rpms/apache-commons-beanutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8-stream-201801
Branches Tags
rpms:c8-stream-201902
rpms:c10
rpms:c8-stream-201801
rpms:c9
rpms:stream-javapackages-tools-201801-rhel-8.10.0
rpms:c10s
rpms:c9s
rpms:c9-beta-stream-202501
rpms:stream-javapackages-tools-202501-rhel-9.6.0
rpms:stream-javapackages-tools-202501-rhel-9.7.0
rpms:stream-javapackages-bootstrap-202501-rhel-9.6.0
rpms:stream-javapackages-bootstrap-202501-rhel-9.7.0
rpms:stream-javapackages-tools-202201-rhel-8.10.0
rpms:stream-javapackages-tools-202201-rhel-9.4.0
rpms:stream-javapackages-tools-201902-rhel-8.9.0
rpms:stream-javapackages-tools-201801-rhel-8.9.0
rpms:stream-javapackages-bootstrap-202201-rhel-8.9.0
rpms:c8-beta-stream-202201
rpms:c9-beta-stream-202201
rpms:stream-javapackages-tools-202201-rhel-9.1.0
rpms:stream-javapackages-tools-202201-rhel-9.3.0
rpms:stream-javapackages-tools-202201-rhel-8.9.0
rpms:c8s-stream-201902
rpms:c9-beta
rpms:c8-beta-stream-201801
rpms:imports/c10/apache-commons-beanutils-1.9.4-21.el10_0
rpms:imports/c8-stream-201801/apache-commons-beanutils-1.9.3-5.el8_10
rpms:imports/c9/apache-commons-beanutils-1.9.4-10.el9_6
rpms:imports/c10s/apache-commons-beanutils-1.9.4-21.el10
rpms:imports/c9-beta-stream-202501/apache-commons-beanutils-1.9.4-36.module_el9+1178+6aaa7e34
rpms:imports/c9-beta-stream-202501/apache-commons-beanutils-1.9.4-36.module_el9+1171+eb38a622
rpms:imports/c10s/apache-commons-beanutils-1.9.4-20.el10
rpms:imports/c10s/apache-commons-beanutils-1.9.4-19.el10
rpms:imports/c10s/apache-commons-beanutils-1.9.4-18.el10
rpms:imports/c8s-stream-201902/apache-commons-beanutils-1.9.4-2.module+el8.3.0+7256+fe62c937
rpms:imports/c9/apache-commons-beanutils-1.9.4-9.el9
rpms:imports/c9-beta/apache-commons-beanutils-1.9.4-9.el9
rpms:imports/c8-beta-stream-201801/apache-commons-beanutils-1.9.3-4.module+el8+2598+06babf2e
rpms:imports/c8-stream-201801/apache-commons-beanutils-1.9.3-4.module+el8+2598+06babf2e
rpms:imports/c8-stream-201902/apache-commons-beanutils-1.9.4-2.module+el8.2.0+4938+c0cffa5b
...
pull from: rpms:c8-stream-201902
Branches Tags
rpms:c10
rpms:c8-stream-201801
rpms:c9
rpms:stream-javapackages-tools-201801-rhel-8.10.0
rpms:c10s
rpms:c9s
rpms:c9-beta-stream-202501
rpms:stream-javapackages-tools-202501-rhel-9.6.0
rpms:stream-javapackages-tools-202501-rhel-9.7.0
rpms:stream-javapackages-bootstrap-202501-rhel-9.6.0
rpms:stream-javapackages-bootstrap-202501-rhel-9.7.0
rpms:stream-javapackages-tools-202201-rhel-8.10.0
rpms:stream-javapackages-tools-202201-rhel-9.4.0
rpms:stream-javapackages-tools-201902-rhel-8.9.0
rpms:stream-javapackages-tools-201801-rhel-8.9.0
rpms:stream-javapackages-bootstrap-202201-rhel-8.9.0
rpms:c8-beta-stream-202201
rpms:c9-beta-stream-202201
rpms:stream-javapackages-tools-202201-rhel-9.1.0
rpms:stream-javapackages-tools-202201-rhel-9.3.0
rpms:stream-javapackages-tools-202201-rhel-8.9.0
rpms:c8s-stream-201902
rpms:c9-beta
rpms:c8-beta-stream-201801
rpms:c8-stream-201902
rpms:imports/c10/apache-commons-beanutils-1.9.4-21.el10_0
rpms:imports/c8-stream-201801/apache-commons-beanutils-1.9.3-5.el8_10
rpms:imports/c9/apache-commons-beanutils-1.9.4-10.el9_6
rpms:imports/c10s/apache-commons-beanutils-1.9.4-21.el10
rpms:imports/c9-beta-stream-202501/apache-commons-beanutils-1.9.4-36.module_el9+1178+6aaa7e34
rpms:imports/c9-beta-stream-202501/apache-commons-beanutils-1.9.4-36.module_el9+1171+eb38a622
rpms:imports/c10s/apache-commons-beanutils-1.9.4-20.el10
rpms:imports/c10s/apache-commons-beanutils-1.9.4-19.el10
rpms:imports/c10s/apache-commons-beanutils-1.9.4-18.el10
rpms:imports/c8s-stream-201902/apache-commons-beanutils-1.9.4-2.module+el8.3.0+7256+fe62c937
rpms:imports/c9/apache-commons-beanutils-1.9.4-9.el9
rpms:imports/c9-beta/apache-commons-beanutils-1.9.4-9.el9
rpms:imports/c8-beta-stream-201801/apache-commons-beanutils-1.9.3-4.module+el8+2598+06babf2e
rpms:imports/c8-stream-201801/apache-commons-beanutils-1.9.3-4.module+el8+2598+06babf2e
rpms:imports/c8-stream-201902/apache-commons-beanutils-1.9.4-2.module+el8.2.0+4938+c0cffa5b

