Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package jdom2 for openSUSE:Factory checked 
in at 2021-06-29 22:43:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jdom2 (Old)
 and      /work/SRC/openSUSE:Factory/.jdom2.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jdom2"

Tue Jun 29 22:43:37 2021 rev:3 rq:903078 version:2.0.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/jdom2/jdom2.changes      2019-10-04 
11:22:29.648933748 +0200
+++ /work/SRC/openSUSE:Factory/.jdom2.new.2625/jdom2.changes    2021-06-29 
22:44:20.910959860 +0200
@@ -1,0 +2,8 @@
+Thu Jun 17 09:17:40 UTC 2021 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1187446, CVE-2021-33813]
+  * XXE issue in SAXBuilder can cause a denial of service via
+    a crafted HTTP request
+- Add jdom2-CVE-2021-33813.patch
+
+-------------------------------------------------------------------

New:
----
  jdom2-CVE-2021-33813.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jdom2.spec ++++++
--- /var/tmp/diff_new_pack.t0KLFg/_old  2021-06-29 22:44:21.326960408 +0200
+++ /var/tmp/diff_new_pack.t0KLFg/_new  2021-06-29 22:44:21.330960414 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package jdom2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,6 +31,8 @@
 # Disable gpg signatures
 # Process contrib and junit pom files
 Patch0:         0001-Adapt-build.patch
+# PATCH-FIX-UPSTREAM bsc#1187446 CVE-2021-33813 Fix XXE issue in SAXBuilder
+Patch1:         jdom2-CVE-2021-33813.patch
 BuildRequires:  ant
 BuildRequires:  ant-junit
 BuildRequires:  fdupes
@@ -65,6 +67,7 @@
 find -name '*.class' -delete
 
 %patch0 -p1
+%patch1 -p1
 
 cp -p %{SOURCE1} maven/contrib.pom
 cp -p %{SOURCE2} maven/junit.pom
@@ -74,11 +77,10 @@
 # Unable to run coverage: use log4j12 but switch to log4j 2.x
 sed -i.coverage "s|coverage, jars|jars|" build.xml
 
+%build
 mkdir lib
 build-jar-repository lib xerces-j2 xml-commons-apis jaxen junit isorelax 
xalan-j2 xalan-j2-serializer
-
-%build
-ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 
-Dj2se.apidoc=%{_javadocdir}/java maven
+%ant -Dversion=%{version} -Dcompile.target=6 -Dcompile.source=6 
-Dj2se.apidoc=%{_javadocdir}/java maven
 
 %install
 # jar

++++++ jdom2-CVE-2021-33813.patch ++++++
>From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001
From: Esti <esther.b...@gmail.com>
Date: Thu, 18 Feb 2021 16:40:01 +0200
Subject: [PATCH] fix setFeature bug and add test case

---
 core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------
 .../test/cases/input/TestSAXBuilder.java      | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java 
b/core/src/java/org/jdom2/input/SAXBuilder.java
index d7105ec6..a1462334 100644
--- a/core/src/java/org/jdom2/input/SAXBuilder.java
+++ b/core/src/java/org/jdom2/input/SAXBuilder.java
@@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, 
final SAXHandler contentH
                        }
                }
 
-               // Set any user-specified features on the parser.
-               for (final Map.Entry<String, Boolean> me : features.entrySet()) 
{
-                       internalSetFeature(parser, me.getKey(), 
me.getValue().booleanValue(), me.getKey());
-               }
-
                // Set any user-specified properties on the parser.
                for (final Map.Entry<String, Object> me : 
properties.entrySet()) {
                        internalSetProperty(parser, me.getKey(), me.getValue(), 
me.getKey());
@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, 
final SAXHandler contentH
                                // No lexical reporting available
                        }
                }
-
+               // Set any user-specified features on the parser.
+               for (final Map.Entry<String, Boolean> me : features.entrySet()) 
{
+                       internalSetFeature(parser, me.getKey(), 
me.getValue().booleanValue(), me.getKey());
+               }
        }
 
        /**
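Review bot: The re-added loop at the end of configureParser carries over the old comment `// Set any user-specified features on the parser.`, which does not say that running it last is deliberate, so a later tidy-up could move it back above the builder's own feature calls without any compile-time or test signal. Suggest `// Set any user-specified features LAST so they override the defaults configured above (CVE-2021-33813: a caller's setFeature(..., false) must not be undone later in this method).` The code between the two hunks (old lines 977–1001 of SAXBuilder.java) is not visible here, so the claim that it sets conflicting features is inferred from the changelog entry rather than from the lines shown. configureParser begins before the first hunk; the removal at the first hunk and this addition are the two halves of the same reordering.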
diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java 
b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
index 4ef34834..a69380ba 100644
--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
@@ -600,6 +600,26 @@ public void testSetFeature() {
                }
        }
 
+       @Test
+       public void testSetExternalFeature() {
+               String feature = 
"http://xml.org/sax/features/external-general-entities";;
+               MySAXBuilder sb = new MySAXBuilder();
+               try {
+                       sb.setFeature(feature, true);
+                       XMLReader reader = sb.createParser();
+                       assertNotNull(reader);
+                       assertTrue(reader.getFeature(feature));
+                       sb.setFeature(feature, false);
+                       reader = sb.createParser();
+                       assertNotNull(reader);
+                       assertFalse(reader.getFeature(feature));
+
+               } catch (Exception e) {
+                       e.printStackTrace();
+                       fail("Could not create parser: " + e.getMessage());
+               }
+       }
+
        @Test
        public void testSetProperty() {
                LexicalHandler lh = new LexicalHandler() {
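Review bot: The new test wraps everything in `catch (Exception e)`, prints the stack trace and then fails with only `e.getMessage()`, which loses the cause chain from the test report; declaring `public void testSetExternalFeature() throws Exception {` and dropping the try/catch gives a shorter method and a full trace on failure. The assertions only confirm that reader.getFeature(feature) mirrors the last setFeature call, not that a document declaring an external entity is left unexpanded when the feature is false, so the test does not pin the behaviour the patch is shipped for; a follow-up case that parses a small document declaring an external general entity with setFeature(feature, false) and asserts it is not resolved would cover that. The `;;` ending the feature-string line is an empty statement that javac accepts, but it may be a mailing-list rendering artifact and is worth checking against the applied patch file.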
