Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xstream for openSUSE:Factory checked in at 2021-09-28 19:16:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xstream (Old) and /work/SRC/openSUSE:Factory/.xstream.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xstream" Tue Sep 28 19:16:39 2021 rev:7 rq:921981 version:1.4.18 Changes: --------
--- /work/SRC/openSUSE:Factory/xstream/xstream.changes 2021-06-04 22:44:50.607240274 +0200
+++ /work/SRC/openSUSE:Factory/.xstream.new.1899/xstream.changes 2021-09-28 19:17:31.868254877 +0200
@@ -1,0 +2,41 @@
+Tue Sep 28 05:49:16 UTC 2021 - Fridrich Strba <fst...@suse.com>
+
+- Upgrade to 1.4.18
+ * Security fixes
+ + This maintenance release addresses following security
+ vulnerabilities, when unmarshalling with an XStream instance
+ using the default blacklist of an uninitialized security
+ framework. XStream is therefore now using a whitelist by
+ default. (CVE-2021-39139, CVE-2021-39140, CVE-2021-39141,
+ CVE-2021-39144, CVE-2021-39145, CVE-2021-39146,
+ CVE-2021-39147, CVE-2021-39148, CVE-2021-39149,
+ CVE-2021-39150, CVE-2021-39151, CVE-2021-39152,
+ CVE-2021-39153, CVE-2021-39154, bsc#1189798)
+ * Minor changes
+ + Support serializable types with non-serializable parent with
+ PureJavaReflectionConverter.
+ * Stream compatibility
+ + Starting with version 1.14.12 nine years ago, XStream contains
+ a Security Framework to implement a black- or whitelist for
+ the allowed types at deserialization time. Until version
+ 1.4.17, XStream kept a default blacklist in order to deny all
+ types of the Java runtime, which are used for all kinds of
+ security attacks, in order to guarantee optimal runtime
+ compatibility for existing users. However, this approach has
+ failed. The last months have shown, that the Java runtime
+ alone contains dozens of types that can be used for an attack,
+ not even looking at the 3rd party libraries on a classpath.
+ The new version of XStream uses therefore now by default a
+ whitelist, which is recommended since nine years. It also has
+ been complaining on the console for a long time about an
+ uninitialized security framework the first time it was run.
+ Anyone who has followed the advice and initialized the
+ security framework for their own scenario can easily update
+ to the new version without any problem. Everyone else will
+ have to do a proper initialization now, otherwise the new
+ version will fail with certainty at deserialization time.
+- Modified patch:
+ * Revert-MXParser-changes.patch
+ + rediff to changed context
+
+------------------------------------------------------------------- Old: ---- xstream-distribution-1.4.17-src.zip New: ---- xstream-distribution-1.4.18-src.zip ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xstream.spec ++++++
--- /var/tmp/diff_new_pack.JcA3ud/_old 2021-09-28 19:17:32.500255605 +0200
+++ /var/tmp/diff_new_pack.JcA3ud/_new 2021-09-28 19:17:32.504255611 +0200
@@ -19,7 +19,7 @@ %bcond_with hibernate Name: xstream
-Version: 1.4.17
+Version: 1.4.18
Release: 0 Summary: Java XML serialization library License: BSD-3-Clause ++++++ Revert-MXParser-changes.patch ++++++
--- /var/tmp/diff_new_pack.JcA3ud/_old 2021-09-28 19:17:32.528255638 +0200
+++ /var/tmp/diff_new_pack.JcA3ud/_new 2021-09-28 19:17:32.528255638 +0200
@@ -1,5 +1,5 @@
---- xstream-1.4.16/pom.xml 2021-03-13 00:23:06.000000000 +0100
-+++ xstream-1.4.16/pom.xml 2021-04-15 15:42:54.386563880 +0200
+--- xstream-1.4.18/pom.xml 2021-08-22 13:58:10.000000000 +0200
++++ xstream-1.4.18/pom.xml 2021-09-28 07:44:32.141757059 +0200 @@ -576,13 +576,13 @@ </dependency>
@@ -34,12 +34,12 @@ <version.commons.lang>2.4</version.commons.lang> <version.dom4j>1.6.1</version.dom4j> <version.hsqldb>2.2.8</version.hsqldb>
-- <version.io.github.x-stream.mxparser>1.2.1</version.io.github.x-stream.mxparser>
+- <version.io.github.x-stream.mxparser>1.2.2</version.io.github.x-stream.mxparser> <version.javaassist>3.12.1.GA</version.javaassist> <version.javax.activation>1.1.1</version.javax.activation> <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
---- xstream-1.4.16/xstream/pom.xml 2021-03-13 00:23:06.000000000 +0100
-+++ xstream-1.4.16/xstream/pom.xml 2021-04-15 15:41:49.950193229 +0200
+--- xstream-1.4.18/xstream/pom.xml 2021-08-22 13:58:10.000000000 +0200
++++ xstream-1.4.18/xstream/pom.xml 2021-09-28 07:43:49.593498733 +0200
