Update to upstream version 1.7.26

.gitignore

@@ -21,3 +21,4 @@ slf4j-1.6.1.tar.gz
 /slf4j-1.7.21.tar.gz
 /slf4j-1.7.22.tar.gz
 /slf4j-1.7.25.tar.gz
+/slf4j-1.7.26.tar.gz

0001-Disallow-EventData-deserialization-by-default.patch

@@ -1,44 +0,0 @@
-From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
-From: Michael Simacek <msimacek@redhat.com>
-Date: Mon, 19 Mar 2018 16:01:57 +0100
-Subject: [PATCH] Disallow EventData deserialization by default
-
----
- .../src/main/java/org/slf4j/ext/EventData.java      | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-index dc5b502..fa5c125 100644
---- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-@@ -76,12 +76,21 @@ public class EventData implements Serializable {
-      */
-     @SuppressWarnings("unchecked")
-     public EventData(String xml) {
--        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
--        try {
--            XMLDecoder decoder = new XMLDecoder(bais);
--            this.eventData = (Map<String, Object>) decoder.readObject();
--        } catch (Exception e) {
--            throw new EventException("Error decoding " + xml, e);
-+        if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
-+            ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-+            try {
-+                XMLDecoder decoder = new XMLDecoder(bais);
-+                this.eventData = (Map<String, Object>) decoder.readObject();
-+            } catch (Exception e) {
-+                throw new EventException("Error decoding " + xml, e);
-+            }
-+        } else {
-+            throw new UnsupportedOperationException(
-+                    "Constructing EventData from XML is vulnerable to remote " +
-+                    "excution and is not allowed by default. If you're " +
-+                    "completely sure the source data is trusted, you can enable " +
-+                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
-+                    "JVM property to 1");
-         }
-     }
- 
--- 
-2.14.3
-

slf4j.spec

@@ -29,15 +29,14 @@
 #
 
 Name:           slf4j
-Version:        1.7.25
-Release:        4%{?dist}
+Version:        1.7.26
+Release:        1%{?dist}
 Summary:        Simple Logging Facade for Java
 # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
 License:        MIT and ASL 2.0
 URL:            http://www.slf4j.org/
 Source0:        http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
 Source1:        http://www.apache.org/licenses/LICENSE-2.0.txt
-Patch0:         0001-Disallow-EventData-deserialization-by-default.patch
 BuildArch:      noarch
 
 BuildRequires:  maven-local
@@ -124,7 +123,6 @@ SLF4J Source JARs.
 
 %prep
 %setup -q
-%patch0 -p1
 find . -name "*.jar" | xargs rm
 cp -p %{SOURCE1} APACHE-LICENSE
 
@@ -213,6 +211,10 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
 %{_defaultdocdir}/%{name}-manual
 
 %changelog
+* Wed Feb 27 2019 Marian Koncek <mkoncek@redhat.com> - 0:1.7.26-1
+- Update to upstream version 1.7.26
+- Fixes: RHBZ #1678877
+
 * Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4
 - Disallow EventData deserialization by default (CVE-2018-8088)
 - Resolves rhbz#1549928

sources

@@ -1,2 +1,2 @@
-SHA512 (slf4j-1.7.25.tar.gz) = 4f6a02ff542b1e8333d06d94d0dd604f6101b67e73bc348c224c26b0f503ac5a6cb14711526a659e3670bd724b65a0d9165aff926e10090b8ef60f34767bbce5
+SHA512 (slf4j-1.7.26.tar.gz) = a033aca563914d3a718dfad2b47c20cb84e734c2450c75d0c4cb42438ac2c2f993b9cae44eaab91d1f9daba925162bf5c7601926c7564737d45442a0ed52829c
 SHA512 (LICENSE-2.0.txt) = 98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8