Posted to commits@tomee.apache.org by rz...@apache.org on 2022/10/10 12:19:48 UTC

[tomee] branch tomee-8.x updated (26366374ea -> 286b979044)

This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a change to branch tomee-8.x
in repository https://gitbox.apache.org/repos/asf/tomee.git


    from 26366374ea TOMEE-4085 - commons-cli 1.5.0
     new beaf53a7ce TOMEE-4087 - Tomcat 9.0.68
     new 286b979044 TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../src/main/java/org/apache/openejb/loader/SystemInstance.java    | 7 +++++++
 pom.xml                                                            | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)


[tomee] 02/02: TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)

Posted by rz...@apache.org.

rzo1 pushed a commit to branch tomee-8.x
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 286b979044fded5be2a00fff77443d167ca0a82c
Author: Richard Zowalla <ri...@hs-heilbronn.de>
AuthorDate: Mon Oct 10 14:19:35 2022 +0200

    TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
---
 .../src/main/java/org/apache/openejb/loader/SystemInstance.java    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
index f200a16d7f..4f03303afb 100644
--- a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
+++ b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
@@ -145,6 +145,13 @@ public final class SystemInstance {
         if (getProperty("hsqldb.reconfig_logging") == null) {
             setProperty("hsqldb.reconfig_logging", "false", true);
         }
+
+        // TOMEE-4086
+        // Prevent CVE-2022-41853 by setting hsqldb.method_class_names if it isn't set.
+        // See: https://github.com/advisories/GHSA-77xx-rxvh-q682
+        if (getProperty("hsqldb.method_class_names") == null) {
+            setProperty("hsqldb.method_class_names", "invalid", true);
+        }
     }
 
     public <E> E fireEvent(final E event) {
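Review bot: the ticket reference in the new comment (`// TOMEE-4086`) does not match the commit subject (TOMEE-4088); one of them is wrong and should be corrected so the change is traceable to the right issue. The comment should also state why `"invalid"` is the chosen value, i.e. that it is a deliberately non-matching class-name list rather than a real class, otherwise a later maintainer may mistake it for a typo. Note that the `== null` guard means an operator who has already set `hsqldb.method_class_names` to a permissive value keeps that value, so this is a default-only hardening and worth a log line when the default is applied.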


[tomee] 01/02: TOMEE-4087 - Tomcat 9.0.68

Posted by rz...@apache.org.

rzo1 pushed a commit to branch tomee-8.x
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit beaf53a7ce58363d20098aef2c9c2f19aee958f0
Author: Richard Zowalla <ri...@hs-heilbronn.de>
AuthorDate: Mon Oct 10 14:17:51 2022 +0200

    TOMEE-4087 - Tomcat 9.0.68
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0b0c49ecb5..f464544cae 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,7 +147,7 @@
     <version.shrinkwrap.descriptor>2.0.0</version.shrinkwrap.descriptor>
     <version.shrinkwrap.shrinkwrap>1.2.6</version.shrinkwrap.shrinkwrap>
 
-    <tomcat.version>9.0.67</tomcat.version>
+    <tomcat.version>9.0.68</tomcat.version>
 
     <cxf.version>3.4.8</cxf.version>
     <ehcache.version>2.10.6</ehcache.version>