Tony Mancill pushed to branch master at Debian Java Maintainers / velocity
Commits: 765693d6 by tony mancill at 2021-03-16T20:37:42-07:00 Update Vcs URLs to point to Salsa - - - - - 8ca516ee by tony mancill at 2021-03-16T20:55:02-07:00 Patch for CVE-2020-13936 (Closes: #985220) - - - - - adc1b0d3 by tony mancill at 2021-03-16T21:07:54-07:00 Ship Apache NOTICE file with package - - - - - 1eb28765 by tony mancill at 2021-03-16T21:08:19-07:00 prepare changelog for upload to unstable - - - - - 5 changed files: - debian/changelog - debian/control - + debian/patches/CVE-2020-13936.patch - debian/patches/series - + debian/velocity.docs Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,12 @@ +velocity (1.7-6) unstable; urgency=high + + * Team upload. + * Update Vcs URLs to point to Salsa + * Patch for CVE-2020-13936 (Closes: #985220) + * Ship Apache NOTICE file with package + + -- tony mancill <tmanc...@debian.org> Tue, 16 Mar 2021 21:07:58 -0700 + velocity (1.7-5.1) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. ===================================== debian/control ===================================== @@ -26,8 +26,8 @@ Build-Depends-Indep: ant, libservlet3.1-java, libwerken.xpath-java Standards-Version: 3.9.8 -Vcs-Git: https://anonscm.debian.org/git/pkg-java/velocity.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/velocity.git +Vcs-Git: https://salsa.debian.org/java-team/velocity.git +Vcs-Browser: https://salsa.debian.org/java-team/velocity Homepage: http://velocity.apache.org/ Package: velocity ===================================== debian/patches/CVE-2020-13936.patch ===================================== 
@@ -0,0 +1,48 @@ +Description: patch for CVE-2020-13936; disallow ClassLoader, Thread, and subclasses +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985220 +Source: https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485 +Comment: patch adapted to apply against Velocity 1.7 + +--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java ++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java +@@ -121,6 +121,15 @@ + return true; + } + ++ /** ++ * Always disallow ClassLoader, Thread and subclasses ++ */ ++ if (ClassLoader.class.isAssignableFrom(clazz) || ++ Thread.class.isAssignableFrom(clazz)) ++ { ++ return false; ++ } ++ + /** + * check the classname (minus any array info) + * whether it matches disallowed classes or packages +--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties ++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +@@ -247,13 +247,9 @@ + + introspector.restrict.packages = java.lang.reflect + +-# The two most dangerous classes ++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl + + introspector.restrict.classes = java.lang.Class +-introspector.restrict.classes = java.lang.ClassLoader +- +-# Restrict these for extra safety +- + introspector.restrict.classes = java.lang.Compiler + introspector.restrict.classes = java.lang.InheritableThreadLocal + introspector.restrict.classes = java.lang.Package +@@ -262,7 +258,6 @@ + introspector.restrict.classes = java.lang.RuntimePermission + introspector.restrict.classes = java.lang.SecurityManager + introspector.restrict.classes = java.lang.System +-introspector.restrict.classes = java.lang.Thread + introspector.restrict.classes = java.lang.ThreadGroup + introspector.restrict.classes = java.lang.ThreadLocal + ===================================== debian/patches/series ===================================== 
@@ -1 +1,2 @@ 0001-fix-example-scripts.patch +CVE-2020-13936.patch ===================================== debian/velocity.docs ===================================== @@ -0,0 +1 @@ +NOTICE View it on GitLab: https://salsa.debian.org/java-team/velocity/-/compare/2d759d4219119074defc31e93f93310cb63a417e...1eb28765705512a868fd6507b06ca51e5e5208cb -- View it on GitLab: https://salsa.debian.org/java-team/velocity/-/compare/2d759d4219119074defc31e93f93310cb63a417e...1eb28765705512a868fd6507b06ca51e5e5208cb You're receiving this email because of your account on salsa.debian.org.
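Review bot: the `debian/changelog` entry for 1.7-6 does not say what the CVE-2020-13936 patch actually changes; since it alters the shipped default `velocity.properties` (dropping `java.lang.ClassLoader` and `java.lang.Thread` from `introspector.restrict.classes` in favour of an unconditional check in `SecureIntrospectorImpl`), a second line under `* Patch for CVE-2020-13936 (Closes: #985220)` describing that would help anyone auditing the upload. `urgency=high` is appropriate for a security fix.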
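Review bot: in the `debian/control` hunk `Vcs-Git` keeps the `.git` suffix while `Vcs-Browser` drops it, which is the usual Salsa form, so nothing to change there; the unchanged `Standards-Version: 3.9.8` visible in context is well behind current policy and could be bumped in a follow-up, but it is out of scope for a security upload.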
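Review bot: the new `isAssignableFrom` guard in `SecureIntrospectorImpl.java` lives in the secure introspector, so it only protects deployments that have enabled it, which is worth a sentence in the patch `Description:` or the changelog. Its placement is right: it sits after the `return true;` branches for the always-allowed types and before the class-name lookup, so it runs for every other target and cannot be bypassed by a subclass whose name is absent from `introspector.restrict.classes`, which is the point of the fix. On the DEP-3 header, `Source:` is not a DEP-3 field; use `Origin: backport, https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485` and add `Applied-Upstream:` and `Last-Update:` so the header parses cleanly.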
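Review bot: in the `velocity.properties` hunk the `introspector.restrict.classes` lines for `java.lang.ClassLoader` and `java.lang.Thread` are deleted rather than kept alongside the new Java check; retaining them is harmless (the hardcoded check makes them redundant, not conflicting) and keeps the restriction visible to anyone who reads the defaults file or copies it as a template, so consider keeping the two lines and only replacing the `# The two most dangerous classes` comment. Dropping them is safe only because the `isAssignableFrom` guard does not depend on configuration.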
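Review bot: the new entry in `debian/patches/series` is named `CVE-2020-13936.patch` while the existing one follows the numbered `0001-fix-example-scripts.patch` convention; naming it `0002-CVE-2020-13936.patch` (and the file under `debian/patches/` to match) keeps the series ordering self-describing.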
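Review bot: `debian/velocity.docs` lists `NOTICE` relative to the source root, which is what `dh_installdocs` expects, and this is the right mechanism since the Apache-2.0 licence requires the NOTICE file to accompany redistributions; no change to `debian/copyright` is needed for it.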
_______________________________________________ pkg-java-commits mailing list pkg-java-comm...@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits