Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package kafka-kit for openSUSE:Factory checked in at 2021-12-21 18:40:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kafka-kit (Old)
 and      /work/SRC/openSUSE:Factory/.kafka-kit.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kafka-kit" Tue Dec 21 18:40:49 2021 rev:2 rq:941845 version:2.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/kafka-kit/kafka-kit.changes 2019-12-10 22:40:50.745844229 +0100 +++ /work/SRC/openSUSE:Factory/.kafka-kit.new.2520/kafka-kit.changes 2021-12-21 18:41:26.861917791 +0100 @@ -1,0 +2,6 @@ +Thu Dec 16 18:47:53 UTC 2021 - Jan Zerebecki <[email protected]> + +- Remove JMSAppender from log4j jars during build to + prevent bsc#1193662, CVE-2021-4104 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kafka-kit.spec ++++++ --- /var/tmp/diff_new_pack.qbDQsM/_old 2021-12-21 18:41:28.481919245 +0100 +++ /var/tmp/diff_new_pack.qbDQsM/_new 2021-12-21 18:41:28.481919245 +0100 @@ -1,7 +1,7 @@ # # spec file for package kafka-kit # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -22,7 +22,7 @@ Summary: Build-time dependency of project "kafka" License: BSD-3-Clause Group: Development/Libraries/Java -Url: https://github.com/SilvioMoioli/tetra +URL: https://github.com/SilvioMoioli/tetra # This tarball needs to be generated from the source tarball shipped with the # matching kafka package using Tetra (ruby2.2-rubygem-tetra). You will find # detailed instructions for generating it in README.updating. This is neccessary 
@@ -38,6 +38,7 @@ ExclusiveArch: x86_64 BuildRequires: fdupes BuildRequires: xz +BuildRequires: zip # https://www.virustotal.com/en/file/3a8dc4a12ab9f3607a1a2097bbab0150c947ad6719d8f1bb6d5b47d0fb0c4779/analysis/1491457251/ #!BuildIgnore: post-build-checks-malwarescan Provides: tetra-kit @@ -54,6 +55,11 @@ %build # nothing to do, precompiled by design +# avoid log4j security bugs by removing classes +#zip error: Nothing to do! (./kit/apache-ant-1.9.7/lib/ant-apache-log4j.jar) +#zip error: Nothing to do! (./kit/gradle-5.1/lib/log4j-over-slf4j-1.7.25.jar) +zip -q -d gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/log4j/net/JMSAppender.class +#zip error: Nothing to do! (./kit/gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-log4j12/1.7.25/110cefe2df103412849d72ef7a67e4e91e4266b4/slf4j-log4j12-1.7.25.jar) %install export NO_BRP_CHECK_BYTECODE_VERSION=true
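Review bot: The new kafka-kit.changes entry names only JMSAppender and CVE-2021-4104, while the zip command added to the spec's %build section also lists org/apache/logging/log4j/core/lookup/JndiLookup.class. Either mention that second class in the entry or drop it from the command, so the changelog matches what the build does. The wording "to prevent bsc#1193662" would also read more clearly as "to address bsc#1193662".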
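Review bot: In the %build hunk, nothing after the "zip -q -d" line verifies that org/apache/log4j/net/JMSAppender.class is actually gone from log4j-1.2.17.jar, and the same command names org/apache/logging/log4j/core/lookup/JndiLookup.class, a log4j 2.x path that a 1.2.17 jar is not expected to contain. Suggest removing the JndiLookup argument (or saying in the comment why it is there) and adding a listing check after the deletion that fails the build if the jar still contains JMSAppender.class, for example with "unzip -l" (which would need unzip in BuildRequires). The jar path in the active command starts at gradle/caches/ while the three commented "Nothing to do!" lines use ./kit/ paths, so please confirm the working directory, and state in the comment that those three jars were checked and contain neither class, since the raw zip error text alone does not say that.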
