Compare commits


No commits in common. "c10s" and "c8-stream-201902" have entirely different histories.

9 changed files with 6 additions and 182 deletions


@ -0,0 +1 @@
be947cc3eb478da23abe564d27c527f30bf526b8 SOURCES/commons-beanutils-1.9.4-src.tar.gz


@ -1 +0,0 @@
1

.gitignore vendored

@ -1,9 +1 @@
/results_*
/*.src.rpm
/commons-beanutils-1.8.3-src.tar.gz
/commons-beanutils-1.9.0-src.tar.gz
/commons-beanutils-1.9.1-src.tar.gz
/commons-beanutils-1.9.2-src.tar.gz
/commons-beanutils-1.9.3-src.tar.gz
/commons-beanutils-1.9.4-src.tar.gz
SOURCES/commons-beanutils-1.9.4-src.tar.gz


@ -1,66 +0,0 @@
From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Sun, 25 May 2025 09:07:32 -0400
Subject: [PATCH] Fix CVE-2025-48734
Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
---
.../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
.../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
.../org/apache/commons/beanutils/package-info.java | 6 ++++++
3 files changed, 18 insertions(+)
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 36eb7f57..04d99576 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
introspectors.clear();
introspectors.add(DefaultBeanIntrospector.INSTANCE);
introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
}
/**
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
index bd6b2cdc..cff34969 100644
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+ /**
+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+ * accessed.
+ *
+ * @since 1.11.0
+ */
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+ Collections.singleton("declaringClass"));
+
/** A set with the names of the properties to be suppressed. */
private final Set<String> propertyNames;
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
index 3cb9d34c..ac8d2a1f 100644
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
@@ -444,6 +444,12 @@
* <code>SUPPRESS_CLASS</code> constant of
* <code>SuppressPropertiesBeanIntrospector</code>.</p>
*
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+ *
* <a name="dynamic"></a>
* <h1>3. Dynamic Beans (DynaBeans)</h1>
*
--
2.49.0


@ -1,26 +1,17 @@
%bcond_with bootstrap
Name: apache-commons-beanutils
Version: 1.9.4
Release: 21%{?dist}
Release: 2%{?dist}
Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
License: Apache-2.0
License: ASL 2.0
URL: http://commons.apache.org/beanutils
BuildArch: noarch
ExclusiveArch: %{java_arches} noarch
Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
Patch0: 0001-Fix-CVE-2025-48734.patch
%if %{with bootstrap}
BuildRequires: javapackages-bootstrap
%else
BuildRequires: maven-local
BuildRequires: mvn(commons-collections:commons-collections)
BuildRequires: mvn(commons-collections:commons-collections-testframework)
BuildRequires: mvn(commons-logging:commons-logging)
BuildRequires: mvn(org.apache.commons:commons-parent:pom:)
%endif
%description
The scope of this package is to create a package of Java utility methods
@ -36,7 +27,6 @@ Summary: Javadoc for %{name}
%prep
%setup -q -n commons-beanutils-%{version}-src
%patch 0 -p1
sed -i 's/\r//' *.txt
%pom_remove_plugin :maven-assembly-plugin
@ -48,7 +38,7 @@ sed -i 's/\r//' *.txt
%build
# Some tests fail in Koji
%mvn_build -f -- -Dcommons.packageId=beanutils
%mvn_build -f
%install
%mvn_install
@ -61,91 +51,15 @@ sed -i 's/\r//' *.txt
%doc LICENSE.txt NOTICE.txt
%changelog
* Fri Jun 13 2025 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-21
- Fix improper access control vulnerability
- Resolves: CVE-2025-48734
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.9.4-20
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Thu Aug 01 2024 Troy Dawson <tdawson@redhat.com> - 1.9.4-19
- Bump release for Aug 2024 java mass rebuild
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.9.4-18
- Bump release for June 2024 mass rebuild
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Dec 04 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-15
- Port to apache-commons-parent 65
* Fri Sep 01 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-14
- Convert License tag to SPDX format
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Feb 05 2022 Jiri Vanek <jvanek@redhat.com> - 1.9.4-10
- Rebuilt for java-17-openjdk as system jdk
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Nov 02 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-8
- Bump Java compiler source/target levels to 1.7
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon May 17 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-6
- Bootstrap build
- Non-bootstrap build
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 10 2020 Jiri Vanek <jvanek@redhat.com> - 1.9.4-3
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-2
- Mass rebuild for javapackages-tools 201902
* Fri Oct 04 2019 Fabio Valentini <decathorpe@gmail.com> - 1.9.4-1
- Update to version 1.9.4.
- Re-enable test suite.
* Thu Aug 15 2019 Marian Koncek <mkoncek@redhat.com> - 1.9.4-1
- Update to upstream version 1.9.4
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.3-5
- Mass rebuild for javapackages-tools 201901
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
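Review bot: The spec on the head side of this compare carries neither `Patch0: 0001-Fix-CVE-2025-48734.patch` nor `%patch 0 -p1`, so a build from that branch produces commons-beanutils 1.9.4 without the `SUPPRESS_DECLARING_CLASS` default that the removed `0001-Fix-CVE-2025-48734.patch` registers in `PropertyUtilsBean`. This is a compare between branches with no common history rather than a commit, and the `SOURCES/` layout suggests the head side is c8-stream-201902, so the gap may simply reflect that branch's age; if it is still built from, those two lines and the matching changelog entry (`Resolves: CVE-2025-48734`) need to be carried over. The head-side `License: ASL 2.0` is also the pre-SPDX spelling that the base side already replaced with `Apache-2.0`.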

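--- a/ci.fmf
+++ /dev/null
@@ -1 +0,0 @@
-resultsdb-testcase: separate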


@ -1,7 +0,0 @@
--- !Policy
product_versions:
- rhel-10
decision_contexts:
- osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/javapackages.functional}


@ -1,7 +0,0 @@
summary: Run javapackages-specific tests
discover:
how: fmf
url: https://gitlab.com/redhat/centos-stream/tests/javapackages.git
ref: c10s
execute:
how: tmt


@ -1 +0,0 @@
SHA512 (commons-beanutils-1.9.4-src.tar.gz) = 6f3d30d02b9a66cf20509bd868c6e2dadb44bb27da1e6b9af7275675e0f3826845a5d4005509dd1eb77a5b2937820c4770a3753daaab072785dcdab0caa69e73