diff --git a/.gitignore b/.gitignore index e718820..3df801c 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ slf4j-1.6.1.tar.gz /slf4j-1.7.21.tar.gz /slf4j-1.7.22.tar.gz /slf4j-1.7.25.tar.gz +/slf4j-1.7.26.tar.gz diff --git a/0001-Disallow-EventData-deserialization-by-default.patch b/0001-Disallow-EventData-deserialization-by-default.patch deleted file mode 100644 index f77a14e..0000000 --- a/0001-Disallow-EventData-deserialization-by-default.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001 -From: Michael Simacek -Date: Mon, 19 Mar 2018 16:01:57 +0100 -Subject: [PATCH] Disallow EventData deserialization by default - ---- - .../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java -index dc5b502..fa5c125 100644 ---- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java -+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java -@@ -76,12 +76,21 @@ public class EventData implements Serializable { - */ - @SuppressWarnings("unchecked") - public EventData(String xml) { -- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); -- try { -- XMLDecoder decoder = new XMLDecoder(bais); -- this.eventData = (Map) decoder.readObject(); -- } catch (Exception e) { -- throw new EventException("Error decoding " + xml, e); -+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) { -+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); -+ try { -+ XMLDecoder decoder = new XMLDecoder(bais); -+ this.eventData = (Map) decoder.readObject(); -+ } catch (Exception e) { -+ throw new EventException("Error decoding " + xml, e); -+ } -+ } else { -+ throw new UnsupportedOperationException( -+ "Constructing EventData from XML is vulnerable to remote " + -+ "excution and is not allowed by default. If you're " + -+ "completely sure the source data is trusted, you can enable " + -+ "it by setting org.slf4j.ext.allowInsecureDeserialization " + -+ "JVM property to 1"); - } - } - --- -2.14.3 - diff --git a/slf4j.spec b/slf4j.spec index 4baa0bd..fa185f2 100644 --- a/slf4j.spec +++ b/slf4j.spec @@ -29,15 +29,14 @@ # Name: slf4j -Version: 1.7.25 -Release: 4%{?dist} +Version: 1.7.26 +Release: 1%{?dist} Summary: Simple Logging Facade for Java # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT License: MIT and ASL 2.0 URL: http://www.slf4j.org/ Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt -Patch0: 0001-Disallow-EventData-deserialization-by-default.patch BuildArch: noarch BuildRequires: maven-local @@ -124,7 +123,6 @@ SLF4J Source JARs. %prep %setup -q -%patch0 -p1 find . -name "*.jar" | xargs rm cp -p %{SOURCE1} APACHE-LICENSE @@ -213,6 +211,10 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual %{_defaultdocdir}/%{name}-manual %changelog +* Wed Feb 27 2019 Marian Koncek - 0:1.7.26-1 +- Update to upstream version 1.7.26 +- Fixes: RHBZ #1678877 + * Mon Mar 19 2018 Michael Simacek - 0:1.7.25-4 - Disallow EventData deserialization by default (CVE-2018-8088) - Resolves rhbz#1549928 diff --git a/sources b/sources index 39e2943..2b75617 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (slf4j-1.7.25.tar.gz) = 4f6a02ff542b1e8333d06d94d0dd604f6101b67e73bc348c224c26b0f503ac5a6cb14711526a659e3670bd724b65a0d9165aff926e10090b8ef60f34767bbce5 +SHA512 (slf4j-1.7.26.tar.gz) = a033aca563914d3a718dfad2b47c20cb84e734c2450c75d0c4cb42438ac2c2f993b9cae44eaab91d1f9daba925162bf5c7601926c7564737d45442a0ed52829c SHA512 (LICENSE-2.0.txt) = 98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8