Build failed in Jenkins: ManifoldCF » ManifoldCF-ant-1x #45

2022-06-09 Thread Apache Jenkins Server
See 


Changes:


--
Started by an SCM change
Running as SYSTEM
[EnvInject] - Loading node environment variables.
Building remotely on builds35 (ubuntu) in workspace 

Updating https://svn.apache.org/repos/asf/manifoldcf/branches/dev_1x at 
revision '2022-06-10T02:04:07.847 +'
At revision 1901798

[ManifoldCF-ant-1x] $ ant clean-core-deps make-core-deps clean
Buildfile: 

Trying to override old definition of task javac

clean-core-deps:
   [delete] Deleting directory 


download-resteasy:
[mkdir] Created dir: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/jboss/resteasy/resteasy-jaxrs/3.0.8.Final/resteasy-jaxrs-3.0.8.Final.jar
  [get] To: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/jboss/resteasy/resteasy-client/3.0.8.Final/resteasy-client-3.0.8.Final.jar
  [get] To: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/jboss/resteasy/jaxrs-api/3.0.8.Final/jaxrs-api-3.0.8.Final.jar
  [get] To: 


download-jsoup:

setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/jsoup/jsoup/1.8.1/jsoup-1.8.1.jar
  [get] To: 


download-mockito:

setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/mockito/mockito-core/1.9.5/mockito-core-1.9.5.jar
  [get] To: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/com/github/tomakehurst/wiremock/1.34/wiremock-1.34.jar
  [get] To: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/objenesis/objenesis/2.1/objenesis-2.1.jar
  [get] To: 


download-alfresco-webscript-plugin:
[mkdir] Created dir: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/com/github/maoo/indexer/alfresco-indexer-webscripts/0.7.0/alfresco-indexer-webscripts-0.7.0.amp
  [get] To: 


download-guava:

setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/com/google/guava/guava/15.0/guava-15.0.jar
  [get] To: 


download-alfresco-indexer-client:

setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/com/github/maoo/indexer/alfresco-indexer-client/0.7.0/alfresco-indexer-client-0.7.0.jar
  [get] To: 


setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/com/google/code/gson/gson/2.2.4/gson-2.2.4.jar
  [get] To: 


download-mongo-java-driver:

setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/org/mongodb/mongo-java-driver/2.11.3/mongo-java-driver-2.11.3.jar
  [get] To: 


download-jira-client:

setup-maven-url:

download-via-maven:
  [get] Getting: 
https://repo1.maven.org/maven2/com/googlecode/json-simple/json-simple/1.1/json-simple-1.1.jar
  [get] To: 


download-google-api-client:

setup-maven-url:

download-via-maven:
  [get] Getting: 

[GitHub] [manifoldcf] dependabot[bot] commented on pull request #119: Bump xercesImpl from 2.10.0 to 2.12.2 in /connectors/searchblox

2022-06-09 Thread GitBox


dependabot[bot] commented on PR #119:
URL: https://github.com/apache/manifoldcf/pull/119#issuecomment-1151366294

   OK, I won't notify you again about this release, but will get in touch when 
a new version is available. If you'd rather skip all updates until the next 
major or minor version, let me know by commenting `@dependabot ignore this 
major version` or `@dependabot ignore this minor version`.
   
   If you change your mind, just re-open this PR and I'll resolve any conflicts 
on it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@manifoldcf.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [manifoldcf] asfgit closed pull request #119: Bump xercesImpl from 2.10.0 to 2.12.2 in /connectors/searchblox

2022-06-09 Thread GitBox


asfgit closed pull request #119: Bump xercesImpl from 2.10.0 to 2.12.2 in 
/connectors/searchblox
URL: https://github.com/apache/manifoldcf/pull/119





[jira] [Updated] (CONNECTORS-1717) upgrade to log4j 2.17.2

2022-06-09 Thread PJ Fanning (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

PJ Fanning updated CONNECTORS-1717:
---
Summary: upgrade to log4j 2.17.2  (was: upgrade to connectors 2.17.2)

> upgrade to log4j 2.17.2
> ---
>
> Key: CONNECTORS-1717
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1717
> Project: ManifoldCF
>  Issue Type: Improvement
>Affects Versions: ManifoldCF 2.22
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
> Fix For: ManifoldCF 2.23
>
> Attachments: patch.txt
>
>
> ant build.xml has version 2.15.0
> pom.xml has 2.17.0
> chemistry dependency seems to have log4j 2.17.2
> there are issues in versions up to v2.17.1
> seems best to standardise on 2.17.2



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Assigned] (CONNECTORS-1717) upgrade to connectors 2.17.2

2022-06-09 Thread Karl Wright (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright reassigned CONNECTORS-1717:
---

Assignee: Karl Wright

> upgrade to connectors 2.17.2
> 
>
> Key: CONNECTORS-1717
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1717
> Project: ManifoldCF
>  Issue Type: Improvement
>Affects Versions: ManifoldCF 2.22
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
> Attachments: patch.txt
>
>
> ant build.xml has version 2.15.0
> pom.xml has 2.17.0
> chemistry dependency seems to have log4j 2.17.2
> there are issues in versions up to v2.17.1
> seems best to standardise on 2.17.2





[GitHub] [manifoldcf] pjfanning commented on pull request #120: upgrade commons-beanutils

2022-06-09 Thread GitBox


pjfanning commented on PR #120:
URL: https://github.com/apache/manifoldcf/pull/120#issuecomment-1151170389

   https://issues.apache.org/jira/browse/CONNECTORS-1714 is resolved





[GitHub] [manifoldcf] pjfanning closed pull request #120: upgrade commons-beanutils

2022-06-09 Thread GitBox


pjfanning closed pull request #120: upgrade commons-beanutils
URL: https://github.com/apache/manifoldcf/pull/120





[jira] [Created] (CONNECTORS-1717) upgrade to connectors 2.17.2

2022-06-09 Thread PJ Fanning (Jira)
PJ Fanning created CONNECTORS-1717:
--

 Summary: upgrade to connectors 2.17.2
 Key: CONNECTORS-1717
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1717
 Project: ManifoldCF
  Issue Type: Improvement
Reporter: PJ Fanning


ant build.xml has version 2.15.0
pom.xml has 2.17.0
chemistry dependency seems to have log4j 2.17.2

there are issues in versions up to v2.17.1

seems best to standardise on 2.17.2





[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552161#comment-17552161
 ] 

PJ Fanning commented on CONNECTORS-1716:


Thanks [~kwri...@metacarta.com] - would it be possible to uptake the 2 other 
URL updates (for Rat and clojars)? I tested those with:

```
ant rat-bootstrap1
ant download-h2-support
```

> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Comment Edited] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552149#comment-17552149
 ] 

Karl Wright edited comment on CONNECTORS-1715 at 6/9/22 11:50 AM:
--

[~pj.fanning], this is a blanket scan identifying jars with known CVEs.  There 
has been no analysis done whatsoever about whether the specific CVE attack is 
even a possibility in the ManifoldCF environment.  That's a lot of work but I 
will wager after all of that the major problem is that the tool doesn't 
understand the actual usage of ManifoldCF and is thus incapable of giving good 
advice.

Another thing to note is that most of ManifoldCF's dependencies come from Tika. 
 We just upgraded a month ago to the latest Tika 1.x version, which required 
massive dependency updates precisely to address CVEs that had been noted.  This 
took me almost three weeks because many of the underlying contracts in the jars 
also had to be updated.  That's a lot of work if a vulnerability cannot in fact 
be exploited at all, just to make a dumb tool happy.

I think it's fine if a careful analysis is done and an ACTUAL vulnerability is 
detected, but we want to not be stupid about this.  Can't afford it.




was (Author: kwri...@metacarta.com):
[~pj.fanning], this is a blanket scan identifying jars with known CVEs.  There 
has been no analysis done whatsoever about whether the specific CVE attack is 
even a possibility in the ManifoldCF environment.  That's a lot of work but I 
will wager after all of that the major problem is that the tool doesn't 
understand the actual usage of ManifoldCF and is thus incapable of giving good 
advice.


> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Assignee: Karl Wright
>Priority: Major
> Fix For: ManifoldCF 2.23
>
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552149#comment-17552149
 ] 

Karl Wright commented on CONNECTORS-1715:
-

[~pj.fanning], this is a blanket scan identifying jars with known CVEs.  There 
has been no analysis done whatsoever about whether the specific CVE attack is 
even a possibility in the ManifoldCF environment.  That's a lot of work but I 
will wager after all of that the major problem is that the tool doesn't 
understand the actual usage of ManifoldCF and is thus incapable of giving good 
advice.


> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Assignee: Karl Wright
>Priority: Major
> Fix For: ManifoldCF 2.23
>
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552145#comment-17552145
 ] 

PJ Fanning commented on CONNECTORS-1715:


[~himanshu-v] any chance that you could raise separate issues for the jars you 
are most concerned about and submit PRs with the fixes?

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Assignee: Karl Wright
>Priority: Major
> Fix For: ManifoldCF 2.23
>
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Commented] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552132#comment-17552132
 ] 

Karl Wright commented on CONNECTORS-1714:
-

r1901777


> upgrade commons-beanutils due to CVE
> 
>
> Key: CONNECTORS-1714
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> https://github.com/advisories/GHSA-6phf-73q6-gh87
> https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml 
> -- upgrade beanutils to v1.9.4





[jira] [Resolved] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread Karl Wright (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright resolved CONNECTORS-1714.
-
Fix Version/s: ManifoldCF 2.23
   Resolution: Fixed

Thanks, [~pj.fanning]!

> upgrade commons-beanutils due to CVE
> 
>
> Key: CONNECTORS-1714
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
> Fix For: ManifoldCF 2.23
>
>
> https://github.com/advisories/GHSA-6phf-73q6-gh87
> https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml 
> -- upgrade beanutils to v1.9.4





[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552090#comment-17552090
 ] 

Karl Wright commented on CONNECTORS-1716:
-

Tried that URL here and it worked fine via "ant download-nuxeo-client":

{code}
BUILD SUCCESSFUL
Total time: 5 seconds
{code}

So I committed that change.


> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552086#comment-17552086
 ] 

Karl Wright commented on CONNECTORS-1716:
-

That sounds like a workable option for the moment.  I'll commit it if it seems 
to download the artifacts needed correctly.


> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Commented] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552084#comment-17552084
 ] 

Karl Wright commented on CONNECTORS-1714:
-

[~pj.fanning], I did not configure or set up the Travis build and it seems like 
it was broken before you started.  But I did look at the patch and it doesn't 
look to me like it's complete.  I have a busy workday today so I won't be able 
to spend hours on this but I do need to point out that the Maven build for MCF 
is secondary, not primary, so you first want to make sure that the ant build is 
correct in any case.

Thanks!


> upgrade commons-beanutils due to CVE
> 
>
> Key: CONNECTORS-1714
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> https://github.com/advisories/GHSA-6phf-73q6-gh87
> https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml 
> -- upgrade beanutils to v1.9.4





[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552081#comment-17552081
 ] 

PJ Fanning commented on CONNECTORS-1716:


https://maven-eu.nuxeo.org/nexus/content/repositories/public-releases/ might be 
an option - I have made the change in my PR and will see if it works there.

> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





Decommission Nuxeo connector?

2022-06-09 Thread Karl Wright
Hi all,

The Nuxeo connector relies on a downloaded client jar that cannot be
downloaded with a working secure connection (because the Nuxeo maven's SSL
certificate has expired).

Unless this can be addressed we have no choice but to remove the connector
from our suite.  Please respond if you have any influence at Nuxeo
sufficient to address this problem.  Thanks in advance.

Karl


[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552079#comment-17552079
 ] 

Karl Wright commented on CONNECTORS-1716:
-

I looked into the nuxeo case; this is a client library required for building 
the nuxeo connector, so it is not just a testing artifact (where I have 
encountered poor adherence to ssl use in the past).  Unfortunately, as you 
point out, nuxeo's cert has expired and the only solution is to fully 
decommission the Nuxeo connector until this has been addressed.



> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552074#comment-17552074
 ] 

Karl Wright commented on CONNECTORS-1716:
-

[~pj.fanning] I am well aware of the reason.  The only option, however, is to 
turn off the specific integration test.

Please note that the integration tests are NOT run until after the build takes 
place, so they will not have any potential of corrupting the build.  Testing 
artifacts are not distributed as part of the distribution either.



> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[GitHub] [manifoldcf] DaddyWri commented on pull request #120: upgrade commons-beanutils

2022-06-09 Thread GitBox


DaddyWri commented on PR #120:
URL: https://github.com/apache/manifoldcf/pull/120#issuecomment-1150884030

   Introducing a single dependency change for the alfresco connector in a pom 
is insufficient to address this issue, since Maven is not the primary build 
platform for ManifoldCF - ant is.  You will need to address this change in 
build.xml and the root pom, if indeed common-beans is included there (it may 
not be).
   
   Github is a mirror of the main svn repository for manifoldcf also, but I can 
extract a patch from it.
   





[jira] [Comment Edited] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552069#comment-17552069
 ] 

PJ Fanning edited comment on CONNECTORS-1716 at 6/9/22 9:19 AM:


[~kwri...@metacarta.com] https://github.com/apache/manifoldcf/pull/121

The reason not to use http in the build is that malicious actors could spoof 
the maven repo and you could end up building with a hacked version of the third 
party lib.


was (Author: pj.fanning):
[~kwri...@metacarta.com] https://github.com/apache/manifoldcf/pull/121

> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/



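The comment above gives the reason the ticket exists: a build that fetches jars over plain http lets an on-path party substitute the artifact. The script below, added here as an illustration and not code from ManifoldCF or anyone in the thread, shows the two checks a maintainer would want in that situation: an audit that walks an Ant build file, expands `${property}` references and lists every `<get>` whose resolved URL is plaintext http, and a pinned SHA-256 comparison for the case the thread describes where a supplier cannot serve a valid https certificate. The build.xml fragment, host names and artifact bytes are constructed samples, not the project's real build file.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample build file (not ManifoldCF's real build.xml). It mixes a
# secure base URL, an insecure one reached through a property, and a literal
# http:// URL for a test fixture.
SAMPLE_BUILD_XML = """<project name="sample" default="download-all">
  <property name="central-base" value="https://repo.example.org/maven2"/>
  <property name="vendor-base" value="http://vendor-repo.example.com/releases"/>
  <target name="download-parser">
    <get src="${central-base}/org/example/parser/1.0/parser-1.0.jar"
         dest="lib/parser-1.0.jar"/>
  </target>
  <target name="download-vendor-client">
    <get src="${vendor-base}/com/vendor/client/2.0/client-2.0.jar"
         dest="lib/client-2.0.jar"/>
  </target>
  <target name="download-test-db">
    <get src="http://fixtures.example.com/testdb-1.2.tgz"
         dest="test-materials/testdb-1.2.tgz"/>
  </target>
</project>
"""

_PROP_REF = re.compile(r"\$\{([^}]+)\}")


def resolve(value, props, max_depth=10):
    """Expand ${name} references the way Ant does, up to a bounded depth."""
    for _ in range(max_depth):
        expanded = _PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            return expanded
        value = expanded
    return value


def find_insecure_downloads(xml_text):
    """Return (target name, resolved URL) for every <get> whose src is plain http://.

    Each hit is a point where the build, not just its tests, would accept
    whatever an on-path party chose to serve.
    """
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value", "")
             for p in root.iter("property") if p.get("name")}
    hits = []
    for target in root.iter("target"):
        for get in target.iter("get"):
            url = resolve(get.get("src", ""), props)
            if url.lower().startswith("http://"):
                hits.append((target.get("name"), url))
    return hits


def verify_artifact(data, expected_sha256):
    """Compare a downloaded artifact with a digest pinned in the build.

    This is the fallback for a supplier that cannot serve a valid https
    certificate: pin the digest rather than relaxing certificate checks.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# Constructed stand-in for a downloaded jar; PINNED_SHA256 is the SHA-256 of
# the bytes b"abc", standing in for a digest recorded in the build file.
SAMPLE_ARTIFACT = b"abc"
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    for target, url in find_insecure_downloads(SAMPLE_BUILD_XML):
        print(f"insecure download in target {target}: {url}")
    print("artifact digest ok:", verify_artifact(SAMPLE_ARTIFACT, PINNED_SHA256))
```

Running it flags the vendor client (insecure only through the property it expands) and the test fixture, and leaves the https download alone; the digest check is what replaces the `-k`-style shortcut when a mirror's certificate is broken.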


[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552069#comment-17552069
 ] 

PJ Fanning commented on CONNECTORS-1716:


[~kwri...@metacarta.com] https://github.com/apache/manifoldcf/pull/121

> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Commented] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552068#comment-17552068
 ] 

PJ Fanning commented on CONNECTORS-1714:


[~kwri...@metacarta.com] https://github.com/apache/manifoldcf/pull/120 - build 
is failing but I'm not sure if the build is failing due to the PR change or if 
the issue is unrelated

> upgrade commons-beanutils due to CVE
> 
>
> Key: CONNECTORS-1714
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> https://github.com/advisories/GHSA-6phf-73q6-gh87
> https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml 
> -- upgrade beanutils to v1.9.4





[jira] [Comment Edited] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552065#comment-17552065
 ] 

Karl Wright edited comment on CONNECTORS-1716 at 6/9/22 9:15 AM:
-

Please propose a patch.

I am not certain what downloads you are specifically talking about but this 
happens only during the build process, and may be for a testing artifact.  In 
some cases https is not used because it is not supported by the test component 
supplier, e.g. alfresco or mongodb.  If you can find a way around that, great, 
if not there is nothing we can do about it - e.g. the nuxeo case.  You should 
file a ticket with them.



was (Author: kwri...@metacarta.com):
Please propose a patch.

I am not certain what downloads you are specifically talking about but this 
happens only during the build process, and may be for a testing artifact.  In 
some cases https is not used because it is not supported by the test component 
supplier, e.g. alfresco or mongodb.  If you can find a way around that, great, 
if not there is nothing we can do about it.


> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[GitHub] [manifoldcf] pjfanning commented on pull request #120: upgrade commons-beanutils

2022-06-09 Thread GitBox


pjfanning commented on PR #120:
URL: https://github.com/apache/manifoldcf/pull/120#issuecomment-1150877556

   maven build in travis failing due to tika appearing to use the wrong 
commons-io jar - not sure if this is somehow related to the PR change





[jira] [Commented] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552065#comment-17552065
 ] 

Karl Wright commented on CONNECTORS-1716:
-

Please propose a patch.

I am not certain what downloads you are specifically talking about but this 
happens only during the build process, and may be for a testing artifact.  In 
some cases https is not used because it is not supported by the test component 
supplier, e.g. alfresco or mongodb.  If you can find a way around that, great, 
if not there is nothing we can do about it.


> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Assigned] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread Karl Wright (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright reassigned CONNECTORS-1716:
---

Assignee: Karl Wright

> should not use http to download artifacts (need https)
> --
>
> Key: CONNECTORS-1716
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> build.xml has a number of insecure http URLs
> the nexus one is a special problem because the https equivalent has the wrong 
> SSL cert - see https://maven.nuxeo.com/





[jira] [Commented] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552060#comment-17552060
 ] 

Karl Wright commented on CONNECTORS-1714:
-

Please propose a patch.
Thanks.


> upgrade commons-beanutils due to CVE
> 
>
> Key: CONNECTORS-1714
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> https://github.com/advisories/GHSA-6phf-73q6-gh87
> https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml 
> -- upgrade beanutils to v1.9.4





[jira] [Assigned] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread Karl Wright (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright reassigned CONNECTORS-1714:
---

Assignee: Karl Wright

> upgrade commons-beanutils due to CVE
> 
>
> Key: CONNECTORS-1714
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
> Project: ManifoldCF
>  Issue Type: Bug
>Reporter: PJ Fanning
>Assignee: Karl Wright
>Priority: Major
>
> https://github.com/advisories/GHSA-6phf-73q6-gh87
> https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml 
> -- upgrade beanutils to v1.9.4





[jira] [Assigned] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Karl Wright (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright reassigned CONNECTORS-1715:
---

Assignee: Karl Wright

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Assignee: Karl Wright
>Priority: Major
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Resolved] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Karl Wright (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Wright resolved CONNECTORS-1715.
-
Fix Version/s: ManifoldCF 2.23
   Resolution: Won't Fix

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Assignee: Karl Wright
>Priority: Major
> Fix For: ManifoldCF 2.23
>
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Karl Wright (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552059#comment-17552059
 ] 

Karl Wright commented on CONNECTORS-1715:
-

Sorry, most of these cannot be upgraded because there is nothing to upgrade to. 
 Example: Axis jars.

A quick look shows that the kinds of attacks listed here are operating modes 
for the jars in question that would make the attack vector impossible to 
exploit in ManifoldCF.  ManifoldCF indexes data from/to trusted systems, so an 
attack on ManifoldCF itself from such a setup would have to involve a 
man-in-the-middle, which can trivially be avoided if you are on either a secure 
network or use Https for your connections to your repositories.  ManifoldCF's 
UI and API we recommend also be localized to an internal network, but in any 
case they are what we secure.  Database connection security is left as an 
exercise for the user; it's beyond the scope of the ManifoldCF project.

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Priority: Major
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[GitHub] [manifoldcf] pjfanning opened a new pull request, #121: use https in build.xml to download jars

2022-06-09 Thread GitBox


pjfanning opened a new pull request, #121:
URL: https://github.com/apache/manifoldcf/pull/121

   https://issues.apache.org/jira/browse/CONNECTORS-1716


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@manifoldcf.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[jira] [Created] (CONNECTORS-1716) should not use http to download artifacts (need https)

2022-06-09 Thread PJ Fanning (Jira)
PJ Fanning created CONNECTORS-1716:
--

 Summary: should not use http to download artifacts (need https)
 Key: CONNECTORS-1716
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1716
 Project: ManifoldCF
  Issue Type: Bug
Reporter: PJ Fanning


build.xml has a number of insecure http URLs

the nexus one is a special problem because the https equivalent has the wrong 
SSL cert - see https://maven.nuxeo.com/



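An added example, not part of this thread or of ManifoldCF's own build: a small Python check that scans an Ant build file for `<get>` downloads over plain http and proposes the https rewrite, while holding back hosts such as maven.nuxeo.com whose https endpoint the issue reports as having the wrong certificate, so those get a manual-review flag instead of a blind rewrite. The sample build.xml, the artifact paths on the nexus host and the attribute list are constructed for the example.

```python
"""Scan an Ant build file for plain-http download URLs (the CONNECTORS-1716 problem).

Constructed example, not ManifoldCF's build.xml or tooling. The sample build
file below is made up; only the host names come from the issue thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Attributes that carry a download URL. Assumption: <get src=...> is the task
# used by the build.xml in the thread; "url" is included as a generic extra.
URL_ATTRS = ("src", "url")

# Hosts whose https endpoint is reported unusable (wrong SSL cert) in the
# thread. Rewriting these to https would simply break the build, so they
# are reported for manual review rather than auto-fixed.
MANUAL_REVIEW_HOSTS = {"maven.nuxeo.com"}

# Constructed sample; the nexus path is a placeholder, not a real artifact.
SAMPLE_BUILD_XML = """<project name="sample">
  <target name="download-via-maven">
    <get src="http://repo1.maven.org/maven2/org/jsoup/jsoup/1.8.1/jsoup-1.8.1.jar"
         dest="lib/jsoup-1.8.1.jar"/>
    <get src="https://repo1.maven.org/maven2/org/objenesis/objenesis/2.1/objenesis-2.1.jar"
         dest="lib/objenesis-2.1.jar"/>
    <get src="http://maven.nuxeo.com/nexus/content/groups/public/example/artifact.jar"
         dest="lib/artifact.jar"/>
  </target>
</project>"""


def find_http_urls(build_xml: str):
    """Return (url, fix) pairs for every plain-http URL in the build file.

    fix is the https rewrite, or None when the host needs manual review.
    """
    root = ET.fromstring(build_xml)
    findings = []
    for elem in root.iter():
        for attr in URL_ATTRS:
            url = elem.get(attr)
            if not url:
                continue
            parts = urlsplit(url)
            if parts.scheme.lower() != "http":
                continue  # https (or a non-URL value) is fine
            if parts.hostname in MANUAL_REVIEW_HOSTS:
                findings.append((url, None))
            else:
                findings.append((url, urlunsplit(("https",) + tuple(parts[1:]))))
    return findings


if __name__ == "__main__":
    for url, fix in find_http_urls(SAMPLE_BUILD_XML):
        print(f"{url}\n  -> {fix or 'MANUAL REVIEW: https endpoint known to be broken'}")
```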


[jira] [Updated] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Himanshu (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu updated CONNECTORS-1715:
-
Attachment: (was: dependency-check-report-EasySearch.html)

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Priority: Major
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Updated] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Himanshu (Jira)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu updated CONNECTORS-1715:
-
Attachment: dependency-check-report-Apache Manifold.html

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---
>
> Key: CONNECTORS-1715
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
> Project: ManifoldCF
>  Issue Type: Bug
>Affects Versions: ManifoldCF 2.22
>Reporter: Himanshu
>Priority: Major
> Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Created] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

2022-06-09 Thread Himanshu (Jira)
Himanshu created CONNECTORS-1715:


 Summary: Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
 Key: CONNECTORS-1715
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
 Project: ManifoldCF
  Issue Type: Bug
Affects Versions: ManifoldCF 2.22
Reporter: Himanshu
 Attachments: dependency-check-report-EasySearch.html

45 vulnerable jars are present in apache-manifoldcf version 2.22.1





[jira] [Created] (CONNECTORS-1714) upgrade commons-beanutils due to CVE

2022-06-09 Thread PJ Fanning (Jira)
PJ Fanning created CONNECTORS-1714:
--

 Summary: upgrade commons-beanutils due to CVE
 Key: CONNECTORS-1714
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1714
 Project: ManifoldCF
  Issue Type: Bug
Reporter: PJ Fanning


https://github.com/advisories/GHSA-6phf-73q6-gh87

https://github.com/apache/manifoldcf/blob/trunk/connectors/alfresco/pom.xml -- 
upgrade beanutils to v1.9.4


