svn commit: r30873 - /release/felix/
Author: cziegeler Date: Tue Nov 13 11:02:43 2018 New Revision: 30873 Log: SCR 2.1.14 Added: release/felix/org.apache.felix.scr-2.1.14-javadoc.jar (with props) release/felix/org.apache.felix.scr-2.1.14-javadoc.jar.asc (with props) release/felix/org.apache.felix.scr-2.1.14-javadoc.jar.sha1 (with props) release/felix/org.apache.felix.scr-2.1.14-javadoc.jar.sha512 (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.tar.gz (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.tar.gz.asc (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.tar.gz.sha1 (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.tar.gz.sha512 (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.zip (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.zip.asc (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.zip.sha1 (with props) release/felix/org.apache.felix.scr-2.1.14-source-release.zip.sha512 (with props) release/felix/org.apache.felix.scr-2.1.14-sources.jar (with props) release/felix/org.apache.felix.scr-2.1.14-sources.jar.asc (with props) release/felix/org.apache.felix.scr-2.1.14-sources.jar.sha1 (with props) release/felix/org.apache.felix.scr-2.1.14-sources.jar.sha512 (with props) release/felix/org.apache.felix.scr-2.1.14.jar (with props) release/felix/org.apache.felix.scr-2.1.14.jar.asc (with props) release/felix/org.apache.felix.scr-2.1.14.jar.sha1 (with props) release/felix/org.apache.felix.scr-2.1.14.jar.sha512 (with props) release/felix/org.apache.felix.scr-2.1.14.pom (with props) release/felix/org.apache.felix.scr-2.1.14.pom.asc (with props) release/felix/org.apache.felix.scr-2.1.14.pom.sha1 (with props) release/felix/org.apache.felix.scr-2.1.14.pom.sha512 (with props) Removed: release/felix/org.apache.felix.scr-2.1.12-javadoc.jar release/felix/org.apache.felix.scr-2.1.12-javadoc.jar.asc release/felix/org.apache.felix.scr-2.1.12-javadoc.jar.sha1 
release/felix/org.apache.felix.scr-2.1.12-javadoc.jar.sha512 release/felix/org.apache.felix.scr-2.1.12-source-release.tar.gz release/felix/org.apache.felix.scr-2.1.12-source-release.tar.gz.asc release/felix/org.apache.felix.scr-2.1.12-source-release.tar.gz.sha1 release/felix/org.apache.felix.scr-2.1.12-source-release.tar.gz.sha512 release/felix/org.apache.felix.scr-2.1.12-source-release.zip release/felix/org.apache.felix.scr-2.1.12-source-release.zip.asc release/felix/org.apache.felix.scr-2.1.12-source-release.zip.sha1 release/felix/org.apache.felix.scr-2.1.12-source-release.zip.sha512 release/felix/org.apache.felix.scr-2.1.12-sources.jar release/felix/org.apache.felix.scr-2.1.12-sources.jar.asc release/felix/org.apache.felix.scr-2.1.12-sources.jar.sha1 release/felix/org.apache.felix.scr-2.1.12-sources.jar.sha512 release/felix/org.apache.felix.scr-2.1.12.jar release/felix/org.apache.felix.scr-2.1.12.jar.asc release/felix/org.apache.felix.scr-2.1.12.jar.sha1 release/felix/org.apache.felix.scr-2.1.12.jar.sha512 release/felix/org.apache.felix.scr-2.1.12.pom release/felix/org.apache.felix.scr-2.1.12.pom.asc release/felix/org.apache.felix.scr-2.1.12.pom.sha1 release/felix/org.apache.felix.scr-2.1.12.pom.sha512 Added: release/felix/org.apache.felix.scr-2.1.14-javadoc.jar == Binary file - no diff available. Propchange: release/felix/org.apache.felix.scr-2.1.14-javadoc.jar -- svn:executable = * Propchange: release/felix/org.apache.felix.scr-2.1.14-javadoc.jar -- svn:mime-type = application/octet-stream Added: release/felix/org.apache.felix.scr-2.1.14-javadoc.jar.asc == --- release/felix/org.apache.felix.scr-2.1.14-javadoc.jar.asc (added) +++ release/felix/org.apache.felix.scr-2.1.14-javadoc.jar.asc Tue Nov 13 11:02:43 2018 
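Review bot: the Propchange entries for release/felix/org.apache.felix.scr-2.1.14-javadoc.jar set svn:executable = * on a file whose svn:mime-type is application/octet-stream. A javadoc jar in the release directory has no reason to carry the executable bit; drop the property (svn propdel svn:executable) before the artifacts are mirrored. The Added list also publishes a .sha1 next to every .sha512; the .sha512 file is the one to point consumers at for integrity checks, with the .asc signature as the authenticity check.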
svn commit: r1846501 - in /felix/trunk/webconsole: ./ src/main/java/org/apache/felix/webconsole/internal/servlet/ src/test/java/org/apache/felix/webconsole/internal/servlet/
Author: cziegeler Date: Tue Nov 13 10:38:33 2018 New Revision: 1846501 URL: http://svn.apache.org/viewvc?rev=1846501=rev Log: FELIX-5934 : The Felix Web Console stores unsalted hashed password. Apply patch from Antonio Sanso Added: felix/trunk/webconsole/src/test/java/org/apache/felix/webconsole/internal/servlet/ felix/trunk/webconsole/src/test/java/org/apache/felix/webconsole/internal/servlet/PasswordTest.java (with props) Modified: felix/trunk/webconsole/changelog.txt felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/Password.java Modified: felix/trunk/webconsole/changelog.txt URL: http://svn.apache.org/viewvc/felix/trunk/webconsole/changelog.txt?rev=1846501=1846500=1846501=diff == --- felix/trunk/webconsole/changelog.txt (original) +++ felix/trunk/webconsole/changelog.txt Tue Nov 13 10:38:33 2018 @@ -1,9 +1,15 @@ +Changes in 4.3.10 +- +** Improvement +* [FELIX-5934] - The web console stores unsalted hashed password + + Changes in 4.3.8 ** Improvement -* [5901] - Update to latest jQuery UI 1.12.1 +* [FELIX-5901] - Update to latest jQuery UI 1.12.1 ** Bug -* [5893] - JQuery Security bug CVE-2015-9251 in Web Console +* [FELIX-5893] - JQuery Security bug CVE-2015-9251 in Web Console Changes from 4.3.2 to 4.3.4 Modified: felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/Password.java URL: http://svn.apache.org/viewvc/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/Password.java?rev=1846501=1846500=1846501=diff == --- felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/Password.java (original) +++ felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/Password.java Tue Nov 13 10:38:33 2018 
@@ -19,10 +19,10 @@ package org.apache.felix.webconsole.internal.servlet; +import java.math.BigInteger; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.Arrays; - +import java.security.SecureRandom; /** * The Password class encapsulates encoding and decoding @@ -31,22 +31,29 @@ import java.util.Arrays; * Encoded hashed passwords are strings of the form * {hashAlgorithm}base64-encoded-password-hash where * hashAlgorithm is the name of the hash algorithm used to hash - * the password and base64-encoded-password-hash is the password - * hashed with the indicated hash algorithm and subsequently encoded in - * Base64. + * the password and password is the password + * hashed with the indicated hash algorithm. */ class Password { // the default hash algorithm (part of the Java Platform since 1.4) private static final String DEFAULT_HASH_ALGO = "SHA-256"; + +private static final char DELIMITER = '-'; + +private static final int NO_ITERATIONS = 1; + +private static final int DEFAULT_ITERATIONS = 1000; + +public static final int DEFAULT_SALT_SIZE = 8; // the hash algorithm used to hash the password or null // if the password is not hashed at all private final String hashAlgo; // the hashed or plain password -private final byte[] password; +private final String password; /** 
@@ -73,18 +80,16 @@ class Password */ static String hashPassword( final String textPassword ) { -final byte[] bytePassword = Base64.getBytesUtf8( textPassword ); -return hashPassword( DEFAULT_HASH_ALGO, bytePassword ); +String salt = generateSalt(DEFAULT_SALT_SIZE); +return hashPassword( DEFAULT_HASH_ALGO, DEFAULT_ITERATIONS, salt, textPassword ); } - Password( String textPassword ) { this.hashAlgo = getPasswordHashAlgorithm( textPassword ); -this.password = getPasswordBytes( textPassword ); +this.password = getPassword(textPassword); } - /** * Returns {@code true} if this password matches the password * {@code toCompare}. If this password is hashed, the {@code toCompare} @@ -97,32 +102,47 @@ class Password */ boolean matches( final byte[] toCompare ) { -return Arrays.equals( this.password, hashPassword( toCompare, this.hashAlgo ) ); +if (this.hashAlgo != null) +{ +int startPos = 0; +String salt = extractSalt(this.password, startPos); +int iterations = NO_ITERATIONS; +if (salt != null) +{ +startPos += salt.length()+1; +iterations = extractIterations(this.password, startPos); + +} +String hash = hashPassword(this.hashAlgo, iterations, salt, new String(toCompare)); +final StringBuilder buf = new StringBuilder(); +
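Review bot: in the constants added at the top of Password (hunk @@ -31,22 +31,29 @@), DEFAULT_ITERATIONS = 1000 over DEFAULT_HASH_ALGO "SHA-256" is a low work factor for a stored console password, and a salted, iterated digest is a custom construction. Consider PBKDF2WithHmacSHA256 through javax.crypto.SecretKeyFactory, where the target Java level provides it, with a much higher iteration count, and state the unit of DEFAULT_SALT_SIZE = 8: if it is bytes, that is a 64-bit salt, below the 128 bits NIST SP 800-132 recommends. The class Javadoc in the same hunk still gives the format as {hashAlgorithm}base64-encoded-password-hash and does not say where the salt and iteration count sit around DELIMITER '-'; document the stored layout so existing configurations can be read and migrated.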
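Review bot: in matches() (hunk @@ -97,32 +102,47 @@), new String(toCompare) decodes the submitted password with the platform default charset, while the removed hashPassword path went through Base64.getBytesUtf8; a non-ASCII password can then hash differently on hosts with different default encodings. Pass the charset explicitly, for example new String(toCompare, StandardCharsets.UTF_8), or the "UTF-8" name on older Java levels. In the same block a stored value with no salt keeps iterations = NO_ITERATIONS, so existing unsalted hashes continue to verify unchanged; the changelog entry should say that stored passwords have to be re-hashed to get the salted format. The rest of the method is cut off here, so the final comparison could not be reviewed.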
svn commit: r1846502 - in /felix/site/trunk/content: downloads.list news.mdtext
Author: cziegeler Date: Tue Nov 13 11:05:12 2018 New Revision: 1846502 URL: http://svn.apache.org/viewvc?rev=1846502=rev Log: SCR 2.1.14 Modified: felix/site/trunk/content/downloads.list felix/site/trunk/content/news.mdtext Modified: felix/site/trunk/content/downloads.list URL: http://svn.apache.org/viewvc/felix/site/trunk/content/downloads.list?rev=1846502=1846501=1846502=diff == --- felix/site/trunk/content/downloads.list (original) +++ felix/site/trunk/content/downloads.list Tue Nov 13 11:05:12 2018 @@ -89,7 +89,7 @@ OSGi OBR service API|org.osgi.service.ob Preferences|org.apache.felix.prefs|1.1.0 Remote Shell|org.apache.felix.shell.remote|1.1.2|project||doc/changelog.txt Resolver|org.apache.felix.resolver|2.0.0|||doc/changelog.txt -SCR (Declarative Services)|org.apache.felix.scr|2.1.12 +SCR (Declarative Services)|org.apache.felix.scr|2.1.14 SCR Compat (Declarative Services)|org.apache.felix.scr.compat|1.0.4 SCR Annotations|org.apache.felix.scr.annotations|1.12.0 SCR DS Annotations|org.apache.felix.scr.ds-annotations|1.2.10 @@ -137,4 +137,4 @@ SCR Ant Task|org.apache.felix.scr.ant|1. # This list is sorted by the title before writing the table # Format: title|artifactId|version[|classifier[|extension]] SCR bnd Plugin|org.apache.felix.scr.bnd|1.9.0 -SCR Ext Anno|org.apache.felix.scr.ext.anno|1.0.0 \ No newline at end of file +SCR Ext Anno|org.apache.felix.scr.ext.anno|1.0.0 Modified: felix/site/trunk/content/news.mdtext URL: http://svn.apache.org/viewvc/felix/site/trunk/content/news.mdtext?rev=1846502=1846501=1846502=diff == --- felix/site/trunk/content/news.mdtext (original) +++ felix/site/trunk/content/news.mdtext Tue Nov 13 11:05:12 2018 @@ -1,5 +1,6 @@ Title: News +* Apache Felix SCR 2.1.14 released (November 13th, 2018) * Apache Felix Dependency Manager r13 (October 22nd, 2018) * Apache Felix Felix Http SSL Filter 1.2.6 released (October 18th, 2018) * Apache Felix SCR 2.1.12 released (October 17th, 2018) 
@@ -394,4 +395,4 @@ Title: News * Feathercast [podcast](http://feathercast.org/?p=46) about Felix released. (May 23, 2007) * Felix has graduated into a top level project! * The Felix 0.8.0-incubator release is now available in the http://felix.apache.org/site/downloads.cgi;>downloads section. -* Felix has its own website! (July 17, 2006) \ No newline at end of file +* Felix has its own website! (July 17, 2006)
svn commit: r1036894 - in /websites/staging/felix/trunk/content: ./ downloads.html news.html
Author: buildbot Date: Tue Nov 13 11:05:56 2018 New Revision: 1036894 Log: Staging update by buildbot for felix Modified: websites/staging/felix/trunk/content/ (props changed) websites/staging/felix/trunk/content/downloads.html websites/staging/felix/trunk/content/news.html Propchange: websites/staging/felix/trunk/content/ -- --- cms:source-revision (original) +++ cms:source-revision Tue Nov 13 11:05:56 2018 @@ -1 +1 @@ -1844753 +1846502 Modified: websites/staging/felix/trunk/content/downloads.html == --- websites/staging/felix/trunk/content/downloads.html (original) +++ websites/staging/felix/trunk/content/downloads.html Tue Nov 13 11:05:56 2018 
@@ -543,9 +543,9 @@ h2:hover > .headerlink, h3:hover > .head SCR (Declarative Services) -2.1.12 (http://svn.apache.org/repos/asf/felix/releases/org.apache.felix.scr-2.1.12/changelog.txt;>changes) -jar (http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.12.jar.asc;>asc, http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.12.jar.sha1;>sha1) -tar.gz (http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.12-source-release.tar.gz.asc;>asc, http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.12-source-release.tar.gz.sha1;>sha1) zip (http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.12-source-release.zip.asc;>asc, http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.12-source-release.zip.sha1;>sha1) +2.1.14 (http://svn.apache.org/repos/asf/felix/releases/org.apache.felix.scr-2.1.14/changelog.txt;>changes) +jar (http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.14.jar.asc;>asc, http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.14.jar.sha1;>sha1) +tar.gz (http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.14-source-release.tar.gz.asc;>asc, http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.14-source-release.tar.gz.sha1;>sha1) zip (http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.14-source-release.zip.asc;>asc, http://www.apache.org/dist/felix/org.apache.felix.scr-2.1.14-source-release.zip.sha1;>sha1) SCR Annotations @@ -823,7 +823,7 @@ the http://archive.apache.org/d -Rev. 1844590 by pderop on Mon, 22 Oct 2018 17:23:35 + +Rev. 1846502 by cziegeler on Tue, 13 Nov 2018 11:05:12 + Apache Felix, Felix, Apache, the Apache feather logo, and the Apache Felix project Modified: websites/staging/felix/trunk/content/news.html == --- websites/staging/felix/trunk/content/news.html (original) +++ websites/staging/felix/trunk/content/news.html Tue Nov 13 11:05:56 2018 
@@ -89,6 +89,7 @@ h2:hover > .headerlink, h3:hover > .head } h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible } +Apache Felix SCR 2.1.14 released (November 13th, 2018) Apache Felix Dependency Manager r13 (October 22nd, 2018) Apache Felix Felix Http SSL Filter 1.2.6 released (October 18th, 2018) Apache Felix SCR 2.1.12 released (October 17th, 2018) @@ -486,7 +487,7 @@ h2:hover > .headerlink, h3:hover > .head Felix has its own website! (July 17, 2006) -Rev. 1844589 by pderop on Mon, 22 Oct 2018 17:21:41 + +Rev. 1846502 by cziegeler on Tue, 13 Nov 2018 11:05:12 + Apache Felix, Felix, Apache, the Apache feather logo, and the Apache Felix project
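Review bot: in the downloads.html hunk, the updated SCR (Declarative Services) row links only asc and sha1 for the jar, tar.gz and zip, and every link is an http://www.apache.org/dist/felix/ URL, although r30873 above publishes .sha512 files for the same artifacts. Because this file is generated ("Staging update by buildbot"), change the download template so the row links the sha512 checksums and uses https URLs for signatures and checksums, rather than editing the staged HTML.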