern mapping in ServletContextHandler to allow for regex or uri-template matching
- [#7635](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/7635) - QPACK decoder should fail connection if the encoder blocks more than SETTINGS_QPACK_BLOCKED_STREAMS
- [#4414](https://github-redirect.dependabot.com/eclipse/jetty.project/issues/4414) - GZipHandler not excluding inflation for specified paths
- https://github-redir
[GitHub] [james-hupa] chibenwa merged pull request #2: Retire Apache James HUPA
chibenwa merged pull request #2: URL: https://github.com/apache/james-hupa/pull/2

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
[GitHub] [james-hupa] chibenwa opened a new pull request #2: Retire Apache James HUPA
chibenwa opened a new pull request #2: URL: https://github.com/apache/james-hupa/pull/2
[GitHub] [james-hupa] dongxuwang commented on issue #1: [SECURITY] Use HTTPS to resolve dependencies in Maven Build
dongxuwang commented on issue #1: [SECURITY] Use HTTPS to resolve dependencies in Maven Build URL: https://github.com/apache/james-hupa/pull/1#issuecomment-585513582

Thanks @JLLeitschuh
[GitHub] [james-hupa] dongxuwang merged pull request #1: [SECURITY] Use HTTPS to resolve dependencies in Maven Build
dongxuwang merged pull request #1: [SECURITY] Use HTTPS to resolve dependencies in Maven Build URL: https://github.com/apache/james-hupa/pull/1
[GitHub] [james-hupa] JLLeitschuh opened a new pull request #1: [SECURITY] Use HTTPS to resolve dependencies in Maven Build
JLLeitschuh opened a new pull request #1: [SECURITY] Use HTTPS to resolve dependencies in Maven Build URL: https://github.com/apache/james-hupa/pull/1

[![mitm_build](https://user-images.githubusercontent.com/1323708/59226671-90645200-8ba1-11e9-8ab3-39292bef99e9.jpeg)](https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)

- [Want to take over the Java ecosystem? All you need is a MITM!](https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)
- [Update: Want to take over the Java ecosystem? All you need is a MITM!](https://medium.com/bugbountywriteup/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23?source=friends_link&sk=8c8e52a7d57b98d0b7e541665688b454)

---

This is a security fix for a vulnerability in your [Apache Maven](https://maven.apache.org/) `pom.xml` file(s).

The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. This leaves your build vulnerable to allowing a [Man in the Middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) (MITM) attacker to execute arbitrary code on your computer or CI/CD system.

This vulnerability has a CVSS v3.0 Base Score of [8.1/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

[POC code](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/) has existed since 2014 to maliciously compromise a JAR file in-flight.

MITM attacks against HTTP are [increasingly common](https://security.stackexchange.com/a/12050), for example [Comcast is known to have done it to their own users](https://thenextweb.com/insights/2017/12/11/comcast-continues-to-inject-its-own-code-into-websites-you-visit/#).

This contribution is a part of a submission to the [GitHub Security Lab](https://securitylab.github.com/) Bug Bounty program.

## Detecting this and Future Vulnerabilities

This vulnerability was automatically detected by [LGTM.com](https://lgtm.com) using this [CodeQL Query](https://lgtm.com/rules/155648721/).

As of September 2019 LGTM.com and Semmle are [officially a part of GitHub](https://github.blog/2019-09-18-github-welcomes-semmle/).

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) [LGTM App](https://github.com/marketplace/lgtm).

I'm not an employee of GitHub nor of Semmle, I'm simply a user of [LGTM.com](https://lgtm.com) and an open-source security researcher.

## Source

Yes, this contribution was automatically generated, however, the code to generate this PR was lovingly hand crafted to bring this security fix to your repository.

The source code that generated and submitted this PR can be found here: [JLLeitschuh/bulk-security-pr-generator](https://github.com/JLLeitschuh/bulk-security-pr-generator)

## Opting-Out

If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called `.github/GH-ROBOTS.txt` to your repository with the line:

```
User-agent: JLLeitschuh/bulk-security-pr-generator
Disallow: *
```

This bot will respect the [ROBOTS.txt](https://moz.com/learn/seo/robotstxt) format for future contributions.

Alternatively, if this project is no longer actively maintained, consider [archiving](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-archiving-repositories) the repository.

## CLA Requirements

_This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions._

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.

> The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin
> (see [https://developercertificate.org/](https://developercertificate.org/) for more information).
>
> \- [Git Commit Signoff documentation](https://developercertificate.org/)

If signing your organization's CLA is a strict requirement for merging this contribution, please feel free to close this PR.

## Tracking

All PRs generated as part of this fix are tracked here: https://github.com/JLLeitschuh/bulk-security-pr-generator/issues/2
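The weak setting the pull request above fixes, an artifact repository declared with a plain `http://` URL in `pom.xml`, can be checked for locally before a bot has to file a PR. The following is an added example, not code from JLLeitschuh's generator, from LGTM, or from the james-hupa project: a small scanner that parses a POM, reports every `<repository>`, `<pluginRepository>` and `<snapshotRepository>` whose `<url>` uses plain HTTP, and emits a copy with those URLs switched to `https://`. The `pom.xml` text is constructed for the demo; the element names it inspects are standard Maven POM elements. One caveat the scanner itself encodes: the POM's own `xmlns` value is an `http://` URI, but it is an identifier rather than a download location, so only `<url>` children of repository elements are examined.

```python
"""Find Maven repositories resolved over plain HTTP and rewrite them to HTTPS."""
import xml.etree.ElementTree as ET

# Constructed sample POM for this example (not the james-hupa project's real pom.xml).
# The first repository and the plugin repository deliberately use http:// so the
# scanner has something to flag; the central mirror is already https:// and is left alone.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>example-repo</id>
      <url>http://repo.example.org/maven2</url>
    </repository>
    <repository>
      <id>central-mirror</id>
      <url>https://repo1.maven.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>example-plugins</id>
      <url>HTTP://plugins.example.org/maven2/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Elements whose <url> child is a place artifacts are downloaded from or uploaded to.
# The project-level <url>, <scm> and <site> URLs are informational and are not touched.
REPO_TAGS = ("repository", "pluginRepository", "snapshotRepository")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _is_plain_http(url):
    """True when the scheme is http (case-insensitive), i.e. no transport protection."""
    return url is not None and url.strip().lower().startswith("http://")


def find_http_repositories(pom_xml):
    """Return [(repository id, url)] for every repository declared over plain http://.

    Walks the whole tree, so repositories inside <profiles> or
    <distributionManagement> are found as well as the top-level ones.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        repo_id = next((c.text for c in elem if _local(c.tag) == "id"), None)
        url = next((c.text for c in elem if _local(c.tag) == "url"), None)
        if _is_plain_http(url):
            findings.append((repo_id, url.strip()))
    return findings


def rewrite_to_https(pom_xml):
    """Return the POM text with every plain-http repository URL switched to https://.

    Only the scheme is changed; whether the host actually serves HTTPS with a valid
    certificate still has to be confirmed by running the build afterwards.
    """
    ET.register_namespace("", POM_NS)  # keep the default namespace instead of ns0: prefixes
    root = ET.fromstring(pom_xml)
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        for child in elem:
            if _local(child.tag) == "url" and _is_plain_http(child.text):
                child.text = "https://" + child.text.strip()[len("http://"):]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for repo_id, url in find_http_repositories(SAMPLE_POM):
        print(f"insecure repository {repo_id!r}: {url}")
    fixed = rewrite_to_https(SAMPLE_POM)
    assert find_http_repositories(fixed) == []
    print(fixed)
```

Run against a real project's `pom.xml` (and its parent POMs and `~/.m2/settings.xml`, where repositories and mirrors are also declared), the report is the list of locations a network position between the build host and the repository could tamper with; the rewritten file is the same fix the PR applies by hand.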