Posted to commits@camel.apache.org by da...@apache.org on 2022/11/25 08:59:50 UTC

[camel-karaf] branch camel-karaf-3.18.x updated (30aafd2d -> 78064db9)

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a change to branch camel-karaf-3.18.x
in repository https://gitbox.apache.org/repos/asf/camel-karaf.git


    from 30aafd2d Regen
     new 1ff31781 vuln-fix: Temporary File Information Disclosure (#210)
     new 5a8d01cc Upgrade stax2-api to 4.2.1 / Version 3.1.4 conflicting with cxf (#208)
     new 78064db9 Upgrade stax2-api to 4.2.1 / Version 3.1.4 conflicting with cxf (#208)

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../src/test/java/org/apache/camel/blueprint/MainTest.java             | 3 ++-
 platforms/karaf/features/src/main/resources/features.xml               | 1 +
 pom.xml                                                                | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)


[camel-karaf] 03/03: Upgrade stax2-api to 4.2.1 / Version 3.1.4 conflicting with cxf (#208)

Posted by da...@apache.org.

davsclaus pushed a commit to branch camel-karaf-3.18.x
in repository https://gitbox.apache.org/repos/asf/camel-karaf.git

commit 78064db9f26ad052ba19c67ae951c1e3dd31a1d7
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Fri Nov 25 09:08:15 2022 +0100

    Upgrade stax2-api to 4.2.1 / Version 3.1.4 conflicting with cxf (#208)
---
 platforms/karaf/features/src/main/resources/features.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/platforms/karaf/features/src/main/resources/features.xml b/platforms/karaf/features/src/main/resources/features.xml
index c98ecaf1..47f8c609 100644
--- a/platforms/karaf/features/src/main/resources/features.xml
+++ b/platforms/karaf/features/src/main/resources/features.xml
@@ -1693,6 +1693,7 @@
     <bundle dependency='true'>wrap:mvn:org.apache.olingo/odata-server-api/${olingo4-version}$overwrite=merge&amp;Export-Package=org.apache.olingo.server.api;version=${olingo4-version},org.apache.olingo.server.api.uri;version=${olingo4-version},org.apache.olingo.server.api.processor;version=${olingo4-version},org.apache.olingo.server.api.batch;version=${olingo4-version},org.apache.olingo.server.api.debug;version=${olingo4-version},org.apache.olingo.server.api.deserializer;version=${olingo [...]
     <bundle dependency='true'>wrap:mvn:org.apache.olingo/odata-server-core/${olingo4-version}$overwrite=merge&amp;Export-Package=org.apache.olingo.server.core;version=${olingo4-version},org.apache.olingo.server.core.uri.parser;version=${olingo4-version}</bundle>
     <bundle dependency='true'>wrap:mvn:org.apache.olingo/odata-client-core/${olingo4-version}$overwrite=merge&amp;Export-Package=org.apache.olingo.client.core;version=${olingo4-version},org.apache.olingo.client.core.domain;version=${olingo4-version},org.apache.olingo.client.core.http;version=${olingo4-version},org.apache.olingo.client.core.communication.request.batch;version=${olingo4-version}</bundle>
+    <bundle dependency='true'>mvn:org.codehaus.woodstox/stax2-api/3.1.4</bundle>
     <bundle dependency='true'>mvn:commons-codec/commons-codec/${commons-codec-version}</bundle>
     <bundle dependency='true'>mvn:commons-io/commons-io/${commons-io-version}</bundle>
     <bundle dependency='true'>mvn:org.apache.commons/commons-lang3/${commons-lang3-version}</bundle>
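Review bot: the added bundle line hard-codes `mvn:org.codehaus.woodstox/stax2-api/3.1.4`, although the commit title says the upgrade is to 4.2.1 and the companion pom.xml change in 02/03 sets `stax2-api-bundle-version` to 4.2.1, so this feature still installs the 3.1.4 bundle the title says conflicts with cxf. Reference the property instead, e.g. `<bundle dependency='true'>mvn:org.codehaus.woodstox/stax2-api/${stax2-api-bundle-version}</bundle>`, so the feature file and the pom cannot drift apart again.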


[camel-karaf] 01/03: vuln-fix: Temporary File Information Disclosure (#210)

Posted by da...@apache.org.

davsclaus pushed a commit to branch camel-karaf-3.18.x
in repository https://gitbox.apache.org/repos/asf/camel-karaf.git

commit 1ff3178192ff488453668b4257d6392cbf19bf4b
Author: Jonathan Leitschuh <jo...@gmail.com>
AuthorDate: Fri Nov 25 01:02:09 2022 -0500

    vuln-fix: Temporary File Information Disclosure (#210)
    
    This fixes temporary file information disclosure vulnerability due to the use
    of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
    using the `Files.createTempFile()` method which sets the correct posix permissions.
    
    Weakness: CWE-377: Insecure Temporary File
    Severity: Medium
    CVSS: 5.5
    Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
    
    Reported-by: Jonathan Leitschuh <Jo...@gmail.com>
    Signed-off-by: Jonathan Leitschuh <Jo...@gmail.com>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
    
    
    Co-authored-by: Moderne <te...@moderne.io>
---
 .../src/test/java/org/apache/camel/blueprint/MainTest.java             | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java b/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
index fd045a3c..c3876cbb 100644
--- a/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
+++ b/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 
 import org.apache.aries.util.io.IOUtils;
 import org.apache.camel.ProducerTemplate;
@@ -64,7 +65,7 @@ public class MainTest {
                 .set("Bundle-ManifestVersion", "2")
                 .set("Bundle-SymbolicName", SYMBOLIC_NAME)
                 .set("Bundle-Version", "1.0.0");
-        File tb = File.createTempFile(SYMBOLIC_NAME + "-", ".jar", new File("target"));
+        File tb = Files.createTempFile(new File("target").toPath(), SYMBOLIC_NAME + "-", ".jar").toFile();
         FileOutputStream out = new FileOutputStream(tb);
         IOUtils.copy(bundle.build(), out);
         out.close();
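Review bot: the switch to `Files.createTempFile` yields owner-only (rw-------) permissions only on file systems that expose the POSIX attribute view; on Windows the new file simply inherits the ACL of `target`, so the fix is a no-op there, which is acceptable for a test but worth a one-line comment. While these lines are being touched, `FileOutputStream out` is closed only on the happy path: if `IOUtils.copy` throws, the stream leaks. Use try-with-resources, e.g. `try (FileOutputStream out = new FileOutputStream(tb)) { IOUtils.copy(bundle.build(), out); }`, and drop the explicit `out.close()`.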

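The commit message above states that `File.createTempFile()` is the weak call and `Files.createTempFile()` fixes it by setting POSIX permissions. The following Java program is an added demonstration of that difference, not code from camel-karaf or from the commit author: it creates one temp file with each API plus a third with explicitly requested rw------- permissions, then reports the mode bits the kernel actually assigned. The class, method and file-name prefixes are hypothetical. It writes into a private temporary directory for easy cleanup; the mode bits it prints are the ones that matter when the parent directory is shared, as `target` can be on a multi-user build host. Run it on Linux or macOS with a permissive umask (for example `umask 022`) to see the legacy file come out world-readable.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added demo (hypothetical names, not camel-karaf code): shows why CWE-377 applies to
 * java.io.File.createTempFile and what java.nio.file.Files.createTempFile changes.
 */
public class TempFilePermissionsDemo {

    /** True when the file is readable and writable by its owner only (rw-------). */
    static boolean isOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.equals(PosixFilePermissions.fromString("rw-------"));
    }

    /** The weak form from the diff's '-' line: mode is 0666 masked only by the process umask. */
    static Path legacyTempFile(Path dir) throws IOException {
        return File.createTempFile("legacy-", ".jar", dir.toFile()).toPath();
    }

    /** The fixed form from the diff's '+' line: on POSIX the file is created with mode 0600. */
    static Path nioTempFile(Path dir) throws IOException {
        return Files.createTempFile(dir, "nio-", ".jar");
    }

    /**
     * Stricter variant: request rw------- explicitly so the intent is visible in the code.
     * The attribute is only accepted where the "posix" attribute view exists; elsewhere
     * (e.g. NTFS) fall back to the attribute-less call, which inherits the directory ACL.
     */
    static Path explicitTempFile(Path dir) throws IOException {
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
            return Files.createTempFile(dir, "explicit-", ".jar", ownerOnly);
        }
        return Files.createTempFile(dir, "explicit-", ".jar");
    }

    public static void main(String[] args) throws IOException {
        boolean posix = FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
        Path dir = Files.createTempDirectory("cwe377-demo-");
        Path legacy = legacyTempFile(dir);
        Path nio = nioTempFile(dir);
        Path explicit = explicitTempFile(dir);
        try {
            if (!posix) {
                System.out.println("No POSIX attribute view: all three files inherit the ACL of " + dir);
                return;
            }
            // With umask 022 the legacy file shows rw-r--r--, the other two show rw-------.
            for (Path p : new Path[] {legacy, nio, explicit}) {
                System.out.printf("%-14s %s  owner-only=%b%n",
                        p.getFileName(),
                        PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                        isOwnerOnly(p));
            }
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(nio);
            Files.deleteIfExists(explicit);
            Files.deleteIfExists(dir);
        }
    }
}
```

`isOwnerOnly` is the check to put in a unit test or a CodeQL/OpenRewrite-style gate: any temp file created for build artifacts should pass it on POSIX hosts, and the explicit-attribute variant is the one to prefer in library code where the umask of the calling process is unknown.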

[camel-karaf] 02/03: Upgrade stax2-api to 4.2.1 / Version 3.1.4 conflicting with cxf (#208)

Posted by da...@apache.org.

davsclaus pushed a commit to branch camel-karaf-3.18.x
in repository https://gitbox.apache.org/repos/asf/camel-karaf.git

commit 5a8d01cc9eeeb400fbbe8f9bc45a49e096a7ab7e
Author: donkon <bj...@gmail.com>
AuthorDate: Fri Nov 25 07:05:31 2022 +0100

    Upgrade stax2-api to 4.2.1 / Version 3.1.4 conflicting with cxf (#208)
    
    Co-authored-by: Björn Konrad <bj...@hr.de>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 90b493d8..66c029d2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -295,7 +295,7 @@
         <squareup-okhttp-bundle-version>2.7.5_1</squareup-okhttp-bundle-version>
         <squareup-okio-bundle-version>1.15.0_1</squareup-okio-bundle-version>
         <squareup-retrofit2-bundle-version>2.5.0_2</squareup-retrofit2-bundle-version>
-        <stax2-api-bundle-version>3.1.4</stax2-api-bundle-version>
+        <stax2-api-bundle-version>4.2.1</stax2-api-bundle-version>
         <stax2v4-api-bundle-version>4.2</stax2v4-api-bundle-version>
         <stringtemplate-bundle-version>4.3.3_1</stringtemplate-bundle-version>
         <tagsoup-bundle-version>1.2.1_1</tagsoup-bundle-version>
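Review bot: after this bump both `stax2-api-bundle-version` (now 4.2.1) and `stax2v4-api-bundle-version` on the next line (4.2) name 4.x releases of the same artifact, so the `stax2v4` name no longer signals anything and the two properties disagree by a patch release. Either set both to 4.2.1 or retire the `stax2v4` property in a follow-up, so that features referencing different properties cannot resolve to two different stax2-api bundles.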