diff --git a/0003-resteasy-cve-2014-3490.patch b/0003-resteasy-cve-2014-3490.patch
new file mode 100644
index 0000000..14cc7a4
--- /dev/null
+++ b/0003-resteasy-cve-2014-3490.patch
@@ -0,0 +1,19 @@
+diff -up Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java.1073 Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
+--- Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java.1073 2014-09-29 17:44:28.776812688 -0400
++++ Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-09-29 17:47:52.202425895 -0400
+@@ -154,6 +154,7 @@ public class ExternalEntityUnmarshaller
+ XMLReader xmlReader = sp.getXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ SAXSource saxSource = new SAXSource(xmlReader, source);
+ return delegate.unmarshal(saxSource);
+ }
+@@ -198,6 +199,7 @@ public class ExternalEntityUnmarshaller
+ XMLReader xmlReader = sp.getXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ ((SAXSource) source).setXMLReader(xmlReader);
+ return delegate.unmarshal(source, declaredType);
+ }
diff --git a/resteasy.spec b/resteasy.spec
index 5074af8..2b2c579 100644
--- a/resteasy.spec
+++ b/resteasy.spec
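Review bot: With external general and parameter entities now switched off in both patched `unmarshal` paths, the reader still has no visible setting that rejects DOCTYPE declarations or stops the external DTD subset from being loaded, so the hardening for CVE-2014-3490 remains a list of individual switches that is easy to leave incomplete. If the parser is Xerces-based, consider `xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` where DTDs are not needed, or at least `xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`; how `sp` and its factory are configured lies outside these hunks, so this may already be covered. The same three `setFeature` calls are now duplicated at the `@@ -154` and `@@ -198` sites, and a private helper such as `configureReader(XMLReader)` would keep the two from drifting apart the next time a feature is added. Both method bodies start outside the hunk.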
@@ -3,7 +3,7 @@ Name: resteasy Version: 3.0.6 -Release: 5%{?dist} +Release: 7%{?dist} Summary: Framework for RESTful Web services and Java applications License: ASL 2.0 and CDDL URL: http://www.jboss.org/resteasy 
@@ -12,92 +12,244 @@ Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion}.tar.gz # Support for mime4j 0.7.2 Patch0: 0001-Mime4j-0.7.2-support.patch Patch1: 0002-bcmail-api-change.patch +Patch2: 0003-resteasy-cve-2014-3490.patch BuildArch: noarch -BuildRequires: apache-commons-lang -BuildRequires: apache-commons-cli -BuildRequires: apache-commons-codec -BuildRequires: apache-commons-logging -BuildRequires: apache-commons-collections -BuildRequires: apache-mime4j >= 0:0.7.2-2 -BuildRequires: apache-james-project - -BuildRequires: bea-stax -BuildRequires: bean-validation-api -#BuildRequires: bouncycastle -BuildRequires: bouncycastle-mail -BuildRequires: cglib -BuildRequires: classmate -BuildRequires: codehaus-parent -BuildRequires: dnsjava -BuildRequires: geronimo-annotation -BuildRequires: glassfish-jaxb >= 0:2.2.5-2 -BuildRequires: glassfish-jaxb-api -BuildRequires: google-guice -BuildRequires: hibernate-validator -BuildRequires: httpcomponents-client -BuildRequires: httpcomponents-core -BuildRequires: hsqldb -BuildRequires: httpunit -BuildRequires: infinispan -BuildRequires: jackson-databind -BuildRequires: jackson-module-jaxb-annotations -BuildRequires: jackson-annotations -BuildRequires: jackson-core -BuildRequires: jackson-jaxrs-json-provider -BuildRequires: jakarta-commons-httpclient -BuildRequires: javamail -BuildRequires: javassist -BuildRequires: jandex -BuildRequires: jboss-servlet-2.5-api -BuildRequires: jboss-servlet-3.0-api -BuildRequires: jcip-annotations -BuildRequires: jettison -BuildRequires: jetty-server -BuildRequires: junit -BuildRequires: jsonp -BuildRequires: netty -BuildRequires: scannotation -BuildRequires: slf4j -BuildRequires: snakeyaml -BuildRequires: glassfish-fastinfoset -BuildRequires: tomcat-el-2.2-api -BuildRequires: cdi-api -BuildRequires: xerces-j2 -BuildRequires: picketbox -BuildRequires: springframework-webmvc -BuildRequires: jetty-version-maven-plugin -BuildRequires: maven-local -BuildRequires: 
maven-compiler-plugin -BuildRequires: maven-deploy-plugin -BuildRequires: maven-install-plugin -BuildRequires: maven-javadoc-plugin -BuildRequires: maven-jaxb2-plugin -BuildRequires: maven-plugin-cobertura -BuildRequires: maven-pmd-plugin -BuildRequires: maven-resources-plugin -BuildRequires: maven-site-plugin -BuildRequires: maven-source-plugin -BuildRequires: maven-surefire-plugin -BuildRequires: maven-surefire-report-plugin -BuildRequires: maven-surefire-provider-junit -BuildRequires: jboss-annotations-1.1-api -BuildRequires: undertow +BuildRequires: maven-local +BuildRequires: mvn(asm:asm) +BuildRequires: mvn(com.beust:jcommander) +BuildRequires: mvn(com.fasterxml:classmate) +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind) +BuildRequires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider) +BuildRequires: mvn(com.google.inject:guice) +BuildRequires: mvn(commons-httpclient:commons-httpclient) +BuildRequires: mvn(commons-io:commons-io) +BuildRequires: mvn(com.sun.xml.bind:jaxb-impl) +BuildRequires: mvn(com.sun.xml.fastinfoset:FastInfoset) +BuildRequires: mvn(httpunit:httpunit) +BuildRequires: mvn(io.undertow:undertow-core) +BuildRequires: mvn(io.undertow:undertow-servlet) +BuildRequires: mvn(javax.annotation:jsr250-api) +BuildRequires: mvn(javax.el:javax.el-api) +BuildRequires: mvn(javax.enterprise:cdi-api) +BuildRequires: mvn(javax.json:javax.json-api) +BuildRequires: mvn(javax.mail:mail) +BuildRequires: mvn(javax.servlet:servlet-api) +BuildRequires: mvn(junit:junit) +BuildRequires: mvn(log4j:log4j) +BuildRequires: mvn(net.jcip:jcip-annotations) +BuildRequires: mvn(org.apache.httpcomponents:httpclient) +BuildRequires: mvn(org.apache.james:apache-mime4j-core) +BuildRequires: mvn(org.apache.james:apache-mime4j-dom) +BuildRequires: mvn(org.apache.james:apache-mime4j-storage) +BuildRequires: 
mvn(org.apache.maven.plugins:maven-deploy-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin) +BuildRequires: mvn(org.bouncycastle:bcmail-jdk16) +BuildRequires: mvn(org.bouncycastle:bcprov-jdk16) +BuildRequires: mvn(org.codehaus.jackson:jackson-core-asl) +BuildRequires: mvn(org.codehaus.jackson:jackson-jaxrs) +BuildRequires: mvn(org.codehaus.jackson:jackson-mapper-asl) +BuildRequires: mvn(org.codehaus.jackson:jackson-xc) +BuildRequires: mvn(org.codehaus.jettison:jettison) +BuildRequires: mvn(org.eclipse.jetty:jetty-server) +BuildRequires: mvn(org.glassfish:javax.json) +BuildRequires: mvn(org.glassfish.web:javax.el) +BuildRequires: mvn(org.hibernate:hibernate-validator) +BuildRequires: mvn(org.hibernate.javax.persistence:hibernate-jpa-2.0-api) +BuildRequires: mvn(org.infinispan:infinispan-core) +BuildRequires: mvn(org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec) +BuildRequires: mvn(org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec) +BuildRequires: mvn(org.jboss.spec.javax.servlet:jboss-servlet-api_2.5_spec) +BuildRequires: mvn(org.jboss.spec.javax.servlet:jboss-servlet-api_3.0_spec) +BuildRequires: mvn(org.jboss.weld.se:weld-se) +BuildRequires: mvn(org.jboss.weld:weld-core) +BuildRequires: mvn(org.picketbox:picketbox) +BuildRequires: mvn(org.scannotation:scannotation) +BuildRequires: mvn(org.slf4j:slf4j-api) +BuildRequires: mvn(org.slf4j:slf4j-simple) +BuildRequires: mvn(org.springframework:spring-core) +BuildRequires: mvn(org.springframework:spring-webmvc) +BuildRequires: mvn(org.yaml:snakeyaml) -%description -RESTEasy contains a JBoss project that provides frameworks to help -build RESTful Web Services and RESTful Java applications. It is a fully -certified and portable implementation of the JAX-RS specification. 
+%if 0%{?fedora} > 20 +BuildRequires: mvn(io.netty:netty-all) +%else +BuildRequires: mvn(io.netty:netty) +%endif -%package javadoc -Summary: Javadocs for %{name} +Requires: resteasy-jaxrs-api = %{version}-%{release} +Requires: resteasy-core = %{version}-%{release} +Requires: resteasy-atom-provider = %{version}-%{release} +Requires: resteasy-fastinfoset-provider = %{version}-%{release} +Requires: resteasy-jackson-provider = %{version}-%{release} +Requires: resteasy-jackson2-provider = %{version}-%{release} +Requires: resteasy-jaxb-provider = %{version}-%{release} +Requires: resteasy-jettison-provider = %{version}-%{release} +Requires: resteasy-json-p-provider = %{version}-%{release} +Requires: resteasy-multipart-provider = %{version}-%{release} +Requires: resteasy-validator-provider-11 = %{version}-%{release} +Requires: resteasy-yaml-provider = %{version}-%{release} +Requires: resteasy-client = %{version}-%{release} +Requires: resteasy-optional = %{version}-%{release} +Requires: resteasy-test = %{version}-%{release} + +%description +%global desc \ +RESTEasy contains a JBoss project that provides frameworks to help\ +build RESTful Web Services and RESTful Java applications. It is a fully\ +certified and portable implementation of the JAX-RS specification. +%{desc} +%global extdesc %{desc}\ +\ +This package contains + +%package javadoc +Summary: Javadocs for %{name} %description javadoc This package contains the API documentation for %{name}. +%package jaxrs-api +Summary: Module jaxrs-api for %{name} + +%description jaxrs-api +%{extdesc} %{summary}. + +%package core +Summary: Core modules for %{name} + +%description core +%{extdesc} %{summary}. + +%package atom-provider +Summary: Module atom-provider for %{name} + +%description atom-provider +%{extdesc} %{summary}. + +%package fastinfoset-provider +Summary: Module fastinfoset-provider for %{name} + +%description fastinfoset-provider +%{extdesc} %{summary}. 
+ +%package jackson-provider +Summary: Module jackson-provider for %{name} + +%description jackson-provider +%{extdesc} %{summary}. + +%package jackson2-provider +Summary: Module jackson2-provider for %{name} + +%description jackson2-provider +%{extdesc} %{summary}. + +%package jaxb-provider +Summary: Module jaxb-provider for %{name} + +%description jaxb-provider +%{extdesc} %{summary}. + +%package jettison-provider +Summary: Module jettison-provider for %{name} + +%description jettison-provider +%{extdesc} %{summary}. + +%package json-p-provider +Summary: Module json-p-provider for %{name} + +%description json-p-provider +%{extdesc} %{summary}. + +%package multipart-provider +Summary: Module multipart-provider for %{name} + +%description multipart-provider +%{extdesc} %{summary}. + +%package validator-provider-11 +Summary: Module validate-provider-11 for %{name} + +%description validator-provider-11 +%{extdesc} %{summary}. + +%package yaml-provider +Summary: Module yaml-provider for %{name} + +%description yaml-provider +%{extdesc} %{summary}. + + +%package client +Summary: Client for %{name} + +%description client +%{extdesc} %{summary}. + +%package optional +Summary: Optional modules for %{name} + +%description optional +%{extdesc} %{summary}. + +%package test +Summary: Test modules for %{name} + +%description test +%{extdesc} %{summary}. 
+ %prep %setup -q -n Resteasy-%{namedversion} +%mvn_package ":jaxrs-api" jaxrs-api +%mvn_package ":resteasy-jaxrs" core +%mvn_package ":providers-pom" core +%mvn_package ":resteasy-jaxrs-all" core +%mvn_package ":resteasy-pom" core +%mvn_package ":resteasy-atom-provider" atom-provider +%mvn_package ":resteasy-fastinfoset-provider" fastinfoset-provider +%mvn_package ":resteasy-jackson-provider" jackson-provider +%mvn_package ":resteasy-jackson2-provider" jackson2-provider +%mvn_package ":resteasy-jaxb-provider" jaxb-provider +%mvn_package ":resteasy-jettison-provider" jettison-provider +%mvn_package ":resteasy-json-p-provider" json-p-provider +%mvn_package ":resteasy-multipart-provider" multipart-provider +%mvn_package ":resteasy-validator-provider-11" validator-provider-11 +%mvn_package ":resteasy-yaml-provider" yaml-provider +%mvn_package ":resteasy-client" client +%mvn_package ":test-resteasy-html" test +%mvn_package ":test-all-jaxb" test +%mvn_package ":test-jackson-jaxb-coexistence" test +%mvn_package ":resteasy-jaxrs-testsuite" test +%mvn_package ":async-http-servlet-3.0" optional +%mvn_package ":asynch-http-servlet-3.0-pom" optional +%mvn_package ":http-adapter-pom" optional +%mvn_package ":jose-jwt" optional +%mvn_package ":resteasy-bom" optional +%mvn_package ":resteasy-cache-core" optional +%mvn_package ":resteasy-cache-pom" optional +%mvn_package ":resteasy-cdi" optional +%mvn_package ":resteasy-crypto" optional +%mvn_package ":resteasy-guice" optional +%mvn_package ":resteasy-html" optional +%mvn_package ":resteasy-jdk-http" optional +%mvn_package ":resteasy-jsapi" optional +%mvn_package ":resteasy-keystone-core" optional +%mvn_package ":resteasy-servlet-initializer" optional +%mvn_package ":resteasy-spring" optional +%mvn_package ":resteasy-undertow" optional +%mvn_package ":security-pom" optional +%mvn_package ":tjws" optional + +%if 0%{?fedora} > 20 +%mvn_package ":resteasy-netty4" optional +%else +%mvn_package ":resteasy-netty" optional +%endif # 
Disable unnecesary modules %pom_disable_module examples jaxrs/pom.xml @@ -139,6 +291,10 @@ rm jaxrs/resteasy-spring/src/main/java/org/jboss/resteasy/springmvc/JettyLifecyc %pom_remove_dep "org.mortbay.jetty:jetty" jaxrs/resteasy-spring/pom.xml %pom_add_dep "org.eclipse.jetty:jetty-server" jaxrs/resteasy-spring/pom.xml +%pom_remove_plugin com.atlassian.maven.plugins:maven-clover2-plugin jaxrs/pom.xml +%pom_remove_plugin com.atlassian.maven.plugins:maven-clover2-plugin jaxrs/resteasy-jaxrs/pom.xml + + # Fixing JDK7 ASCII issues files=' jaxrs/resteasy-jsapi/src/main/java/org/jboss/resteasy/jsapi/JSAPIWriter.java @@ -152,6 +308,10 @@ done %patch0 -p1 %patch1 -p0 +%patch2 -p1 + +# additional gId:aId for jaxrs-api +%mvn_alias ":jaxrs-api" "org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_1.1_spec" %build %mvn_build -f 
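Review bot: The new `validator-provider-11` subpackage is declared with `Summary: Module validate-provider-11 for %{name}`, which does not match the package or artifact name; it should read `Summary: Module validator-provider-11 for %{name}`. Separately, the base package now carries `Requires: resteasy-test` and `Requires: resteasy-optional`, so installing `resteasy` still pulls in the test-suite jars and every optional module rather than a reduced set. If that is intended only to keep pre-split installs complete, a comment above the `Requires:` block saying so would help, e.g. `# Base package is a metapackage kept for upgrade compatibility`.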
@@ -169,15 +329,65 @@ find -name "resteasy-*-jandex.jar" | while read f; do install -pm 644 ${f} %{buildroot}%{_javadir}/%{name}/$(basename -s "-%{namedversion}-jandex.jar" $f)-jandex.jar done -%files -f .mfiles -%dir %{_javadir}/%{name} -%{_javadir}/%{name}/*jandex.jar +%files %doc jaxrs/License.html jaxrs/README.html - +%files jaxrs-api -f .mfiles-jaxrs-api +%files core -f .mfiles-core +%dir %{_javadir}/%{name} +%{_javadir}/%{name}/resteasy-jaxrs-jandex.jar +%files atom-provider -f .mfiles-atom-provider +%{_javadir}/%{name}/resteasy-atom-provider-jandex.jar +%files fastinfoset-provider -f .mfiles-fastinfoset-provider +%{_javadir}/%{name}/resteasy-fastinfoset-provider-jandex.jar +%files jackson-provider -f .mfiles-jackson-provider +%{_javadir}/%{name}/resteasy-jackson-provider-jandex.jar +%files jackson2-provider -f .mfiles-jackson2-provider +%{_javadir}/%{name}/resteasy-jackson2-provider-jandex.jar +%files jaxb-provider -f .mfiles-jaxb-provider +%{_javadir}/%{name}/resteasy-jaxb-provider-jandex.jar +%files jettison-provider -f .mfiles-jettison-provider +%{_javadir}/%{name}/resteasy-jettison-provider-jandex.jar +%files json-p-provider -f .mfiles-json-p-provider +%{_javadir}/%{name}/resteasy-json-p-provider-jandex.jar +%files multipart-provider -f .mfiles-multipart-provider +%{_javadir}/%{name}/resteasy-multipart-provider-jandex.jar +%files validator-provider-11 -f .mfiles-validator-provider-11 +%{_javadir}/%{name}/resteasy-validator-provider-11-jandex.jar +%files yaml-provider -f .mfiles-yaml-provider +%{_javadir}/%{name}/resteasy-yaml-provider-jandex.jar +%files client -f .mfiles-client +%{_javadir}/%{name}/resteasy-client-jandex.jar +%files optional -f .mfiles-optional +%{_javadir}/%{name}/resteasy-cache-core-jandex.jar +%{_javadir}/%{name}/resteasy-cdi-jandex.jar +%{_javadir}/%{name}/resteasy-crypto-jandex.jar +%{_javadir}/%{name}/resteasy-guice-jandex.jar +%{_javadir}/%{name}/resteasy-html-jandex.jar +%{_javadir}/%{name}/resteasy-jdk-http-jandex.jar 
+%{_javadir}/%{name}/resteasy-jsapi-jandex.jar +%{_javadir}/%{name}/resteasy-keystone-core-jandex.jar +%{_javadir}/%{name}/resteasy-servlet-initializer-jandex.jar +%{_javadir}/%{name}/resteasy-undertow-jandex.jar +%if 0%{?fedora} > 20 +%{_javadir}/%{name}/resteasy-netty4-jandex.jar +%else +%{_javadir}/%{name}/resteasy-netty-jandex.jar +%endif +%files test -f .mfiles-test +%{_javadir}/%{name}/resteasy-jaxrs-testsuite-jandex.jar %files javadoc -f .mfiles-javadoc %doc jaxrs/License.html + + %changelog +* Fri Dec 5 2014 Ade Lee - 3.0.6-7 +- Refactor into subpackages. +- Change build requires to mvn() format + +* Mon Sep 29 2014 Ade Lee - 3.0.6-6 +- Add fix for CVE-2014-3490 + * Tue Jun 24 2014 Ade Lee - 3.0.6-5 - Replace broken dependencies junit4-> junit - Add patch to handle new bouncycastle API in version 1.50