Hello community, here is the log from the commit of package slf4j for openSUSE:Factory checked in at 2019-12-23 22:38:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/slf4j (Old) and /work/SRC/openSUSE:Factory/.slf4j.new.6675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "slf4j" Mon Dec 23 22:38:56 2019 rev:22 rq:758086 version:1.7.25 Changes: -------- --- /work/SRC/openSUSE:Factory/slf4j/slf4j-sources.changes 2019-10-07 13:42:15.696137708 +0200 +++ /work/SRC/openSUSE:Factory/.slf4j.new.6675/slf4j-sources.changes 2019-12-23 22:41:51.269935117 +0100 @@ -1,0 +2,12 @@ +Wed Dec 18 09:09:30 UTC 2019 - Fridrich Strba <[email protected]> + +- Use the source tarball from github, since the previous one is + not accessible anymore +- Modified patches: + * slf4j-Disallow-EventData-deserialization-by-default.patch + + Adapt to unix line-ends + * slf4j-commons-lang3.patch + + Adapt to unix line-ends + + Do not patch inexisting files + +------------------------------------------------------------------- slf4j.changes: same change Old: ---- slf4j-1.7.25.tar.gz New: ---- v_1.7.25.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ slf4j-sources.spec ++++++ --- /var/tmp/diff_new_pack.VGBxge/_old 2019-12-23 22:41:54.057936326 +0100 +++ /var/tmp/diff_new_pack.VGBxge/_new 2019-12-23 22:41:54.061936328 +0100 @@ -1,7 +1,7 @@ # -# spec file for package slf4j +# spec file for package slf4j-sources # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LLC # Copyright (c) 2000-2009, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -26,7 +26,7 @@ License: MIT AND Apache-2.0 Group: Development/Libraries/Java URL: http://www.slf4j.org/ -Source0: http://www.slf4j.org/dist/%{base_name}-%{version}.tar.gz +Source0: https://github.com/qos-ch/%{base_name}/archive/v_%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt Patch2: slf4j-commons-lang3.patch Patch3: slf4j-Disallow-EventData-deserialization-by-default.patch @@ -42,7 +42,7 @@ SLF4J Source JARs. %prep -%setup -q -n %{base_name}-%{version} +%setup -q -n %{base_name}-v_%{version} %patch2 -p1 %patch3 -p1 find . -name "*.jar" | xargs rm ++++++ slf4j.spec ++++++ --- /var/tmp/diff_new_pack.VGBxge/_old 2019-12-23 22:41:54.077936336 +0100 +++ /var/tmp/diff_new_pack.VGBxge/_new 2019-12-23 22:41:54.077936336 +0100 @@ -1,7 +1,7 @@ # # spec file for package slf4j # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LLC # Copyright (c) 2000-2009, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -25,7 +25,7 @@ License: MIT AND Apache-2.0 Group: Development/Libraries/Java URL: http://www.slf4j.org/ -Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz +Source0: https://github.com/qos-ch/%{name}/archive/v_%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt Source2: build.xml.tar.bz2 Patch1: build-remove-slf4j_api-binder.patch @@ -133,7 +133,7 @@ JUL to SLF4J bridge. %prep -%setup -q -a2 +%setup -q -n %{name}-v_%{version} -a2 %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -161,7 +161,7 @@ # # during build time, it is necessary to mark the imported package as an # # optional one. # # Reported upstream: http://bugzilla.slf4j.org/show_bug.cgi?id=283 -sed -i "/Import-Package/s/.$/;resolution:=optional&/" slf4j-api/src/main/resources/META-INF/MANIFEST.MF +sed -i "/Import-Package/s/$/;resolution:=optional/" slf4j-api/src/main/resources/META-INF/MANIFEST.MF %pom_change_dep -r -f ::::: ::::: ++++++ slf4j-Disallow-EventData-deserialization-by-default.patch ++++++ --- /var/tmp/diff_new_pack.VGBxge/_old 2019-12-23 22:41:54.117936352 +0100 +++ /var/tmp/diff_new_pack.VGBxge/_new 2019-12-23 22:41:54.117936352 +0100 @@ -3,37 +3,37 @@ --- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java +++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java @@ -76,12 +76,21 @@ public class EventData implements Serial - */ - @SuppressWarnings("unchecked") - public EventData(String xml) { -- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); -- try { -- XMLDecoder decoder = new XMLDecoder(bais); -- this.eventData = (Map<String, Object>) decoder.readObject(); -- } catch (Exception e) { -- throw new EventException("Error decoding " + xml, e); -+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) { -+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); -+ try { -+ XMLDecoder decoder = new XMLDecoder(bais); -+ this.eventData = (Map<String, Object>) decoder.readObject(); -+ } catch (Exception e) { -+ throw new EventException("Error decoding " + xml, e); -+ } -+ } else { -+ throw new UnsupportedOperationException( -+ "Constructing EventData from XML is vulnerable to remote " + -+ "excution and is not allowed by default. If you're " + -+ "completely sure the source data is trusted, you can enable " + -+ "it by setting org.slf4j.ext.allowInsecureDeserialization " + -+ "JVM property to 1"); - } - } - + */ + @SuppressWarnings("unchecked") + public EventData(String xml) { +- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); +- try { +- XMLDecoder decoder = new XMLDecoder(bais); +- this.eventData = (Map<String, Object>) decoder.readObject(); +- } catch (Exception e) { +- throw new EventException("Error decoding " + xml, e); ++ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) { ++ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); ++ try { ++ XMLDecoder decoder = new XMLDecoder(bais); ++ this.eventData = (Map<String, Object>) decoder.readObject(); ++ } catch (Exception e) { ++ throw new EventException("Error decoding " + xml, e); ++ } ++ } else { ++ throw new UnsupportedOperationException( ++ "Constructing EventData from XML is vulnerable to remote " + ++ "excution and is not allowed by default. If you're " + ++ "completely sure the source data is trusted, you can enable " + ++ "it by setting org.slf4j.ext.allowInsecureDeserialization " + ++ "JVM property to 1"); + } + } + @@ -302,4 +311,4 @@ public class EventData implements Serial - public int hashCode() { - return this.eventData.hashCode(); - } + public int hashCode() { + return this.eventData.hashCode(); + } -} \ No newline at end of file -+} ++} ++++++ slf4j-commons-lang3.patch ++++++ --- /var/tmp/diff_new_pack.VGBxge/_old 2019-12-23 22:41:54.121936355 +0100 +++ /var/tmp/diff_new_pack.VGBxge/_new 2019-12-23 22:41:54.121936355 +0100 @@ -1,148 +1,42 @@ ---- slf4j-1.7.25/site/apidocs/org/slf4j/ext/MDCStrLookup.html 2017-03-16 17:20:38.000000000 +0100 -+++ slf4j-1.7.25/site/apidocs/org/slf4j/ext/MDCStrLookup.html 2018-10-22 12:34:24.777760087 +0200 -@@ -88,7 +88,7 @@ - <li><a href="http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Object.html?is-external=true"; title="class or interface in java.lang">java.lang.Object</a></li> - <li> - <ul class="inheritance"> --<li>org.apache.commons.lang.text.StrLookup</li> -+<li>org.apache.commons.lang3.text.StrLookup</li> - <li> - <ul class="inheritance"> - <li>org.slf4j.ext.MDCStrLookup</li> -@@ -103,7 +103,7 @@ - <hr> - <br> - <pre>public class <a href="../../../src-html/org/slf4j/ext/MDCStrLookup.html#line.36">MDCStrLookup</a> --extends org.apache.commons.lang.text.StrLookup</pre> -+extends org.apache.commons.lang3.text.StrLookup</pre> - <div class="block">This class can be used with the Commons Lang StrSubstitutor to replace - tokens that occur in Strings with their values in the MDC.</div> - <dl><dt><span class="strong">Author:</span></dt> -@@ -151,10 +151,10 @@ - </tr> - </table> - <ul class="blockList"> --<li class="blockList"><a name="methods_inherited_from_class_org.apache.commons.lang.text.StrLookup"> -+<li class="blockList"><a name="methods_inherited_from_class_org.apache.commons.lang3.text.StrLookup"> - <!-- --> - </a> --<h3>Methods inherited from class org.apache.commons.lang.text.StrLookup</h3> -+<h3>Methods inherited from class org.apache.commons.lang3.text.StrLookup</h3> - <code>mapLookup, noneLookup, systemPropertiesLookup</code></li> - </ul> - <ul class="blockList"> -@@ -205,7 +205,7 @@ - <div class="block">Looks up up a value in the MDC.</div> - <dl> - <dt><strong>Specified by:</strong></dt> --<dd><code>lookup</code> in class <code>org.apache.commons.lang.text.StrLookup</code></dd> -+<dd><code>lookup</code> in class <code>org.apache.commons.lang3.text.StrLookup</code></dd> - <dt><span class="strong">Parameters:</span></dt><dd><code>key</code> - the key to be looked up, may be null</dd> - <dt><span class="strong">Returns:</span></dt><dd>the matching value, null if no match</dd></dl> - </li> ---- slf4j-1.7.25/site/apidocs/org/slf4j/ext/package-tree.html 2017-03-16 17:20:39.000000000 +0100 -+++ slf4j-1.7.25/site/apidocs/org/slf4j/ext/package-tree.html 2018-10-22 12:34:02.781643219 +0200 -@@ -82,7 +82,7 @@ - <li type="circle">org.slf4j.ext.<a href="../../../org/slf4j/ext/XLogger.html" title="class in org.slf4j.ext"><span class="strong">XLogger</span></a> (implements org.slf4j.<a href="../../../org/slf4j/Logger.html" title="interface in org.slf4j">Logger</a>)</li> - </ul> - </li> --<li type="circle">org.apache.commons.lang.text.StrLookup -+<li type="circle">org.apache.commons.lang3.text.StrLookup - <ul> - <li type="circle">org.slf4j.ext.<a href="../../../org/slf4j/ext/MDCStrLookup.html" title="class in org.slf4j.ext"><span class="strong">MDCStrLookup</span></a></li> - </ul> ---- slf4j-1.7.25/site/apidocs/overview-tree.html 2017-03-16 17:20:42.000000000 +0100 -+++ slf4j-1.7.25/site/apidocs/overview-tree.html 2018-10-22 12:34:02.781643219 +0200 -@@ -198,7 +198,7 @@ - <li type="circle">org.slf4j.impl.<a href="org/slf4j/impl/StaticMarkerBinder.html" title="class in org.slf4j.impl"><span class="strong">StaticMarkerBinder</span></a> (implements org.slf4j.spi.<a href="org/slf4j/spi/MarkerFactoryBinder.html" title="interface in org.slf4j.spi">MarkerFactoryBinder</a>)</li> - <li type="circle">org.slf4j.impl.<a href="org/slf4j/impl/StaticMDCBinder.html" title="class in org.slf4j.impl"><span class="strong">StaticMDCBinder</span></a></li> - <li type="circle">org.slf4j.profiler.<a href="org/slf4j/profiler/StopWatch.html" title="class in org.slf4j.profiler"><span class="strong">StopWatch</span></a> (implements org.slf4j.profiler.<a href="org/slf4j/profiler/TimeInstrument.html" title="interface in org.slf4j.profiler">TimeInstrument</a>)</li> --<li type="circle">org.apache.commons.lang.text.StrLookup -+<li type="circle">org.apache.commons.lang3.text.StrLookup - <ul> - <li type="circle">org.slf4j.ext.<a href="org/slf4j/ext/MDCStrLookup.html" title="class in org.slf4j.ext"><span class="strong">MDCStrLookup</span></a></li> - </ul> ---- slf4j-1.7.25/site/extensions.html 2017-03-16 17:21:57.000000000 +0100 -+++ slf4j-1.7.25/site/extensions.html 2018-10-22 12:34:02.781643219 +0200 -@@ -602,7 +602,7 @@ - where data is a reference to the EventData object.</p> - - <pre class="prettyprint source">import org.slf4j.MDC; --import org.apache.commons.lang.time.DateUtils; -+import org.apache.commons.lang3.time.DateUtils; - - import javax.servlet.Filter; - import javax.servlet.FilterConfig; -@@ -832,7 +832,7 @@ - <p>Some classes may misbehave when being rendered with "object.toString()" so they may be explicitly disabled - in the logback configuration file permanently. For instance the ToStringBuilder in the Apache Jakarta commons lang - package is a prime candidate for this. For logback add this snippet to logback.xml: -- <pre><logger name="org.apache.commons.lang.builder" level="OFF" /></pre> -+ <pre><logger name="org.apache.commons.lang3.builder" level="OFF" /></pre> - </p> - - ---- slf4j-1.7.25/site/news.html 2017-03-16 17:21:57.000000000 +0100 -+++ slf4j-1.7.25/site/news.html 2018-10-22 12:34:02.781643219 +0200 -@@ -966,7 +966,7 @@ - used with Apache Commons Lang's <code>StrSubstitutor</code> class to - inject values in the SLF4J MDC into strings. Information on - StrSubstitutor can be found at <a -- href="http://commons.apache.org/lang/api-release/org/apache/commons/lang/text/StrSubstitutor.html";>StrSubstitutor -+ href="http://commons.apache.org/lang/api-release/org/apache/commons/lang3/text/StrSubstitutor.html";>StrSubstitutor - javadoc</a>. - </p> - ---- slf4j-1.7.25/site/xref/org/slf4j/ext/MDCStrLookup.html 2017-03-16 17:20:31.000000000 +0100 -+++ slf4j-1.7.25/site/xref/org/slf4j/ext/MDCStrLookup.html 2018-10-22 12:34:02.781643219 +0200 -@@ -34,7 +34,7 @@ - <a class="jxr_linenumber" name="24" href="#24">24</a> <em class="jxr_javadoccomment"> */</em> - <a class="jxr_linenumber" name="25" href="#25">25</a> <strong class="jxr_keyword">package</strong> org.slf4j.ext; - <a class="jxr_linenumber" name="26" href="#26">26</a> --<a class="jxr_linenumber" name="27" href="#27">27</a> <strong class="jxr_keyword">import</strong> org.apache.commons.lang.text.StrLookup; -+<a class="jxr_linenumber" name="27" href="#27">27</a> <strong class="jxr_keyword">import</strong> org.apache.commons.lang3.text.StrLookup; - <a class="jxr_linenumber" name="28" href="#28">28</a> <strong class="jxr_keyword">import</strong> org.slf4j.MDC; - <a class="jxr_linenumber" name="29" href="#29">29</a> - <a class="jxr_linenumber" name="30" href="#30">30</a> <em class="jxr_javadoccomment">/**</em> --- slf4j-1.7.25/slf4j-ext/src/main/java/org/slf4j/ext/MDCStrLookup.java 2016-12-22 19:54:22.000000000 +0100 +++ slf4j-1.7.25/slf4j-ext/src/main/java/org/slf4j/ext/MDCStrLookup.java 2018-10-22 12:34:02.781643219 +0200 @@ -24,7 +24,7 @@ - */ - package org.slf4j.ext; - --import org.apache.commons.lang.text.StrLookup; -+import org.apache.commons.lang3.text.StrLookup; - import org.slf4j.MDC; - - /** + */ + package org.slf4j.ext; + +-import org.apache.commons.lang.text.StrLookup; ++import org.apache.commons.lang3.text.StrLookup; + import org.slf4j.MDC; + + /** --- slf4j-1.7.25/slf4j-site/src/site/pages/extensions.html 2016-12-22 19:54:23.000000000 +0100 +++ slf4j-1.7.25/slf4j-site/src/site/pages/extensions.html 2018-10-22 12:34:02.781643219 +0200 @@ -602,7 +602,7 @@ - where data is a reference to the EventData object.</p> - - <pre class="prettyprint source">import org.slf4j.MDC; --import org.apache.commons.lang.time.DateUtils; -+import org.apache.commons.lang3.time.DateUtils; - - import javax.servlet.Filter; - import javax.servlet.FilterConfig; + where data is a reference to the EventData object.</p> + + <pre class="prettyprint source">import org.slf4j.MDC; +-import org.apache.commons.lang.time.DateUtils; ++import org.apache.commons.lang3.time.DateUtils; + + import javax.servlet.Filter; + import javax.servlet.FilterConfig; @@ -832,7 +832,7 @@ - <p>Some classes may misbehave when being rendered with "object.toString()" so they may be explicitly disabled - in the logback configuration file permanently. For instance the ToStringBuilder in the Apache Jakarta commons lang - package is a prime candidate for this. For logback add this snippet to logback.xml: -- <pre><logger name="org.apache.commons.lang.builder" level="OFF" /></pre> -+ <pre><logger name="org.apache.commons.lang3.builder" level="OFF" /></pre> - </p> - - + <p>Some classes may misbehave when being rendered with "object.toString()" so they may be explicitly disabled + in the logback configuration file permanently. For instance the ToStringBuilder in the Apache Jakarta commons lang + package is a prime candidate for this. For logback add this snippet to logback.xml: +- <pre><logger name="org.apache.commons.lang.builder" level="OFF" /></pre> ++ <pre><logger name="org.apache.commons.lang3.builder" level="OFF" /></pre> + </p> + + --- slf4j-1.7.25/slf4j-site/src/site/pages/news.html 2017-03-16 17:16:09.000000000 +0100 +++ slf4j-1.7.25/slf4j-site/src/site/pages/news.html 2018-10-22 12:34:02.785643241 +0200 @@ -966,7 +966,7 @@ - used with Apache Commons Lang's <code>StrSubstitutor</code> class to - inject values in the SLF4J MDC into strings. Information on - StrSubstitutor can be found at <a -- href="http://commons.apache.org/lang/api-release/org/apache/commons/lang/text/StrSubstitutor.html";>StrSubstitutor -+ href="http://commons.apache.org/lang/api-release/org/apache/commons/lang3/text/StrSubstitutor.html";>StrSubstitutor - javadoc</a>. - </p> - + used with Apache Commons Lang's <code>StrSubstitutor</code> class to + inject values in the SLF4J MDC into strings. Information on + StrSubstitutor can be found at <a +- href="http://commons.apache.org/lang/api-release/org/apache/commons/lang/text/StrSubstitutor.html";>StrSubstitutor ++ href="http://commons.apache.org/lang/api-release/org/apache/commons/lang3/text/StrSubstitutor.html";>StrSubstitutor + javadoc</a>. + </p> +
