Tony Mancill pushed to branch master at Debian Java Maintainers / velocity


Commits:
765693d6 by tony mancill at 2021-03-16T20:37:42-07:00
Update Vcs URLs to point to Salsa

- - - - -
8ca516ee by tony mancill at 2021-03-16T20:55:02-07:00
Patch for CVE-2020-13936 (Closes: #985220)

- - - - -
adc1b0d3 by tony mancill at 2021-03-16T21:07:54-07:00
Ship Apache NOTICE file with package

- - - - -
1eb28765 by tony mancill at 2021-03-16T21:08:19-07:00
prepare changelog for upload to unstable

- - - - -


5 changed files:

- debian/changelog
- debian/control
- + debian/patches/CVE-2020-13936.patch
- debian/patches/series
- + debian/velocity.docs


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+velocity (1.7-6) unstable; urgency=high
+
+  * Team upload.
+  * Update Vcs URLs to point to Salsa
+  * Patch for CVE-2020-13936 (Closes: #985220)
+  * Ship Apache NOTICE file with package
+
+ -- tony mancill <tmanc...@debian.org>  Tue, 16 Mar 2021 21:07:58 -0700
+
 velocity (1.7-5.1) unstable; urgency=medium
 
   * Non maintainer upload by the Reproducible Builds team.


=====================================
debian/control
=====================================
@@ -26,8 +26,8 @@ Build-Depends-Indep: ant,
                      libservlet3.1-java,
                      libwerken.xpath-java
 Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/velocity.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/velocity.git
+Vcs-Git: https://salsa.debian.org/java-team/velocity.git
+Vcs-Browser: https://salsa.debian.org/java-team/velocity
 Homepage: http://velocity.apache.org/
 
 Package: velocity


=====================================
debian/patches/CVE-2020-13936.patch
=====================================
@@ -0,0 +1,48 @@
+Description: patch for CVE-2020-13936; disallow ClassLoader, Thread, and 
subclasses
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985220
+Source: 
https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
+Comment: patch adapted to apply against Velocity 1.7
+
+--- 
a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ 
b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@
+             return true;
+         }
+ 
++       /**
++       * Always disallow ClassLoader, Thread and subclasses
++       */
++        if (ClassLoader.class.isAssignableFrom(clazz) ||
++                Thread.class.isAssignableFrom(clazz))
++        {
++            return false;
++        }
++
+         /**
+          * check the classname (minus any array info)
+          * whether it matches disallowed classes or packages
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -247,13 +247,9 @@
+ 
+ introspector.restrict.packages = java.lang.reflect
+ 
+-# The two most dangerous classes
++## ClassLoader, Thread, and subclasses disabled by default in 
SecureIntrospectorImpl
+ 
+ introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-                
+-# Restrict these for extra safety
+-
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,7 +258,6 @@
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+ 
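Review bot: the DEP-3 header at the top of this hunk carries the upstream commit URL in a `Source:` field, which DEP-3 does not define; use `Origin: backport, https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485` (and consider adding `Last-Update:` and `Applied-Upstream:`), since that is the field Debian tooling parses. On the substance, the `isAssignableFrom` check added to SecureIntrospectorImpl is the right place for the fix: the existing check below it matches on the class name only, so the name-based `introspector.restrict.classes` entries never covered subclasses of `ClassLoader` or `Thread`, and the new test does. Dropping the two `java.lang.ClassLoader` and `java.lang.Thread` lines from velocity.properties is consistent with that, but it makes the shipped defaults depend on SecureIntrospectorImpl being the introspector in use; keeping those two lines as well would cost nothing and leave the defaults self-contained. Minor style: the new comment block uses Javadoc `/**` inside a method body and is indented one column less than the `if` it describes.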


=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
 0001-fix-example-scripts.patch
+CVE-2020-13936.patch


=====================================
debian/velocity.docs
=====================================
@@ -0,0 +1 @@
+NOTICE



View it on GitLab: 
https://salsa.debian.org/java-team/velocity/-/compare/2d759d4219119074defc31e93f93310cb63a417e...1eb28765705512a868fd6507b06ca51e5e5208cb



_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits
