Posted to commits@commons.apache.org by ch...@apache.org on 2019/08/15 12:57:23 UTC

[commons-beanutils] branch 1.X updated (32ceb2c -> c9bbfb7)

This is an automated email from the ASF dual-hosted git repository.

chtompki pushed a change to branch 1.X
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git.


    from 32ceb2c  (update) RC1 -> RC2
     new dd8e3b5  (docs) rework from Sebb on CVE description
     new c9bbfb7  (docs) updates to site, scm location, sha256 hash

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 pom.xml                              |  6 +++---
 src/site/xdoc/download_beanutils.xml | 10 +++++-----
 src/site/xdoc/index.xml              | 18 +++++++++++++-----
 3 files changed, 21 insertions(+), 13 deletions(-)


Re: [commons-beanutils] 02/02: (docs) updates to site, scm location, sha256 hash

Posted by Rob Tompkins <ch...@gmail.com>.
The only difference between the generated download file and my updated 
one is that the generated one puts sha1 signatures on the files because 
of an older version of the build plugin. I suppose I could upversion the 
build plugin to ensure that I only get 256 signatures. But I think that 
point will be moot as soon as we release 2.X (which I plan to do sooner 
than later) because that's on the latest version of all of our plugins.


-Rob

On 8/15/2019 9:11 AM, sebb wrote:
> The download xml file is generated from the pom, so the pom must be fixed too.
>
> On Thu, 15 Aug 2019 at 13:57, <ch...@apache.org> wrote:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> chtompki pushed a commit to branch 1.X
>> in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git
>>
>> commit c9bbfb7b16e89ac9cf68998db7ddd796f4f81932
>> Author: Rob Tompkins <ch...@gmail.com>
>> AuthorDate: Thu Aug 15 08:57:08 2019 -0400
>>
>>      (docs) updates to site, scm location, sha256 hash
>> ---
>>   pom.xml                              |  6 +++---
>>   src/site/xdoc/download_beanutils.xml | 10 +++++-----
>>   2 files changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/pom.xml b/pom.xml
>> index 1a4c70d..8f1ebc0 100644
>> --- a/pom.xml
>> +++ b/pom.xml
>> @@ -79,9 +79,9 @@
>>     </issueManagement>
>>
>>     <scm>
>> -    <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</connection>
>> -    <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</developerConnection>
>> -    <url>http://svn.apache.org/viewvc/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</url>
>> +    <connection>scm:git:https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</connection>
>> +    <developerConnection>scm:git:https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</developerConnection>
>> +    <url>https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</url>
>>     </scm>
>>
>>     <distributionManagement>
>> diff --git a/src/site/xdoc/download_beanutils.xml b/src/site/xdoc/download_beanutils.xml
>> index 48f45f6..397bea3 100644
>> --- a/src/site/xdoc/download_beanutils.xml
>> +++ b/src/site/xdoc/download_beanutils.xml
>> @@ -102,7 +102,7 @@ limitations under the License.
>>           It is essential that you
>>           <a href="https://www.apache.org/info/verification.html">verify the integrity</a>
>>           of downloaded files, preferably using the <code>PGP</code> signature (<code>*.asc</code> files);
>> -        failing that using the <code>SHA512</code> hash (<code>*.sha512</code> checksum files).
>> +        failing that using the <code>SHA256</code> hash (<code>*.sha256</code> checksum files).
>>         </p>
>>         <p>
>>           The <a href="https://www.apache.org/dist/commons/KEYS">KEYS</a>
>> @@ -116,12 +116,12 @@ limitations under the License.
>>           <table>
>>             <tr>
>>                 <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz">commons-beanutils-1.9.4-bin.tar.gz</a></td>
>> -              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha512">sha512</a></td>
>> +              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha256">sha256</a></td>
>>                 <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.asc">pgp</a></td>
>>             </tr>
>>             <tr>
>>                 <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip">commons-beanutils-1.9.4-bin.zip</a></td>
>> -              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha512">sha512</a></td>
>> +              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha256">sha256</a></td>
>>                 <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.asc">pgp</a></td>
>>             </tr>
>>           </table>
>> @@ -130,12 +130,12 @@ limitations under the License.
>>           <table>
>>             <tr>
>>                 <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz">commons-beanutils-1.9.4-src.tar.gz</a></td>
>> -              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha512">sha512</a></td>
>> +              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha256">sha256</a></td>
>>                 <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.asc">pgp</a></td>
>>             </tr>
>>             <tr>
>>                 <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.zip">commons-beanutils-1.9.4-src.zip</a></td>
>> -              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha512">sha512</a></td>
>> +              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha256">sha256</a></td>
>>                 <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.asc">pgp</a></td>
>>             </tr>
>>           </table>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
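
A check a release consumer can run on the files the download page links to, added here as an example (not part of this thread or of commons-beanutils): it accepts the several checksum-file layouts that different build plugins emit, which is the practical consequence of the plugin-version point above. The layouts handled and the artifact name used in the demo are assumptions, not taken from the release.

```shell
#!/bin/sh
# Added example, not part of this thread or of commons-beanutils: check a
# downloaded release artifact against the .sha256 file published beside it.
# Checksum files from different build plugins use different layouts (assumed
# here: "hash  file", "hash *file", "file: AB12 CD34 ..." as gpg --print-md
# writes it, or the bare hex digest); sha256sum -c only reads the first two,
# so the digest is extracted by pattern instead.

# Lowercase hex SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# First run of 64 hex digits in a checksum file, whitespace removed, lowercased.
digest_in_file() {
    tr -d ' \t\r\n' < "$1" | grep -o '[0-9A-Fa-f]\{64\}' | head -n 1 | tr 'A-F' 'a-f'
}

# verify_sha256 ARTIFACT HASHFILE: 0 on match, 1 on mismatch, 2 if unusable.
verify_sha256() {
    [ -f "$1" ] && [ -f "$2" ] || { echo "missing $1 or $2" >&2; return 2; }
    expected=$(digest_in_file "$2")
    [ -n "$expected" ] || { echo "no SHA-256 digest in $2" >&2; return 2; }
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches $2"; return 0
    fi
    echo "FAIL: $1 is $actual but $2 says $expected" >&2; return 1
}

# Constructed demo: a fake artifact, checksum files in each layout and one
# tampered copy; returns 0 only if the good ones pass and the bad one fails.
demo_constructed_files() {
    d=$(mktemp -d) || return 2
    name=commons-beanutils-1.9.4-bin.tar.gz   # constructed, not the real release
    printf 'constructed sample, not a real release\n' > "$d/$name"
    h=$(sha256_of "$d/$name")
    printf '%s  %s\n' "$h" "$name" > "$d/coreutils.sha256"
    printf '%s *%s\n' "$h" "$name" > "$d/binary.sha256"
    printf '%s\n' "$h" > "$d/bare.sha256"
    printf '%s: %s\n' "$name" "$(printf '%s' "$h" | tr 'a-f' 'A-F' | sed 's/..../& /g')" > "$d/gpg.sha256"
    printf '%s  %s\n' "$(printf '%s' "$h" | tr '0-9a-f' '1-9a-f0')" "$name" > "$d/tampered.sha256"
    rc=0
    for f in coreutils binary bare gpg; do
        verify_sha256 "$d/$name" "$d/$f.sha256" || rc=1
    done
    if verify_sha256 "$d/$name" "$d/tampered.sha256" 2>/dev/null; then rc=1; fi
    rm -rf "$d"
    return $rc
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo_constructed_files; fi
```

Run with `RUN_DEMO=1 sh verify.sh` to see the constructed cases, or call `verify_sha256 <artifact> <artifact>.sha256` directly on downloaded files.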


Re: [commons-beanutils] 02/02: (docs) updates to site, scm location, sha256 hash

Posted by sebb <se...@gmail.com>.
The download xml file is generated from the pom, so the pom must be fixed too.

On Thu, 15 Aug 2019 at 13:57, <ch...@apache.org> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> chtompki pushed a commit to branch 1.X
> in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git
>
> commit c9bbfb7b16e89ac9cf68998db7ddd796f4f81932
> Author: Rob Tompkins <ch...@gmail.com>
> AuthorDate: Thu Aug 15 08:57:08 2019 -0400
>
>     (docs) updates to site, scm location, sha256 hash
> ---
>  pom.xml                              |  6 +++---
>  src/site/xdoc/download_beanutils.xml | 10 +++++-----
>  2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/pom.xml b/pom.xml
> index 1a4c70d..8f1ebc0 100644
> --- a/pom.xml
> +++ b/pom.xml
> @@ -79,9 +79,9 @@
>    </issueManagement>
>
>    <scm>
> -    <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</connection>
> -    <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</developerConnection>
> -    <url>http://svn.apache.org/viewvc/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</url>
> +    <connection>scm:git:https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</connection>
> +    <developerConnection>scm:git:https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</developerConnection>
> +    <url>https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</url>
>    </scm>
>
>    <distributionManagement>
> diff --git a/src/site/xdoc/download_beanutils.xml b/src/site/xdoc/download_beanutils.xml
> index 48f45f6..397bea3 100644
> --- a/src/site/xdoc/download_beanutils.xml
> +++ b/src/site/xdoc/download_beanutils.xml
> @@ -102,7 +102,7 @@ limitations under the License.
>          It is essential that you
>          <a href="https://www.apache.org/info/verification.html">verify the integrity</a>
>          of downloaded files, preferably using the <code>PGP</code> signature (<code>*.asc</code> files);
> -        failing that using the <code>SHA512</code> hash (<code>*.sha512</code> checksum files).
> +        failing that using the <code>SHA256</code> hash (<code>*.sha256</code> checksum files).
>        </p>
>        <p>
>          The <a href="https://www.apache.org/dist/commons/KEYS">KEYS</a>
> @@ -116,12 +116,12 @@ limitations under the License.
>          <table>
>            <tr>
>                <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz">commons-beanutils-1.9.4-bin.tar.gz</a></td>
> -              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha512">sha512</a></td>
> +              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha256">sha256</a></td>
>                <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.asc">pgp</a></td>
>            </tr>
>            <tr>
>                <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip">commons-beanutils-1.9.4-bin.zip</a></td>
> -              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha512">sha512</a></td>
> +              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha256">sha256</a></td>
>                <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.asc">pgp</a></td>
>            </tr>
>          </table>
> @@ -130,12 +130,12 @@ limitations under the License.
>          <table>
>            <tr>
>                <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz">commons-beanutils-1.9.4-src.tar.gz</a></td>
> -              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha512">sha512</a></td>
> +              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha256">sha256</a></td>
>                <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.asc">pgp</a></td>
>            </tr>
>            <tr>
>                <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.zip">commons-beanutils-1.9.4-src.zip</a></td>
> -              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha512">sha512</a></td>
> +              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha256">sha256</a></td>
>                <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.asc">pgp</a></td>
>            </tr>
>          </table>
>



[commons-beanutils] 02/02: (docs) updates to site, scm location, sha256 hash

Posted by ch...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

chtompki pushed a commit to branch 1.X
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git

commit c9bbfb7b16e89ac9cf68998db7ddd796f4f81932
Author: Rob Tompkins <ch...@gmail.com>
AuthorDate: Thu Aug 15 08:57:08 2019 -0400

    (docs) updates to site, scm location, sha256 hash
---
 pom.xml                              |  6 +++---
 src/site/xdoc/download_beanutils.xml | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/pom.xml b/pom.xml
index 1a4c70d..8f1ebc0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -79,9 +79,9 @@
   </issueManagement>
 
   <scm>
-    <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</connection>
-    <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</developerConnection>
-    <url>http://svn.apache.org/viewvc/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3</url>
+    <connection>scm:git:https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</connection>
+    <developerConnection>scm:git:https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</developerConnection>
+    <url>https://gitbox.apache.org/repos/asf?p=commons-beanutils.git</url>
   </scm>
 
   <distributionManagement>
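Review bot: The new `<connection>` and `<developerConnection>` values use the gitweb browse form `https://gitbox.apache.org/repos/asf?p=commons-beanutils.git`, while the commit notification itself reports the repository as `https://gitbox.apache.org/repos/asf/commons-beanutils.git`; `scm:git:` consumers (release and SCM plugins) need a URL that `git clone` accepts, so put the clone URL in both connection elements and keep the `?p=` form, if at all, only in `<url>`. The removed lines also pinned a tag (`BEANUTILS_1_9_3_RC3`) whereas the replacements point at the repository with no tag, so the pom shipped inside the 1.9.4 artifacts will no longer identify the exact revision it was built from; check that the tagged release pom carries the tag. Finally, given sebb's comment that the download page is generated from the pom, nothing in this hunk touches the checksum configuration, so the hand edits to `download_beanutils.xml` in this same commit will be overwritten the next time the site is generated.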
diff --git a/src/site/xdoc/download_beanutils.xml b/src/site/xdoc/download_beanutils.xml
index 48f45f6..397bea3 100644
--- a/src/site/xdoc/download_beanutils.xml
+++ b/src/site/xdoc/download_beanutils.xml
@@ -102,7 +102,7 @@ limitations under the License.
         It is essential that you
         <a href="https://www.apache.org/info/verification.html">verify the integrity</a>
         of downloaded files, preferably using the <code>PGP</code> signature (<code>*.asc</code> files);
-        failing that using the <code>SHA512</code> hash (<code>*.sha512</code> checksum files).
+        failing that using the <code>SHA256</code> hash (<code>*.sha256</code> checksum files).
       </p>
       <p>
         The <a href="https://www.apache.org/dist/commons/KEYS">KEYS</a>
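Review bot: This is a hand edit to a generated file (sebb's reply: the download page is produced from the pom), so the `SHA512` to `SHA256` wording will revert on the next site build unless the pom's checksum settings change in the same commit. The advice itself keeps the right priority, PGP signature first and hash second; it would be worth one more clause saying that the hash only guards against a corrupted or altered mirror copy, not against a bad upload, since the `.sha256` file is served from the same host as the `.asc` and a reader who checks only the hash may take it as proof of provenance.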
@@ -116,12 +116,12 @@ limitations under the License.
         <table>
           <tr>
               <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz">commons-beanutils-1.9.4-bin.tar.gz</a></td>
-              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha512">sha512</a></td>
+              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha256">sha256</a></td>
               <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.asc">pgp</a></td>
           </tr>
           <tr>
               <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip">commons-beanutils-1.9.4-bin.zip</a></td>
-              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha512">sha512</a></td>
+              <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha256">sha256</a></td>
               <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.asc">pgp</a></td>
           </tr>
         </table>
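Review bot: Before this lands, confirm that `commons-beanutils-1.9.4-bin.tar.gz.sha256` and `commons-beanutils-1.9.4-bin.zip.sha256` actually exist under `https://www.apache.org/dist/commons/beanutils/binaries/`: Rob's reply says the build plugin in use emits `sha1` files, and a download page whose hash links do not resolve teaches users to skip verification altogether. A `curl -I` on each of the two URLs is enough.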
@@ -130,12 +130,12 @@ limitations under the License.
         <table>
           <tr>
               <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz">commons-beanutils-1.9.4-src.tar.gz</a></td>
-              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha512">sha512</a></td>
+              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha256">sha256</a></td>
               <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.asc">pgp</a></td>
           </tr>
           <tr>
               <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.zip">commons-beanutils-1.9.4-src.zip</a></td>
-              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha512">sha512</a></td>
+              <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha256">sha256</a></td>
               <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.asc">pgp</a></td>
           </tr>
         </table>
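Review bot: Same existence check applies to `-src.tar.gz.sha256` and `-src.zip.sha256`. Separately, the split in these rows between `[preferred]` (a mirror) for the artifact and the fixed `https://www.apache.org/dist/...` host for the hash and `.asc` links is the correct one and should be preserved in any regenerated version of this page: a hash fetched from the same mirror as the artifact verifies nothing, because whoever can alter the artifact on that mirror can alter the hash beside it.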


[commons-beanutils] 01/02: (docs) rework from Sebb on CVE description

Posted by ch...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

chtompki pushed a commit to branch 1.X
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git

commit dd8e3b5935bc32531dfe8821a8561209b3b8d2b3
Author: Rob Tompkins <ch...@gmail.com>
AuthorDate: Tue Aug 13 20:38:51 2019 -0400

    (docs) rework from Sebb on CVE description
---
 src/site/xdoc/index.xml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index bc7508a..75083ed 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -103,14 +103,20 @@ Bean Collections has an additional dependency on
     <strong>Severity.</strong> Medium<br/><br/>
     <strong>Vendor.</strong> The Apache Software Foundation<br/><br/>
     <strong>Versions Affected.</strong> All versions commons-beanutils-1.9.3 and before.<br/><br/>
-    <strong>Description.</strong> In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for
-    an attacker to access the classloader via the class property available on all Java objects. We, however were not
-    using this by default characteristic of the PropertyUtilsBean.<br/><br/>
+    <strong>Description.</strong> A special BeanIntrospector class was added in version 1.9.2.
+    This can be used to stop attackers from using the class property of
+    Java objects to get access to the classloader.
+    However this protection was not enabled by default.
+    PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
+    level property access by default, thus protecting against
+    CVE-2014-0114.<br/><br/>
     <strong>Mitigation.</strong> Upgrade to commons-beanutils-1.9.4<br/><br/>
     <strong>Credit.</strong> This was discovered by Melloware (https://melloware.com/).<br/><br/>
     <strong>Example.</strong>
     <source>/**
-* Example usage after 1.9.4
+* Example displaying the new default behaviour such that
+* it is not possible to access class level properties utilizing the
+* BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
 */
 public void testSuppressClassPropertyByDefault() throws Exception {
   final BeanUtilsBean bub = new BeanUtilsBean();
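Review bot: The only CVE identifier in the new description is `CVE-2014-0114`, named as the issue the new default protects against, yet the block (Severity, Vendor, Versions Affected, Mitigation, Credit) describes a 1.9.3-and-before issue credited to Melloware; if the identifier for this advisory sits above line 103 outside the hunk, fine, otherwise add it, and if the issue is a regression of CVE-2014-0114 rather than a new one, say so explicitly so downstream trackers file it correctly. Since the added text states that the BeanIntrospector has existed since 1.9.2 and was simply not on by default, the `Mitigation` line should also mention registering it as the workaround for users of 1.9.2 and 1.9.3 who cannot upgrade immediately; `Versions Affected` as worded implies no mitigation short of 1.9.4.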
@@ -124,7 +130,9 @@ public void testSuppressClassPropertyByDefault() throws Exception {
 }
 
 /**
-* Example usage to restore 1.9.3 behaviour
+* Example showing how by which one would use to revert to the
+* behaviour prior to the 1.9.4 release where class level properties were accessible by
+* the BeanUtilsBean and the PropertyUtilsBean.
 */
 public void testAllowAccessToClassProperty() throws Exception {
   final BeanUtilsBean bub = new BeanUtilsBean();
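Review bot: The replacement Javadoc "Example showing how by which one would use to revert to the behaviour prior to the 1.9.4 release" is ungrammatical; suggest "Example showing how to restore the pre-1.9.4 behaviour, in which class-level properties are accessible through BeanUtilsBean and PropertyUtilsBean." The comment should also state plainly that doing so reopens the classloader exposure the advisory above describes, so the snippet reads as a documented opt-out with a known cost rather than as a neutral configuration choice.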