No commits in common. "c8-stream-201801" and "c8-stream-201902" have entirely different histories.
c8-stream- ... c8-stream-

5 changed files with 17 additions and 112 deletions
Show Stats Expand all files Collapse all files

2
.apache-commons-beanutils.metadata
View File

@ -1 +1 @@
d9f237583ab7b8b4a4bdf55694e915b5af9e165a SOURCES/commons-beanutils-1.9.3-src.tar.gz be947cc3eb478da23abe564d27c527f30bf526b8 SOURCES/commons-beanutils-1.9.4-src.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/commons-beanutils-1.9.3-src.tar.gz SOURCES/commons-beanutils-1.9.4-src.tar.gz

25
SOURCES/0001-Fix-CVE-2019-10086.patch
View File

@ -1,25 +0,0 @@
From a5be4419e2753593ddac1f7948f0731a2ce0a843 Mon Sep 17 00:00:00 2001
From: Rob Tompkins <chtompki@gmail.com>
Date: Wed, 5 Jun 2019 20:38:37 -0400
Subject: [PATCH 1/2] Fix CVE-2019-10086
Backported from upstream commit 62e82ad92cf4818709d6044aaf257b73d42659a4
---
.../java/org/apache/commons/beanutils/PropertyUtilsBean.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 5e76d97b..36eb7f57 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -188,6 +188,7 @@ public class PropertyUtilsBean {
public final void resetBeanIntrospectors() {
introspectors.clear();
introspectors.add(DefaultBeanIntrospector.INSTANCE);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
}
/**
--
2.49.0

66
SOURCES/0002-Fix-CVE-2025-48734.patch
View File

@ -1,66 +0,0 @@
From 863e08bed2a0ce1a6df37c4fd28482cfbc614a99 Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Sun, 25 May 2025 09:07:32 -0400
Subject: [PATCH 2/2] Fix CVE-2025-48734
Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
---
.../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
.../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
.../org/apache/commons/beanutils/package-info.java | 6 ++++++
3 files changed, 18 insertions(+)
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 36eb7f57..04d99576 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
introspectors.clear();
introspectors.add(DefaultBeanIntrospector.INSTANCE);
introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
}
/**
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
index bd6b2cdc..cff34969 100644
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+ /**
+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+ * accessed.
+ *
+ * @since 1.11.0
+ */
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+ Collections.singleton("declaringClass"));
+
/** A set with the names of the properties to be suppressed. */
private final Set<String> propertyNames;
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
index 3cb9d34c..ac8d2a1f 100644
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
@@ -444,6 +444,12 @@
* <code>SUPPRESS_CLASS</code> constant of
* <code>SuppressPropertiesBeanIntrospector</code>.</p>
*
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+ *
* <a name="dynamic"></a>
* <h1>3. Dynamic Beans (DynaBeans)</h1>
*
--
2.49.0

34
SPECS/apache-commons-beanutils.spec
View File

@ -1,18 +1,11 @@
%global base_name beanutils Name: apache-commons-beanutils
%global short_name commons-%{base_name} Version: 1.9.4
Release: 2%{?dist}
Name: apache-%{short_name}
Version: 1.9.3
Release: 5%{?dist}
Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
License: ASL 2.0 License: ASL 2.0
URL: http://commons.apache.org/%{base_name} URL: http://commons.apache.org/beanutils
BuildArch: noarch BuildArch: noarch
Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
Source0: http://archive.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz
Patch0: 0001-Fix-CVE-2019-10086.patch
Patch1: 0002-Fix-CVE-2025-48734.patch
BuildRequires: maven-local BuildRequires: maven-local
BuildRequires: mvn(commons-collections:commons-collections) BuildRequires: mvn(commons-collections:commons-collections)
@ -33,9 +26,7 @@ Summary: Javadoc for %{name}
%{summary}. %{summary}.
%prep %prep
%setup -q -n %{short_name}-%{version}-src %setup -q -n commons-beanutils-%{version}-src
%patch -P0 -p1
%patch -P1 -p1
sed -i 's/\r//' *.txt sed -i 's/\r//' *.txt
%pom_remove_plugin :maven-assembly-plugin %pom_remove_plugin :maven-assembly-plugin
@ -43,7 +34,7 @@ sed -i 's/\r//' *.txt
%mvn_alias :{*} :@1-core :@1-bean-collections %mvn_alias :{*} :@1-core :@1-bean-collections
%mvn_alias :{*} org.apache.commons:@1 org.apache.commons:@1-core org.apache.commons:@1-bean-collections %mvn_alias :{*} org.apache.commons:@1 org.apache.commons:@1-core org.apache.commons:@1-bean-collections
%mvn_file : %{name} %{name}-core %{name}-bean-collections %mvn_file : %{name} %{name}-core %{name}-bean-collections
%mvn_file : %{short_name} %{short_name}-core %{short_name}-bean-collections %mvn_file : commons-beanutils commons-beanutils-core commons-beanutils-bean-collections
%build %build
# Some tests fail in Koji # Some tests fail in Koji
@ -60,9 +51,14 @@ sed -i 's/\r//' *.txt
%doc LICENSE.txt NOTICE.txt %doc LICENSE.txt NOTICE.txt
%changelog %changelog
* Mon Jun 16 2025 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.3-5 * Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-2
- Fix improper access control vulnerabilities - Mass rebuild for javapackages-tools 201902
- Resolves: CVE-2019-10086, CVE-2025-48734
* Thu Aug 15 2019 Marian Koncek <mkoncek@redhat.com> - 1.9.4-1
- Update to upstream version 1.9.4
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.3-5
- Mass rebuild for javapackages-tools 201901
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild