Posted to dev@cxf.apache.org by "Jonathan S. Fisher" <ex...@gmail.com> on 2017/06/06 15:44:32 UTC

CXF 2.6 branch

Hello guys!

I have backported a few commits to the CXF 2.6 branch to close several CVEs.

If possible, may I submit these somewhere for review, and would it be possible
to get a maintenance release completed? I know the branch is long dead, but
over at the TomEE project, we're trying to produce a maintenance release for
the community on our 1.7.x series of server (JEE6) which still sees heavy
production use.

Thank you for consideration,

-Jonathan





--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-2-6-branch-tp5780961.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
I'll call a vote shortly. Note that I removed the toolchains stuff, and
specified "1.5" for the compiler source + target as it was before - I was
having trouble using Java 7 to do mvn release:prepare with toolchains.

Colm.

On Fri, Jul 28, 2017 at 4:02 PM, jgallimore <jo...@gmail.com>
wrote:

> Ah, my bad. My local branch was out of date. Please ignore this, I'll close
> the PR. Is there anything else that needs to happen to close this off?
> Happy
> to help in any way I can.
>
> Thanks
>
> Jon
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: CXF 2.6 branch

Posted by jgallimore <jo...@gmail.com>.
Ah, my bad. My local branch was out of date. Please ignore this, I'll close
the PR. Is there anything else that needs to happen to close this off? Happy
to help in any way I can.

Thanks

Jon




Re: CXF 2.6 branch

Posted by jgallimore <jo...@gmail.com>.
Sounds like I may have done something incorrectly... I apologize. Am I using
the correct branch in git? I used the 2.6.x-fixes:
https://github.com/apache/cxf/tree/2.6.x-fixes

I did also try grabbing my PR as a diff
(https://patch-diff.githubusercontent.com/raw/apache/cxf/pull/298.diff) and
applying it manually to a checkout of the 2.6.x-fixes branch :

----
Jonathans-MacBook-Pro:cxf jgallimore$ git status
On branch 2.6.x-fixes
Your branch is up-to-date with 'origin/2.6.x-fixes'.
nothing to commit, working tree clean
Jonathans-MacBook-Pro:cxf jgallimore$ git apply < ~/cxf.diff
Jonathans-MacBook-Pro:cxf jgallimore$ git status
On branch 2.6.x-fixes
Your branch is up-to-date with 'origin/2.6.x-fixes'.
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   api/src/main/java/org/apache/cxf/helpers/FileUtils.java
	modified:   rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java

no changes added to commit (use "git add" and/or "git commit -a")
----

Do let me know if I have messed up somewhere, or if there is a
better/different way to get you a patch.

I did also see Jonathan's issue with CharSequence on the Jenkins CI. I built
with JDK 1.6 here, and that didn't have that issue.

Many thanks

Jon




Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
That patch does not apply to the 2.6.x branch?

error: patch failed: api/src/main/java/org/apache/cxf/helpers/FileUtils.java:32
error: api/src/main/java/org/apache/cxf/helpers/FileUtils.java: patch does not apply
error: patch failed: rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java:526
error: rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java: patch does not apply


Colm.

On Wed, Jul 26, 2017 at 9:12 PM, jgallimore <jo...@gmail.com>
wrote:

> Hi
>
> I had a look at the branch, and it seems to build perfectly and all tests
> pass, except I had a couple of checkstyle errors, which I fixed in this PR:
> https://github.com/apache/cxf/pull/298
>
> If it is sill at all possible for a release, that would be incredibly
> awesome of you. I'm happy to help with it in any way that I can.
>
> Many thanks!
>
> Jon
>
>
>




Re: CXF 2.6 branch

Posted by jgallimore <jo...@gmail.com>.
Hi

I had a look at the branch, and it seems to build perfectly and all tests
pass, except I had a couple of checkstyle errors, which I fixed in this PR:
https://github.com/apache/cxf/pull/298

If it is still at all possible for a release, that would be incredibly
awesome of you. I'm happy to help with it in any way that I can.

Many thanks!

Jon




Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
Any update? I'd like to get this release out and forget about the 2.6.x
branch then ;-)

Colm.

On Thu, Jun 22, 2017 at 6:22 PM, Jonathan S. Fisher <ex...@gmail.com>
wrote:

> It was a CNFE, CharSequence. Very strange.
>
> I did manage to find a workaround, however, I'm getting pulled elsewhere.
> I'll open another PR until I get a chance to dig in. My workaround is to
> specify an exact version of BCEL
>
>
>




Re: CXF 2.6 branch

Posted by "Jonathan S. Fisher" <ex...@gmail.com>.
It was a CNFE, CharSequence. Very strange.

I did manage to find a workaround, however, I'm getting pulled elsewhere.
I'll open another PR until I get a chance to dig in. My workaround is to
specify an exact version of BCEL




Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
What's the build error you're seeing? The branch passed for me with JDK 1.6.

Colm.

On Mon, Jun 19, 2017 at 8:04 PM, Jonathan S. Fisher <ex...@gmail.com>
wrote:

> I have a build error, I'll fix and send up another PR
>
>
>




Re: CXF 2.6 branch

Posted by "Jonathan S. Fisher" <ex...@gmail.com>.
I have a build error, I'll fix and send up another PR




Re: CXF 2.6 branch

Posted by "Jonathan S. Fisher" <ex...@gmail.com>.
Thanks! Looking into this right now. 




Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
I've re-enabled the SAML tests that were failing + also backported two
additional CVEs (CVE-2015-5253 and CVE-2017-5656):

The branch now contains fixes for the following security advisories:

 - CVE-2014-3577
 - CVE-2014-3623
 - CVE-2015-5253
 - CVE-2016-8739
 - CVE-2016-6812
 - CVE-2017-5656

Please re-test and let me know if you are happy with it and we can call a
vote next week.

Colm.

On Thu, Jun 15, 2017 at 5:42 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> OK thanks. I've merged the branch. I also reverted the jibx changes to
> "systests/databinding/pom.xml" and "systests/jaxrs/pom.xml" as otherwise
> they don't build with JDK6. I am going to take a look at some of the
> ignored tests to see why they are not working.
>
> Colm.
>
> On Thu, Jun 15, 2017 at 4:40 PM, Jonathan S. Fisher <ex...@gmail.com>
> wrote:
>
>> I included the toolchain backport because it literally is the easiest way
>> to
>> get to the goal. Simply put this file in "~/.m2/toolchains.xml":
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <toolchains
>>   xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0"
>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>   xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0
>> http://maven.apache.org/xsd/toolchains-1.1.0.xsd">
>>   <toolchain>
>>     <type>jdk</type>
>>     <provides>
>>       <version>1.6</version>
>>       <vendor>oracle</vendor>
>>     </provides>
>>     <configuration>
>>       <jdkHome>/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home</jdkHome>
>>     </configuration>
>>   </toolchain>
>> </toolchains>
>>
>> Change the jdkHome path to your JDK 1.6 home if necessary (That's the
>> default on my mac).
>>
>> This worked on CI and the build passed.
>>
>> The alternative is solving a bunch of TLS 1.1/1.2 issues because of https,
>> installing certificates into cacerts, download and install an alternative
>> maven,  among many other things I didn't want to do to mess up my system
>> :/
>>
>>
>>
>>
>>
>
>
>




Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
OK thanks. I've merged the branch. I also reverted the jibx changes to
"systests/databinding/pom.xml" and "systests/jaxrs/pom.xml" as otherwise
they don't build with JDK6. I am going to take a look at some of the
ignored tests to see why they are not working.

Colm.

On Thu, Jun 15, 2017 at 4:40 PM, Jonathan S. Fisher <ex...@gmail.com>
wrote:

> I included the toolchain backport because it literally is the easiest way
> to
> get to the goal. Simply put this file in "~/.m2/toolchains.xml":
>
> <?xml version="1.0" encoding="UTF-8"?>
> <toolchains
>   xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0
> http://maven.apache.org/xsd/toolchains-1.1.0.xsd">
>   <toolchain>
>     <type>jdk</type>
>     <provides>
>       <version>1.6</version>
>       <vendor>oracle</vendor>
>     </provides>
>     <configuration>
>       <jdkHome>/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home</jdkHome>
>     </configuration>
>   </toolchain>
> </toolchains>
>
> Change the jdkHome path to your JDK 1.6 home if necessary (That's the
> default on my mac).
>
> This worked on CI and the build passed.
>
> The alternative is solving a bunch of TLS 1.1/1.2 issues because of https,
> installing certificates into cacerts, download and install an alternative
> maven,  among many other things I didn't want to do to mess up my system :/
>
>
>
>
>




Re: CXF 2.6 branch

Posted by "Jonathan S. Fisher" <ex...@gmail.com>.
I included the toolchain backport because it literally is the easiest way to
get to the goal. Simply put this file in "~/.m2/toolchains.xml":

<?xml version="1.0" encoding="UTF-8"?>
<toolchains
  xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0
http://maven.apache.org/xsd/toolchains-1.1.0.xsd">
  <toolchain>
    <type>jdk</type>
    <provides>
      <version>1.6</version>
      <vendor>oracle</vendor>
    </provides>
    <configuration>
      <jdkHome>/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home</jdkHome>
    </configuration>
  </toolchain>
</toolchains>

Change the jdkHome path to your JDK 1.6 home if necessary (that's the
default on my Mac).

This worked on CI and the build passed.

The alternative is solving a bunch of TLS 1.1/1.2 issues because of https,
installing certificates into cacerts, downloading and installing an alternative
Maven, among many other things I didn't want to do to mess up my system :/





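The pom.xml side of the toolchains setup described in the post above, as an added example that is not from the CXF pom or from the poster: a maven-toolchains-plugin stanza whose requirement (type jdk, vendor oracle, version 1.6) is exactly what the ~/.m2/toolchains.xml entry above satisfies. The plugin version 1.1 is taken from the build error quoted elsewhere in the thread; the stanza's precise form in the backported pom is an assumption.

```xml
<!-- Added example, not the CXF pom: the build-side requirement that
     ~/.m2/toolchains.xml must satisfy. Goes inside <build><plugins>. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-toolchains-plugin</artifactId>
  <version>1.1</version>
  <executions>
    <execution>
      <!-- Runs once early in the build and fails fast when no
           installed toolchain matches the requirement below. -->
      <goals>
        <goal>toolchain</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <toolchains>
      <!-- Must match the <provides> block of the toolchains.xml entry
           field for field. The "Cannot find matching toolchain
           definitions ... jdk [ vendor='oracle' version='1.6' ]" error
           in the thread is what you get when the file is missing or
           its vendor/version disagree with these values. -->
      <jdk>
        <version>1.6</version>
        <vendor>oracle</vendor>
      </jdk>
    </toolchains>
  </configuration>
</plugin>
```

Once the toolchain resolves, the compiler and surefire plugins use that JDK's javac and java instead of the JVM running Maven, so the backported CVE fixes are compiled and tested against the JDK 1.6 the 2.6.x line targets rather than whatever newer JDK happens to be on the PATH.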

Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
Why is the toolchain stuff included? This isn't in the Apache CXF master
pom. I get a build failure when trying to build the branch:

[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-toolchains-plugin:1.1:toolchain (default) on
project cxf: Cannot find matching toolchain definitions for the following
toolchain types:
[ERROR] jdk [ vendor='oracle' version='1.6' ]

Colm.

On Mon, Jun 12, 2017 at 8:47 PM, Jonathan S. Fisher <ex...@gmail.com>
wrote:

> I'm confident we've closed all of the known open CVEs.
> https://github.com/apache/cxf/pull/279
>
> If you have a brief moment, reviewing my patches might be beneficial to the
> community, though I am already very thankful for the new 2.6 release.
>
> cheers,
> -Jonathan
>
>
>
>




Re: CXF 2.6 branch

Posted by "Jonathan S. Fisher" <ex...@gmail.com>.
I'm confident we've closed all of the known open CVEs.
https://github.com/apache/cxf/pull/279

If you have a brief moment, reviewing my patches might be beneficial to the
community, though I am already very thankful for the new 2.6 release.

cheers,
-Jonathan





Re: CXF 2.6 branch

Posted by "Jonathan S. Fisher" <ex...@gmail.com>.
Yes, 2.6 is long dead. That's very much appreciated. Let me make very certain
I crush all of them this go around.




Re: CXF 2.6 branch

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Jonathan,

CXF 2.6.x is *long* dead and not maintained any more. However, I'm willing
to help get this release out on a "once off" basis just to cover the
security advisories. Let me know when the PR is ready and I'll review it.

Colm.

On Tue, Jun 6, 2017 at 4:44 PM, Jonathan S. Fisher <ex...@gmail.com>
wrote:

> Hello guys!
>
> I have backported a few commits to the CXF 2.6 branch to close several
> CVEs.
>
> If possible, may I submit these somewhere for review, and would it be possible
> to get a maintenance release completed? I know the branch is long dead, but
> over at the TomEE project, we're trying to produce a maintenance release
> for
> the community on our 1.7.x series of server (JEE6) which still sees heavy
> production use.
>
> Thank you for consideration,
>
> -Jonathan
>
>
>
>
>


