[WFLY-16771] Remove bcel from jboss/xalan-j binaries (Fix CVE-2022-34… #7
Conversation
|
Put a hold on this; I got test failures with it. |
bstansberry
force-pushed
the
WFLY-16771
branch
4 times, most recently
from
0501c66
to
609dbc6
Compare
| For example: | ||
|
|
||
| export CLASSPATH=~/.m2/repository/org/jboss/spec/javax/ejb/jboss-ejb-api_3.2_spec/2.0.0.Final/jboss-ejb-api_3.2_spec-2.0.0.Final.jar: \ | ||
| ~/.m2/repository/org/jboss/spec/javax/servlet/jboss-servlet-api_4.0_spec/2.0.0.Final/jboss-servlet-api_4.0_spec-2.0.0.Final.jar |
There was a problem hiding this comment.
I happen to have javax.servlet api in:
~/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
~/.m2/repository/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1.jar
There was a problem hiding this comment.
Everyone will have different jars I'm sure, especially if they occasionally delete their maven repo. No change needed really.
There was a problem hiding this comment.
+1.
I went with the spec fork GAVs as the example just because it's more likely a typical WildFly dev would have those vs having the javax.* Eclipse artifacts.
Thanks, will wait. |
…:xalan binary (Fix CVE-2022-34169) Change the TransformerFactory to one that does not require BCEL
bstansberry
force-pushed
the
WFLY-16771
branch
from
609dbc6
to
f5fb279
Compare
| @@ -1 +1 @@ | |||
| org.apache.xalan.xsltc.trax.TransformerFactoryImpl | |||
| org.apache.xalan.processor.TransformerFactoryImpl | |||
There was a problem hiding this comment.
Note this change, which I believe means a change in the default TransformerFactory for WF users. (I could be wrong.) The new value here is the one EAP has been using for many years. The existing value uses BCEL, which is not present in the xalan-j.jar that EAP ships.
|
@scottmarlow The test issues I mentioned previously are resolved. |
…169)
https://issues.redhat.com/browse/WFLY-16771
Also https://issues.redhat.com/browse/WFLY-16782