diff --git a/.gitignore b/.gitignore
index ad00ef6..17e801f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/slf4j-1.7.25.tar.gz
+SOURCES/slf4j-1.7.28.tar.gz
diff --git a/.slf4j.metadata b/.slf4j.metadata
index 3209f5d..c799724 100644
--- a/.slf4j.metadata
+++ b/.slf4j.metadata
@@ -1 +1 @@
-f564e3825b62172e81874ec73fafcc2747fb3d3b SOURCES/slf4j-1.7.25.tar.gz
+f57e8e97d434bdcd8ba87ab9933d8de64bafb071 SOURCES/slf4j-1.7.28.tar.gz
diff --git a/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch b/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch
deleted file mode 100644
index f77a14e..0000000
--- a/SOURCES/0001-Disallow-EventData-deserialization-by-default.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
-From: Michael Simacek
-Date: Mon, 19 Mar 2018 16:01:57 +0100
-Subject: [PATCH] Disallow EventData deserialization by default
-
----
- .../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-index dc5b502..fa5c125 100644
---- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
-@@ -76,12 +76,21 @@ public class EventData implements Serializable {
- */
- @SuppressWarnings("unchecked")
- public EventData(String xml) {
-- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-- try {
-- XMLDecoder decoder = new XMLDecoder(bais);
-- this.eventData = (Map) decoder.readObject();
-- } catch (Exception e) {
-- throw new EventException("Error decoding " + xml, e);
-+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
-+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-+ try {
-+ XMLDecoder decoder = new XMLDecoder(bais);
-+ this.eventData = (Map) decoder.readObject();
-+ } catch (Exception e) {
-+ throw new EventException("Error decoding " + xml, e);
-+ }
-+ } else {
-+ throw new UnsupportedOperationException(
-+ "Constructing EventData from XML is vulnerable to remote " +
-+ "excution and is not allowed by default. If you're " +
-+ "completely sure the source data is trusted, you can enable " +
-+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
-+ "JVM property to 1");
- }
- }
-
---
-2.14.3
-
diff --git a/SPECS/slf4j.spec b/SPECS/slf4j.spec
index c16bcea..c3c3e6c 100644
--- a/SPECS/slf4j.spec
+++ b/SPECS/slf4j.spec
@@ -29,23 +29,18 @@ # Name: slf4j -Version: 1.7.25 -Release: 4%{?dist} -Epoch: 0 +Version: 1.7.28 +Release: 3%{?dist} Summary: Simple Logging Facade for Java # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT License: MIT and ASL 2.0 URL: http://www.slf4j.org/ Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt -Patch0: 0001-Disallow-EventData-deserialization-by-default.patch BuildArch: noarch -BuildRequires: maven-local -BuildRequires: mvn(ch.qos.cal10n:cal10n-api) -BuildRequires: mvn(commons-lang:commons-lang) +BuildRequires: maven-local-openjdk8 BuildRequires: mvn(commons-logging:commons-logging) -BuildRequires: mvn(javassist:javassist) BuildRequires: mvn(log4j:log4j:1.2.17) BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin) @@ -63,11 +58,8 @@ SLF4J interfaces directly, e.g. NLOG4J or SimpleLogger. Alternatively, it is possible (and rather easy) to write SLF4J adapters for the given API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter.. -%package javadoc -Summary: API documentation for %{name} - -%description javadoc -This package provides %{summary}. +%{?module_package} +%{?javadoc_package} %package manual Summary: Manual for %{name} @@ -93,16 +85,10 @@ Summary: SLF4J JCL Binding %description jcl SLF4J JCL Binding. -%package ext -Summary: SLF4J Extensions Module - -%description ext -Extensions to the SLF4J API. - -%package -n jcl-over-slf4j +%package -n %{?module_prefix}jcl-over-slf4j Summary: JCL 1.1.1 implemented over SLF4J -%description -n jcl-over-slf4j +%description -n %{?module_prefix}jcl-over-slf4j JCL 1.1.1 implemented over SLF4J. %package -n log4j-over-slf4j 
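Review bot: `Source0` and `URL` in the first hunk still use `http://www.slf4j.org/...` even though this commit moves to a new upstream tarball. Anyone refreshing the tarball from that URL fetches it over plaintext, and the only integrity anchor visible in this diff is the 40-hex-digit digest in `.slf4j.metadata`. I would change the line to `Source0: https://www.slf4j.org/dist/%{name}-%{version}.tar.gz`. If upstream publishes checksums or signatures, verify the download against them before recording the new digest.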
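Review bot: The third hunk drops the `ext` subpackage, but no `Obsoletes:` is added anywhere in this diff, so an already installed `slf4j-ext` from 1.7.25 may remain on upgraded systems. How the module macros handle this is not visible here. That subpackage is the one that carried the EventData deserialization patch, so it is worth retiring explicitly, for example with `Obsoletes: %{name}-ext < 1.7.26-2` on the main package. The version there comes from the changelog entry that disabled the module. The surrounding `%package` sections continue outside the hunk.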
@@ -125,13 +111,13 @@ SLF4J Source JARs. %prep %setup -q -%patch0 -p1 find . -name "*.jar" | xargs rm cp -p %{SOURCE1} APACHE-LICENSE %pom_disable_module integration %pom_disable_module osgi-over-slf4j %pom_disable_module slf4j-android +%pom_disable_module slf4j-ext %pom_disable_module slf4j-migrator # Because of a non-ASCII comment in slf4j-api/src/main/java/org/slf4j/helpers/MessageFormatter.java @@ -179,7 +165,7 @@ sed -i "/Import-Package/s/.$/;resolution:=optional&/" slf4j-api/src/main/resourc %mvn_package :%{name}-nop %build -%mvn_build -f -s +%mvn_build -f -s -- -Drequired.jdk.version=1.6 %install # Compat symlinks 
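Review bot: `%pom_disable_module slf4j-ext` in `%prep` has no comment saying that it now stands in for the removed `%patch0` as the CVE-2018-8088 mitigation. Without one, a later maintainer could re-enable the module and ship `EventData(String xml)` with its `XMLDecoder` call again, if upstream 1.7.28 still contains that constructor (not visible on this page). I would add above the line: `# slf4j-ext is disabled instead of carrying the EventData patch (CVE-2018-8088); do not re-enable without re-checking its XMLDecoder use`. The `%prep` section continues outside the hunk.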
@@ -192,28 +178,43 @@ install -d -m 0755 $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual rm -rf target/site/{.htaccess,apidocs} cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual -%files -f .mfiles +%files -n %{?module_prefix}%{name} -f .mfiles %license LICENSE.txt APACHE-LICENSE %files jdk14 -f .mfiles-%{name}-jdk14 %files log4j12 -f .mfiles-%{name}-log4j12 %files jcl -f .mfiles-%{name}-jcl -%files ext -f .mfiles-%{name}-ext -%files -n jcl-over-slf4j -f .mfiles-jcl-over-slf4j +%files -n %{?module_prefix}jcl-over-slf4j -f .mfiles-jcl-over-slf4j %files -n log4j-over-slf4j -f .mfiles-log4j-over-slf4j %files -n jul-to-slf4j -f .mfiles-jul-to-slf4j %files sources -f .mfiles-sources %license LICENSE.txt APACHE-LICENSE -%files javadoc -f .mfiles-javadoc -%license LICENSE.txt APACHE-LICENSE - %files manual %license LICENSE.txt APACHE-LICENSE %{_defaultdocdir}/%{name}-manual %changelog +* Sat Jan 25 2020 Mikolaj Izdebski - 1.7.28-3 +- Build with OpenJDK 8 + +* Tue Nov 05 2019 Mikolaj Izdebski - 1.7.28-2 +- Mass rebuild for javapackages-tools 201902 + +* Tue Aug 13 2019 Marian Koncek - 1.7.28-1 +- Update to upstream version 1.7.28 + +* Fri May 24 2019 Mikolaj Izdebski - 1.7.26-3 +- Mass rebuild for javapackages-tools 201901 + +* Fri May 24 2019 Mikolaj Izdebski - 1.7.26-2 +- Disable slf4j-ext module + +* Wed Feb 27 2019 Marian Koncek - 0:1.7.26-1 +- Update to upstream version 1.7.26 +- Fixes: RHBZ #1678877 + * Mon Mar 19 2018 Michael Simacek - 0:1.7.25-4 - Disallow EventData deserialization by default (CVE-2018-8088) - Resolves rhbz#1549928