@@ -69,8 +69,8 @@ </dependency> @@ -59,8 +59,8 @@ </dependency> <dependency> ---- xstream-1.4.16/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java 1970-01-01 01:00:00.000000000 +0100 +--- xstream-1.4.18/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java 1970-01-01 01:00:00.000000000 +0100 @@ -1,53 +0,0 @@ -/* - * Copyright (C) 2021 XStream Committers. @@ -115,8 +115,8 @@ - return new MXParser(); - } -} ---- xstream-1.4.16/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java 1970-01-01 01:00:00.000000000 +0100 +--- xstream-1.4.18/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java 1970-01-01 01:00:00.000000000 +0100 @@ -1,55 +0,0 @@ -/* - * Copyright (C) 2021 XStream Committers. @@ -173,8 +173,8 @@ - return new MXParser(); - } -} ---- xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java 2021-04-15 15:45:40.355519216 +0200 +--- xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java 2021-09-28 07:43:49.593498733 +0200 @@ -16,7 +16,7 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier; 
@@ -193,8 +193,8 @@ ByteArrayOutputStream buffer = new ByteArrayOutputStream(); HierarchicalStreamWriter binaryWriter = new BinaryStreamWriter(buffer); ---- xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java 2021-04-15 15:48:20.244440952 +0200 +--- xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java 2021-09-28 07:43:49.593498733 +0200 @@ -16,7 +16,7 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest; @@ -213,8 +213,8 @@ StringWriter buffer = new StringWriter(); HierarchicalStreamWriter destinationWriter = new CompactWriter(buffer); ---- xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java 2021-04-15 15:46:14.723717329 +0200 +--- xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java 2021-09-28 07:43:49.593498733 +0200 @@ -27,8 +27,6 @@ import com.thoughtworks.xstream.io.xml.JDomDriver; import com.thoughtworks.xstream.io.xml.KXml2DomDriver; 
@@ -233,8 +233,8 @@ addDriverTest(new Xpp3DomDriver()); addDriverTest(new Xpp3Driver()); addDriverTest(new XppDomDriver()); ---- xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java 1970-01-01 01:00:00.000000000 +0100 +--- xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java 1970-01-01 01:00:00.000000000 +0100 @@ -1,41 +0,0 @@ -/* - * Copyright (C) 2021 XStream Committers. @@ -277,9 +277,9 @@ - - // inherits tests from superclass -} ---- xstream-1.4.16/xstream-distribution/src/content/changes.html 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream-distribution/src/content/changes.html 2021-04-15 15:41:49.950193229 +0200 -@@ -55,12 +55,6 @@ +--- xstream-1.4.18/xstream-distribution/src/content/changes.html 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream-distribution/src/content/changes.html 2021-09-28 07:43:49.597498756 +0200 +@@ -122,12 +122,6 @@ <li><a href="CVE-2021-21351.html">CVE-2021-21351</a></li> </ul> @@ -292,8 +292,8 @@ <h2>Minor changes</h2> <ul> ---- xstream-1.4.16/xstream-distribution/src/content/download.html 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream-distribution/src/content/download.html 2021-04-15 15:41:49.950193229 +0200 +--- xstream-1.4.18/xstream-distribution/src/content/download.html 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream-distribution/src/content/download.html 2021-09-28 07:43:49.597498756 +0200 @@ -55,14 +55,11 @@ <h1 id="optional-deps">Optional Dependencies</h1> 
@@ -325,8 +325,8 @@ </ul> </li> </ul> ---- xstream-1.4.16/xstream-jmh/pom.xml 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream-jmh/pom.xml 2021-04-15 15:41:49.950193229 +0200 +--- xstream-1.4.18/xstream-jmh/pom.xml 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream-jmh/pom.xml 2021-09-28 07:43:49.597498756 +0200 @@ -175,13 +175,13 @@ </dependency> <!-- parser --> @@ -344,8 +344,8 @@ <scope>runtime</scope> </dependency> <dependency> ---- xstream-1.4.16/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java 2021-04-15 15:41:49.950193229 +0200 +--- xstream-1.4.18/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java 2021-09-28 07:43:49.597498756 +0200 @@ -37,7 +37,7 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter; import com.thoughtworks.xstream.io.HierarchicalStreamReader; @@ -364,8 +364,8 @@ xstream.addPermission(NoTypePermission.NONE); xstream.addPermission(ArrayTypePermission.ARRAYS); xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); ---- xstream-1.4.16/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java 2021-04-15 15:41:49.950193229 +0200 +--- xstream-1.4.18/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java 2021-09-28 07:43:49.597498756 +0200 
@@ -44,7 +44,6 @@ import com.thoughtworks.xstream.io.xml.JDom2Driver; import com.thoughtworks.xstream.io.xml.JDomDriver; @@ -387,8 +387,8 @@ * Factory for the {@link Xpp3Driver}. * * @since 1.4.9 ---- xstream-1.4.16/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java 2021-03-13 00:23:06.000000000 +0100 -+++ xstream-1.4.16/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java 2021-04-15 15:41:49.950193229 +0200 +--- xstream-1.4.18/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java 2021-08-22 13:58:10.000000000 +0200 ++++ xstream-1.4.18/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java 2021-09-28 07:43:49.597498756 +0200 @@ -37,7 +37,6 @@ import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter; import com.thoughtworks.xstream.core.util.WeakCache;