trouble building top level axis2 with jdk11 with source and target set to jdk1.8
Hello everyone,

I just tried to build axis2 1.7.9 on linux with openJDK11. I am running into some problems and need a little help/guidance please.

First, I saw that in the top level pom we have:

    maven-compiler-plugin true 1.5 1.5

I had to change the 1.5 to 1.8. Then I got the error:

    [ERROR] /home/marlowa/mystuff/axis2-build/axis2-1.7.9/modules/adb/src/org/apache/axis2/rpc/receivers/ejb/EJBUtil.java:[161,37] package javax.rmi does not exist

I note that rmi is removed in JDK11. Does this mean that axis2 must be built in older versions, e.g. 1.8?

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: trouble building top level axis2 with jdk11 with source and target set to jdk1.8
Hello Robert, thank you for your quick reply. But now there is another problem:

I just tried building the latest via git clone and got this weird permission error:

    Building: AXIS2-5782/pom.xml
    The build exited with code 100. See /home/marlowa/mystuff/axis2-build/latest-from-git/axis-axis2-java-core/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log for details.
    AXIS2-5782/pom.xml ... FAILED

That logfile has this error in it:

    java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/maven/bin/m2.conf" "read")

On my linux mint 20 machine that file is a symbolic link to /etc/maven/m2.conf, a file to which everyone has read access. I have a feeling that the permission denied error is due to the violation of some java security policy, maybe because it requires access to this file which is outside of the build directory. Does anyone have any ideas please?

On Thu, 25 Feb 2021 at 15:37, robertlazarski wrote:
> Axis2 1.7.9 will not build on JDK 11 for a few reasons such as the removal
> of XDoclet.
>
> The latest Axis2 trunk from our git repo does build on JDK 11 ... maybe
> later too, I haven't got to that yet.
>
> git clone https://github.com/apache/axis-axis2-java-core.git
>
> Currently in git the Javac source is set to 1.7, I tried setting it to 1.8
> and it built fine for me on JDK 11.
>
> I can't think of a good reason not to bump the source requirement up to
> 1.8 so if there are no objections on this list I suggest we do that.

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
axis2 git clone owasp build problem with com:sun:tools jar
Hello everyone,

I am trying to find out what CVE issues there are with axis2. I am using the owasp maven plugin. With the appropriate plugin section added to the pom I get a build error:

    [INFO] ----< org.apache.axis2:axis2-jibx >----
    [INFO] Building Apache Axis2 - JiBX Data Binding 1.8.0-SNAPSHOT [29/85]
    [INFO] ----[ jar ]----
    [INFO]
    [INFO] --- dependency-check-maven:5.2.4:check (default-cli) @ axis2-jibx ---
    [ERROR] Unable to resolve system scoped dependency: com.sun:tools:jar:1.8.0:system

It looks like there is a dependency on com.sun.tools. This is shown by the maven dependency analyser which reports:

    [INFO] +- org.apache.ant:ant:jar:1.10.9:test
    [INFO] |  +- org.apache.ant:ant-launcher:jar:1.10.9:test
    [INFO] |  \- com.sun:tools:jar:1.8.0:system

Can anyone shed any light on this error please?

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
axis2 1.7.9 CVEs as reported by owasp: still using log4j version 1 and spring framework 2.5.1
Hello everyone,

I have noticed that axis2 depends on log4j version 1 and spring framework 2.5.1. These have significant CVEs. Are there any plans for axis2 to move off these vulnerable components please?

    log4j-v1
        Apache Axis2 - Transport - testkit
        Apache Axis2 - tool - WSDL2Code Maven Plugin
    spring-core-2.5.1
        Apache Axis2 - spring

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: trouble building top level axis2 with jdk11 with source and target set to jdk1.8
On Fri, 26 Feb 2021 at 15:26, robertlazarski wrote:
> That's a maven error beyond the scope of axis2, but anyways what do these
> commands show?
>
> ls -l /etc/maven/m2.conf
> whoami
> groups

On my linux mint 20 machine that file is a symbolic link to /etc/maven/m2.conf, a file to which everyone has read access. I've also updated the jre java security policy config to give everyone read access to this file. It makes no difference.

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: trouble building top level axis2 with jdk11 with source and target set to jdk1.8
On Fri, 26 Feb 2021 at 16:06, robertlazarski wrote:
>> On my linux mint 20 machine that file is a symbolic link to
>> /etc/maven/m2.conf, a file to which everyone has read access.
>>
>> I've also updated the jre java security policy config to give everyone
>> read access to this file. It makes no difference.
>
> I suspect an issue with selinux, I suggest trying "setenforce 0" to debug.

I tried building as root. That made the error go away. Hmm. But then the next problem was a dependency issue in Apache Axis2 - Transport - HTTP - Commons HttpClient 3.x where it failed with the error:

    [ERROR] Failed to execute goal on project axis2-transport-http-hc: Could not resolve dependencies for project org.apache.axis2:axis2-transport-http-hc3:jar:1.8.0-SNAPSHOT: Could not find artifact org.apache.axis2:axis2-transport-http:jar:tests:1.8.0-SNAPSHOT in apache.snapshots (https://repository.apache.org/snapshots)

> I am not a mint user however the /var/log/auth* or /var/log/secure* logs
> may have some clues. Axis2 builds fine for me on Centos 7 and OpenSuse.

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency
Hello everyone,

I've discovered that a dependency in the axis2 clustering component makes axis2 vulnerable to CVE-2020-0822, filed against tomcat, which has a NIST score of 8.4 high.

A maven dependency analysis shows this:

    [INFO] +- org.apache.axis2:axis2-clustering:jar:1.8.0-SNAPSHOT:compile
    [INFO] |  +- org.apache.tomcat:tribes:jar:6.0.53:compile
    [INFO] |  \- org.apache.tomcat:juli:jar:6.0.53:compile

I don't understand why axis2 depends on tomcat. Can someone explain please?

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
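Both of the "where does this come from" questions in this thread (the system-scoped com.sun:tools jar reported under axis2-jibx in the owasp build problem post, and the tomcat tribes/juli jars under axis2-clustering here) are answered by reading the `mvn dependency:tree` output. The following is an added Python example, not code from the Axis2 project or from anyone on this list, that parses that layout into a tree, prints the root-to-artifact chain for a groupId, and lists every system-scoped dependency. The sample tree is constructed from coordinates quoted in this thread; the root org.example:sample-app is a hypothetical module standing in for whichever module is being analysed.

```python
import re

# Constructed sample in the layout `mvn dependency:tree` prints, assembled from
# coordinates quoted in this thread; the root org.example:sample-app is a
# hypothetical module, not an Axis2 artifact.
SAMPLE_TREE = r"""[INFO] org.example:sample-app:jar:1.0
[INFO] +- org.apache.axis2:axis2-clustering:jar:1.8.0-SNAPSHOT:compile
[INFO] |  +- org.apache.tomcat:tribes:jar:6.0.53:compile
[INFO] |  \- org.apache.tomcat:juli:jar:6.0.53:compile
[INFO] \- org.apache.ant:ant:jar:1.10.9:test
[INFO]    +- org.apache.ant:ant-launcher:jar:1.10.9:test
[INFO]    \- com.sun:tools:jar:1.8.0:system
"""

# Maven log prefix, with or without the colour residue ("INFO [m]") that is
# left behind when ANSI escapes are stripped from a captured log.
PREFIX_RE = re.compile(r"^(?:\[INFO\]|INFO\s*\[m\])\s?")
# Tree drawing: every nesting level is three columns ("|  " or "   ") and a
# node is introduced by "+- " or "\- "; the root line carries no marker.
MARKER_RE = re.compile(r"^[| ]*([+\\])- ")
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_coords(text):
    """groupId:artifactId:type[:classifier]:version[:scope] -> dict."""
    parts = text.split(":")
    scope = parts.pop() if parts[-1] in SCOPES else None
    return {
        "group": parts[0],
        "artifact": parts[1],
        "type": parts[2],
        "classifier": parts[3] if len(parts) == 5 else None,
        "version": parts[-1],
        "scope": scope,
    }


def parse_tree(text):
    """Return nodes in print order; each carries its depth and parent index."""
    nodes, stack = [], []  # stack[d] = index of the current ancestor at depth d
    for raw in text.splitlines():
        body = PREFIX_RE.sub("", raw)
        if not body.strip():
            continue
        m = MARKER_RE.match(body)
        if m is None:  # the root artifact has no tree marker
            depth, coords = 0, body.strip()
        else:
            depth, coords = m.start(1) // 3 + 1, body[m.end():].strip()
        node = parse_coords(coords)
        node["depth"] = depth
        del stack[depth:]  # drop finished siblings and their descendants
        node["parent"] = stack[-1] if stack else None
        stack.append(len(nodes))
        nodes.append(node)
    return nodes


def label(node):
    return f"{node['group']}:{node['artifact']}:{node['version']}"


def path_to(nodes, index):
    """Root-to-node chain of labels for the node at `index`."""
    chain = []
    while index is not None:
        chain.append(label(nodes[index]))
        index = nodes[index]["parent"]
    return chain[::-1]


def find_paths(nodes, group, artifact=None):
    """One root-to-node chain per node from `group` (optionally one artifact)."""
    return [
        path_to(nodes, i)
        for i, n in enumerate(nodes)
        if n["group"] == group and (artifact is None or n["artifact"] == artifact)
    ]


def system_scoped(nodes):
    """System scope means the jar comes from a local systemPath, not a repository,
    which is why a scanner that wants to fetch it cannot resolve it."""
    return [label(n) for n in nodes if n["scope"] == "system"]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for path in find_paths(tree, "org.apache.tomcat"):
        print(" -> ".join(path))
    print("system scoped:", system_scoped(tree))
```

On a real build, capture the tree with `mvn dependency:tree > tree.txt` and pass the file's text to parse_tree; the chain returned for a flagged artifact tells you which direct dependency to exclude (for an optional component such as clustering) or to bump when a scanner reports a CVE against a transitive jar.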
Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency
Hello Andreas,

Yes, it's true that the clustering component is optional. However, my concern is not about whether one is actually exposed to the CVE, my concern is that the analysis tools think that the software is exposed. When a project that uses axis is analysed by Black Duck it reports the vulnerability. The question is, what to do? The question that sprung to my mind when I first saw this Black Duck report was "but *why* does axis2 depend on tomcat?".

On Sun, 7 Mar 2021 at 12:25, Andreas Veithen-Knowles <andreas.veit...@gmail.com> wrote:
> Note that the clustering component is optional. You can remove it if you
> don't need it.
>
> Andreas

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: trouble building top level axis2 with jdk11 with source and target set to jdk1.8
Yes, I have the stack trace, sorry about the delay.

    /home/marlowa/mystuff/axis2-build/latest-from-git/axis-axis2-java-core: cat /home/marlowa/mystuff/axis2-build/latest-from-git/axis-axis2-java-core/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
    java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/maven/bin/m2.conf" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:886)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at com.github.veithen.hermetic.HermeticSecurityManager.checkPermission(HermeticSecurityManager.java:58)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
        at java.io.FileInputStream.<init>(FileInputStream.java:127)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:381)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)

On Sat, 27 Feb 2021 at 13:33, Andreas Veithen-Knowles <andreas.veit...@gmail.com> wrote:
> On Fri, Feb 26, 2021 at 9:45 AM Andrew Marlow wrote:
>> Hello Robert, thank you for your quick reply. But now there is another
>> problem:
>>
>> I just tried building the latest via git clone and got this weird
>> permission error:
>>
>> Building: AXIS2-5782/pom.xml
>> The build exited with code 100. See
>> /home/marlowa/mystuff/axis2-build/latest-from-git/axis-axis2-java-core/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>> for details.
>> AXIS2-5782/pom.xml ... FAILED
>>
>> That logfile has this error in it:
>>
>> java.security.AccessControlException: access denied
>> ("java.io.FilePermission" "/usr/share/maven/bin/m2.conf" "read")
>
> Do you have a full stack trace?

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: Outstanding items for the next Axis2 release
Hello Robert and thank you for sending this note about the next axis2 release.

axis2 depends on tomcat version 6.0.53 via the clustering component. Now I know that the clustering component is optional, in that if one chooses not to use it then it can be omitted from jars and then one does not depend on it, but nonetheless, owasp and Black Duck dependency analysis shows the dependency. They show that there is a CVE, CVE-2020-8022, which is ranked by NIST as 8.4 high. Thus, projects that use axis2 get this vulnerability reported against them. The CVE reporting tools do not know if your project, configuration, and environment have taken the decision not to use that part of axis2. They go by the dependency.

I hope someone can explain why there is this dependency please and what can be done to address the reporting of this CVE. According to https://nvd.nist.gov/vuln/detail/CVE-2020-8022:

    This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1.

If this dependency has to be there maybe a more recent version could be used please?

On Mon, 8 Mar 2021 at 16:29, robertlazarski wrote:
> All,
>
> Please take this opportunity to indicate anything you would like to see in
> the next Axis2 release.
>
> There are no known open CVE issues in any Axis project git repo. Prompt
> attention to any issue raised by secur...@apache.org is the project's
> highest priority.
>
> For me personally, I'd like to remove the support for commons httpclient
> 3.x and only support 4.x.
>
> I'm also curious if anyone is using Axis2 for JSON. That is primarily how
> I use Axis2 at this point, via the GSON support.
>
> I spent this last quarter switching my day job to use Moshi internally
> instead of GSON since the latter has largely stopped development and the
> former uses less memory.
>
> I mention that because I expect to have more time for Axis2 these next few
> months and could possibly contribute Moshi support.
>
> Also, spring boot is becoming quite popular and the Axis2 setup is harder
> than it should be. Just like to know if anyone is using Axis2 in spring
> boot.
>
> Regards,
> Robert

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
axis2, tomcat tribes and artifact relocation
Hello Axis2 developers,

Looking at the top level pom where we have the dependency on tomcat tribes I see that the latest version is in use, 6.0.53. This version was released April 2017. However, looking at where this is in a typical maven repo, at https://mvnrepository.com/artifact/org.apache.tomcat/tribes, I see that the artifact has relocated. It has changed from org.apache.tomcat to tomcat-tribes. Nipping over to the new place at https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-tribes I see there has been more development and the latest release is 10.0.2, release date Feb 2021.

CVE-2020-8022 applies to tomcat 6.0.53 which has a score of 8.4 high from NIST. The NIST report says this is still undergoing analysis so it is unclear what version, if any, it is fixed in. However, surely the best thing to do in order to close the vulnerability is to move to the latest version, 10.0.2. I know this has a CVE as well, CVE-2021-25329, but that has only very recently been filed. I'm sure that there will be a version after 10.0.2 that addresses it.

What do people think about moving over to version 10.0.2 please?

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
build error with JDK8 to do with permissions
Hello everyone,

I just did a git clone to get the latest (what will presumably become 1.8.0) and tried "mvn install". I got the error shown below. I don't get it when I run the build as root but IMO building as root should not be a requirement.

    /home/marlowa/mystuff/axis2-build/latest-from-git/axis-axis2-java-core: cat /home/marlowa/mystuff/axis2-build/latest-from-git/axis-axis2-java-core/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
    java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/maven/bin/m2.conf" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:886)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at com.github.veithen.hermetic.HermeticSecurityManager.checkPermission(HermeticSecurityManager.java:58)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
        at java.io.FileInputStream.<init>(FileInputStream.java:127)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:381)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
what will be 1.8.0 from git clone has several CVEs including one from ant-plugin
Hello everyone,

When I build axis2 as root the build now completes ok (avoiding that strange permission denied problem). So I am now able to do a full owasp and maven dependency tree analysis. I am pleased to say that this shows that the CVEs from tomcat 6 are gone, since it now depends on tomcat 10. Great!

However, the dependency on the ant-plugin seems to have crept back in. Below are the CVEs reported by owasp:

    axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT, cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
    axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
    axis2-xmlbeans-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
    axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans-codegen@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
    commons-httpclient-3.1.jar (pkg:maven/commons-httpclient/commons-httpclient@3.1, cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*, cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
    failureaccess-1.0.1.jar (pkg:maven/com.google.guava/failureaccess@1.0.1, cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908
    org.eclipse.ui.ide-3.17.100.v20200530-0835.jar (pkg:maven/osgi.bundle/org.eclipse.ui.ide@3.17.100.v20200530-0835, cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*, cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271
    org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar (pkg:maven/osgi.bundle/org.eclipse.ui.workbench@3.119.0.v20200521-1247, cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) : CVE-2008-7271
    taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
    xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0, cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: [jira] [Commented] (AXIS2-5996) Axis contains a vulnerable dependecy
Hello,

That ticket is closed. I've just done an owasp check on the latest github clone, what will become 1.8.0, and it reveals the following:

    axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT, cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
    axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
    axis2-xmlbeans-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
    axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans-codegen@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
    commons-httpclient-3.1.jar (pkg:maven/commons-httpclient/commons-httpclient@3.1, cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*, cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
    failureaccess-1.0.1.jar (pkg:maven/com.google.guava/failureaccess@1.0.1, cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908
    org.eclipse.ui.ide-3.17.100.v20200530-0835.jar (pkg:maven/osgi.bundle/org.eclipse.ui.ide@3.17.100.v20200530-0835, cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*, cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271
    org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar (pkg:maven/osgi.bundle/org.eclipse.ui.workbench@3.119.0.v20200521-1247, cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) : CVE-2008-7271
    taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
    xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0, cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926

On Thu, 11 Mar 2021 at 13:16, Joseph (Jira) wrote:
> [ https://issues.apache.org/jira/browse/AXIS2-5996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299553#comment-17299553 ]
>
> Joseph commented on AXIS2-5996:
> -------------------------------
>
> Hi [~robertlazarski],
>
> Thank you for the information! We are locked into importing packages
> through maven unfortunately, any information on when this might be released?
>
>> Axis contains a vulnerable dependecy
>> ------------------------------------
>>
>>                 Key: AXIS2-5996
>>                 URL: https://issues.apache.org/jira/browse/AXIS2-5996
>>             Project: Axis2
>>          Issue Type: Bug
>>    Affects Versions: 1.7.9
>>            Reporter: Joseph
>>            Priority: Major
>>              Labels: security
>>
>> Axis 2 is dependent on Apache Client 4.5.3 which is vulnerable to
>> CVE-2020-13956
>
> --
> This message was sent by Atlassian Jira
> (v8.3.4#803005)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
> For additional commands, e-mail: java-dev-h...@axis.apache.org

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
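The dependency-check summary quoted in this post and in the earlier "what will be 1.8.0" post lists, per jar, the package URL, the CPE(s) the jar was matched to, and the CVEs attached through those matches. The following is an added Python example, not part of the original posts and not code from dependency-check or the Axis2 project, that parses that one-finding-per-line layout: it builds a CVE-to-jar index and flags jars matched to more than one vendor:product CPE. Those multi-product matches are where triage should start, because a CVE reported through a second product match (for example the apache:ant:1.8.0 match on axis2-ant-plugin-1.8.0-SNAPSHOT.jar, whose 1.8.0 is the plugin's own version) has to be checked against the artifact's actual identity before it is accepted or suppressed. The sample report is constructed from lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the one-finding-per-line layout dependency-check prints,
# using findings quoted in this thread; the "axis2.war:" prefix marks a jar
# found inside another archive.
SAMPLE_REPORT = """\
axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT, cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
commons-httpclient-3.1.jar (pkg:maven/commons-httpclient/commons-httpclient@3.1, cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*, cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0, cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926
axis2-xmlbeans-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
"""

# "[archive: ]jar (pkg:..., cpe:..., cpe:...) : CVE-a, CVE-b"
LINE_RE = re.compile(
    r"^(?:(?P<archive>\S+): )?(?P<jar>\S+\.jar) \((?P<ids>[^)]*)\) : (?P<cves>.+)$"
)


def parse_line(line):
    """One finding -> dict, or None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ids = [s.strip() for s in m.group("ids").split(",")]
    cpes = []
    for s in ids:
        if s.startswith("cpe:2.3:"):
            parts = s.split(":")  # cpe:2.3:part:vendor:product:version:...
            cpes.append((parts[3], parts[4], parts[5]))
    return {
        "archive": m.group("archive"),
        "jar": m.group("jar"),
        "purl": next((s for s in ids if s.startswith("pkg:")), None),
        "cpes": cpes,  # (vendor, product, version) per CPE match
        "cves": [c.strip() for c in m.group("cves").split(",")],
    }


def parse_report(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def cve_index(records):
    """CVE -> set of jar names it was reported against."""
    index = defaultdict(set)
    for r in records:
        for cve in r["cves"]:
            index[cve].add(r["jar"])
    return dict(index)


def multi_product_matches(records):
    """Jars matched to more than one vendor:product CPE; verify these first,
    since one of the matches may describe a different product entirely."""
    return [r["jar"] for r in records if len({(v, p) for v, p, _ in r["cpes"]}) > 1]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for cve, jars in sorted(cve_index(recs).items()):
        print(cve, "->", ", ".join(sorted(jars)))
    print("matched to several products:", multi_product_matches(recs))
```

The CVE index answers the question a release manager asks first (which jars does one CVE touch, so one version bump can close several findings), and the multi-product list separates matches that need a dependency upgrade from ones that may only need a suppression entry after manual verification.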
xmlbeans 2.6.0 and CVE-2021-23926
Hello everyone,

The soon to be released axis2 version 1.8.0 depends on xmlbeans 2.6.0 which is exposed to CVE-2021-23926, which is ranked by NIST as 9.1 critical. Can't we move to version 3.0.1? I tried that and it all built ok. I also tried version 4.0.0 but that had problems due to API changes. I think 3.0.1 should be safe, hopefully.

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
when will axis2 version 1.8.0 be released
Hello everyone,

When will 1.8.0 be ready? I am anticipating the recent security fixes that have been made by advancing the version number of various component dependencies. What other things are planned for the release please?

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: when will axis2 version 1.8.0 be released
Hello again,

I'm sorry to bother everyone but I would really like to know what the next step is regarding the release of axis2 version 1.8.0 please.

On Mon, 22 Mar 2021 at 19:15, robertlazarski wrote:
> I have several Jira issues assigned to me that I expect to get cleared up
> in the next couple weeks.
>
> Once that gets settled, in order to release we'd need a vote on this list
> with at least 3 +1 votes and no -1 votes.

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
Re: [VOTE] Release Apache Axis2 1.8.0
+1

regards
andrew marlow
http://www.andrewpetermarlow.co.uk

On Mon, 2 Aug 2021, 01:37 robertlazarski, wrote:
> This is a vote to release Apache Axis2 1.8.0
>
> Git tag:
> https://github.com/apache/axis-axis2-java-core/releases/tag/v1.8.0
>
> Distributions:
> https://dist.apache.org/repos/dist/dev/axis/axis2/java/core/
>
> Maven artifacts:
> https://repository.apache.org/content/repositories/orgapacheaxis2-1022/
>
> Site: http://axis.apache.org/axis2/java/core-staging/
>
> +1 from me.
>
> Robert