Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update xercesImpl to 2.12.1 (from 2.12.0) #641

Closed
wants to merge 1 commit into from

Conversation

sseide
Copy link
Contributor

@sseide sseide commented Jan 25, 2021

Description

within the current xercesImpl version 2.12.0 a vulnerabilities was found. It is fixed with the update to 2.12.1.

Motivation and Context

Fix potential security problems

How Has This Been Tested?

run gradlew check, first run failed with one library (xstream) having changed as expected, rerun with "-PupdateExpectedJars" switch and "-PchecksumUpdate".
The following executions of gradlew check and gradlew test succeeded now.

The update of the checksum was needed because the signer of the xercesImpl release has changed and a new gpg key was used to sign the maven release? (see https://issues.apache.org/jira/browse/XERCESJ-1724)

Screenshots (if appropriate):

none

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.
  • I have updated the documentation accordingly.

@FSchumacher
Copy link
Contributor

I wonder, if it would be better to use the sha512 sum in this case, as the uploaders pgp key can't be found anywhere.

@vlsi
Copy link
Collaborator

vlsi commented Jan 27, 2021

AFAIK Xerces is ASF project, so the key should be located at http://xerces.apache.org/ somewhere

@vlsi
Copy link
Collaborator

vlsi commented Jan 27, 2021

Ah, the library was published by @apupier somehow manually (see https://issues.apache.org/jira/browse/XERCESJ-1724)
It is sad Xerces PMC does not publish jars to repository.apache.org :-/

On the other hand, the file at Central is the same as the one in the official release:

$ openssl dgst -sha512 Xerces-J-bin.2.12.1.zip
SHA512(Xerces-J-bin.2.12.1.zip)= 318222b084e2882b16d230a70d0811882d2e46b0e63e8262098e952d25c9caebf32b40c0d0a1ed68a787f6dd017b5a4fa805c00889429115462dfb2e268a8b28

# jar from the official release
$ openssl dgst -sha512 xercesImpl.jar
SHA512(xercesImpl.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957
# jar from OSSRH
$ openssl dgst -sha512 xercesImpl-2.12.1.jar
SHA512(xercesImpl-2.12.1.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957

So I agree we should use SHA512, and we should use SHA512 for all other xerces jars.

@asfgit asfgit closed this in 3e0a9aa Feb 11, 2021
@FSchumacher
Copy link
Contributor

Thanks for the PR. A version using the SHA512 checksums has been committed to trunk. It would be great, if you could test next build from trunk or nightly.

@sseide sseide deleted the fix-xercesimpl branch March 5, 2021 14:16
kkalinin pushed a commit to kkalinin/jmeter that referenced this pull request Mar 11, 2021
Based on patch by Stefan Seide (stefan at trilobyte-se.de)

Closes apache#641
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants