GNU bug report logs - #52421
[PATCH][SECURITY] gnu: java-log4j-api: Update to 2.15.0.
Reported by: Julien Lepiller <julien <at> lepiller.eu>
Date: Sat, 11 Dec 2021 02:19:02 UTC
Severity: normal
Tags: patch
Done: Julien Lepiller <julien <at> lepiller.eu>
Report forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 02:19:02 GMT)
Acknowledgement sent to Julien Lepiller <julien <at> lepiller.eu>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 11 Dec 2021 02:19:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Guix!
Today I learnt about a CVE on log4j. Looking more closely, it seems
that log4j2 has had 3 CVEs (at least 3 are listed on
https://logging.apache.org/log4j/2.x/security.html) and we're
vulnerable to all of them \o/
This series updates to the latest version. Thankfully, log4j keeps a
stable API, so there's no breakage in dependents, but a few
dependencies had to be added/updated.
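The cover letter above says the packaged log4j was vulnerable and that the series moves it to 2.15.0. As an added example (not code from this patch series, from Guix, or from log4j), here is a small triage script that reports whether log4j-core jars found on disk are older than that version. It assumes two Maven-convention paths the page does not state: the `META-INF/maven/.../log4j-core/pom.properties` file that Maven-built jars carry, and the location of the `JndiLookup` class file, whose presence it reports separately (the page does not discuss that class). The sample jars are constructed in memory, so it runs offline.

```python
"""Triage log4j-core jars on disk against the 2.15.0 that bug#52421 moves to.

Added example for this bug thread; it is not code from the Guix patch series,
from Guix, or from log4j. Two paths are assumed (Maven conventions, not stated
on the page): the pom.properties that Maven-built jars carry under META-INF,
and the class file of the JNDI lookup plugin.
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Version the series updates java-log4j-api to (commit message in this bug).
FIXED_VERSION = (2, 15, 0)
# Assumed Maven metadata path inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed location of the JNDI lookup class inside log4j-core jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1). Numeric tuples compare correctly; plain strings
    do not ('2.4.1' > '2.15.0' lexicographically), which is exactly the
    2.4.1 -> 2.15.0 jump this series makes."""
    release = text.split("-")[0]            # drop qualifiers such as -SNAPSHOT
    return tuple(int(n) for n in re.findall(r"\d+", release))


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Version recorded in the jar's pom.properties, or None if the jar is not
    log4j-core (no such metadata file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships the JNDI lookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP in zf.namelist()


def classify(jar_bytes: bytes) -> str:
    """One of: 'not-log4j-core', 'fixed', 'vulnerable', 'outdated-lookup-removed'.

    Anything below FIXED_VERSION is reported as needing the update; if the
    lookup class has already been stripped from such a jar, say so separately
    so the operator knows the jar is still old even though the class is gone."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return "not-log4j-core"
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    return "vulnerable" if has_jndi_lookup(jar_bytes) else "outdated-lookup-removed"


def make_jar(version: Optional[str], with_lookup: bool = True) -> bytes:
    """Constructed sample input: a minimal in-memory jar. version=None yields a
    jar without log4j-core metadata (stands in for any unrelated jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\n"
                                   "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n")
            if with_lookup:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def scan_directory(directory: Path) -> Dict[str, str]:
    """Map each *.jar in directory to its verdict."""
    return {p.name: classify(p.read_bytes()) for p in sorted(directory.glob("*.jar"))}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "log4j-core-2.4.1.jar").write_bytes(make_jar("2.4.1"))     # old Guix version
        (d / "log4j-core-2.15.0.jar").write_bytes(make_jar("2.15.0"))   # updated version
        (d / "jansi.jar").write_bytes(make_jar(None))
        for name, verdict in scan_directory(d).items():
            print(f"{name}: {verdict}")
```

Point `scan_directory` at a profile's `lib` or `share/java` directory to get one verdict per jar. The numeric version tuple matters here: a string comparison would rank the old 2.4.1 above 2.15.0 and report the unpatched jar as fixed.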
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 02:24:01 GMT)
Message #8 received at 52421 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/java.scm (java-jansi): Update to 2.4.0.
(java-jansi-1): New variable.
(java-jline-2)[inputs]: Use java-jansi-1.
* gnu/packages/groovy.scm (java-groovy-bootstrap)[inputs]: Use java-jansi-1.
---
gnu/packages/groovy.scm | 2 +-
gnu/packages/java.scm | 82 +++++++++++++++++++++++++++++++++++------
2 files changed, 71 insertions(+), 13 deletions(-)
diff --git a/gnu/packages/groovy.scm b/gnu/packages/groovy.scm
index c44a17b59e..382dfe7faf 100644
--- a/gnu/packages/groovy.scm
+++ b/gnu/packages/groovy.scm
@@ -102,7 +102,7 @@ (define java-groovy-bootstrap
("java-asm-util" ,java-asm-util-8)
("java-classpathx-servletapi" ,java-classpathx-servletapi)
("java-commons-cli" ,java-commons-cli)
- ("java-jansi" ,java-jansi)
+ ("java-jansi" ,java-jansi-1)
("java-jline-2" ,java-jline-2)
("java-picocli" ,java-picocli)
("java-xstream" ,java-xstream)))
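Review bot: pinning java-groovy-bootstrap to java-jansi-1 is done silently; a short comment next to this input saying that groovy (like java-jline-2) still builds against the jansi 1.x API would stop someone from "fixing" it back to java-jansi later. Since `java-jansi` itself now means 2.4.0, also run `guix refresh -l java-jansi` and check that every remaining dependent really builds against the 2.x API rather than only the two consumers this series pins.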
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 36424ee8b1..51b8bc673d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -12134,15 +12134,78 @@ (define-public java-jansi-native
(define-public java-jansi
(package
(name "java-jansi")
+ (version "2.4.0")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fusesource/jansi")
+ (commit (string-append "jansi-" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1s6fva06990798b5fyxqzr30zwyj1byq5wrm54j2larcydaryggf"))
+ (modules '((guix build utils)))
+ (snippet
+ ;; contains pre-compiled libraries
+ '(delete-file-recursively
+ "src/main/resources/org/fusesource/jansi/internal"))))
+ (build-system ant-build-system)
+ (arguments
+ `(#:jar-name "jansi.jar"
+ #:source-dir "src/main/java"
+ #:test-dir "src/test"
+ #:tests? #f; require junit 3
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'build 'build-native
+ (lambda* (#:key inputs #:allow-other-keys)
+ (with-directory-excursion "src/main/native"
+ (invoke "gcc" "-c" "jansi_ttyname.c" "-o" "jansi_ttyname.o"
+ (string-append "-I" (assoc-ref inputs "jdk")
+ "/include/linux")
+ "-fPIC" "-O2")
+ (invoke "gcc" "-o" "libjansi.so" "-shared" "jansi_ttyname.o"))))
+ (add-before 'build 'install-native
+ (lambda _
+ (let ((dir (string-append "build/classes/META-INF/org/fusesource/"
+ "jansi/internal/native/"
+ ,(match (%current-system)
+ ("i686-linux" "linux/x86")
+ ("x86_64-linux" "linux/x86_64")
+ ("armhf-linux" "linux/armv7")
+ ("aarch64-linux" "linux/arm64")
+ ("mips64el-linux" "linux/mips64")
+ (_ "unknown-kernel")))))
+ (install-file "src/main/native/libjansi.so" dir))
+ #t))
+ (add-before 'build 'copy-resources
+ (lambda _
+ (copy-recursively "src/main/resources" "build/classes")
+ #t))
+ (add-after 'check 'clear-term
+ (lambda _
+ (invoke "echo" "-e" "\\e[0m")))
+ (replace 'install
+ (install-from-pom "pom.xml")))))
+ (home-page "https://fusesource.github.io/jansi/")
+ (synopsis "Portable ANSI escape sequences")
+ (description "Jansi is a Java library that allows you to use ANSI escape
+sequences to format your console output which works on every platform.")
+ (license license:asl2.0)))
+
+(define-public java-jansi-1
+ (package
+ (inherit java-jansi)
(version "1.16")
(source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/fusesource/jansi/archive/"
- "jansi-project-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fusesource/jansi")
+ (commit (string-append "jansi-project-" version))))
+ (file-name (git-file-name "jansi" version))
(sha256
(base32
- "11kh3144i3fzp21dpy8zg52mjmsr214k7km9p8ly0rqk2px0qq2z"))))
- (build-system ant-build-system)
+ "0ikk0x352gh30b42qn1jd89xwsjj0mavrc5kms7fss15bd8vsayx"))))
(arguments
`(#:jar-name "jansi.jar"
#:source-dir "jansi/src/main/java"
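Review bot: the two resource paths in this hunk disagree. The snippet deletes upstream's pre-built libraries from `src/main/resources/org/fusesource/jansi/internal`, but `install-native` writes the freshly built `libjansi.so` to `build/classes/META-INF/org/fusesource/jansi/internal/native/<os>/<arch>/`, with an extra `META-INF/` prefix; only one of these can be where the loader looks, so check the lookup path in `src/main/java` and make the install directory match, otherwise the jar will not find its native library at runtime. The `(_ "unknown-kernel")` fallback in the same `match` has the same effect on every other system: prefer an explicit `(error ...)` there so an unsupported system fails at build time instead of producing a jar that cannot load its native code. Minor: `gcc`, `-O2` and the `-I.../include/linux` path are hardcoded and the `build-native` phase has no comment on why `jni_md.h` needs that extra include directory.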
@@ -12173,12 +12236,7 @@ (define-public java-jansi
`(("java-jansi-native" ,java-jansi-native)))
(native-inputs
`(("java-junit" ,java-junit)
- ("java-hamcrest-core" ,java-hamcrest-core)))
- (home-page "https://fusesource.github.io/jansi/")
- (synopsis "Portable ANSI escape sequences")
- (description "Jansi is a Java library that allows you to use ANSI escape
-sequences to format your console output which works on every platform.")
- (license license:asl2.0)))
+ ("java-hamcrest-core" ,java-hamcrest-core)))))
(define-public java-jboss-el-api-spec
(package
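Review bot: java-jansi-1 now exists only because java-jline-2 and java-groovy-bootstrap need the 1.x API, but nothing in the definition says so; add a one-line comment above `(define-public java-jansi-1` so it is not dropped or "updated" independently of those dependents. Note that because `(inherit java-jansi)` is used, anything not overridden here (home-page, synopsis, description, license) silently tracks the 2.4.0 package, which is intended, but the source snippet that deletes pre-built libraries is not inherited since `source` is replaced; confirm the 1.16 tree has no pre-compiled binaries of its own.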
@@ -12541,7 +12599,7 @@ (define-public java-jline-2
`(#:jdk ,icedtea-8
,@(package-arguments java-jline)))
(inputs
- `(("java-jansi" ,java-jansi)
+ `(("java-jansi" ,java-jansi-1)
("java-jansi-native" ,java-jansi-native)))
(native-inputs
`(("java-powermock-modules-junit4" ,java-powermock-modules-junit4)
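Review bot: java-jline-2 keeps both java-jansi-1 and java-jansi-native as inputs. The 2.4.0 java-jansi above builds its native code in-tree, so java-jansi-native is now only needed by the 1.x line; a comment here (or on java-jansi-native) would make clear that it goes away together with java-jansi-1, not before.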
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 02:24:02 GMT)
Message #11 received at 52421 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/java.scm (java-jctools-core-1): New variable.
---
gnu/packages/java.scm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 51b8bc673d..f37baabd37 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -11350,6 +11350,33 @@ (define-public java-lmax-disruptor
message queues or resource locking.")
(license license:asl2.0)))
+(define-public java-jctools-core-1
+ (package
+ (name "java-jctools-core")
+ (version "1.2.1")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/JCTools/JCTools")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "105my29nwd4djvdllmq8s3jdzbyplbkxzwmddxiiilb4yqr1pghb"))))
+ (build-system ant-build-system)
+ (arguments
+ `(#:jar-name "java-jctools-core.jar"
+ #:source-dir "jctools-core/src/main/java"
+ #:test-dir "jctools-core/src/test"))
+ (native-inputs
+ `(("java-junit" ,java-junit)
+ ("java-hamcrest-all" ,java-hamcrest-all)))
+ (home-page "https://github.com/JCTools/JCTools")
+ (synopsis "Concurrency Tools for Java")
+ (description "This library implement concurrent data structures that are
+not natively available in Java.")
+ (license license:asl2.0)))
+
(define-public java-commons-bcel
(package
(name "java-commons-bcel")
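Review bot: the `-1` suffix on `java-jctools-core-1` implies a newer `java-jctools-core` exists, but none is defined in this series, so either drop the suffix or add a comment saying 1.2.1 is pinned for java-log4j-core. The synopsis and description also need the wording fixes Ludovic raises later in the thread ("Concurrency tools for Java", "This library implements ..."). Tests are enabled via `#:test-dir "jctools-core/src/test"` with only junit and hamcrest-all as native inputs, which is good; make sure the test run actually passes on the build farm rather than being skipped.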
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 02:24:02 GMT)
Message #14 received at 52421 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/java.scm (java-conversant-disruptor): New variable.
---
gnu/packages/java.scm | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index f37baabd37..192105008f 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -11350,6 +11350,41 @@ (define-public java-lmax-disruptor
message queues or resource locking.")
(license license:asl2.0)))
+(define-public java-conversant-disruptor
+ (package
+ (name "java-conversant-disruptor")
+ (version "1.2.19")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/conversant/disruptor")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0gx1dm7sfg7pa05cs4qby10gfcplai5b5lf1f7ik1a76dh3vhl0g"))))
+ (build-system ant-build-system)
+ (arguments
+ `(#:jar-name "java-conversant-disruptor.jar"
+ #:source-dir "src/main/java"
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'build 'copy-resources
+ (lambda _
+ (copy-recursively "src/main/resources" "build/classes")))
+ (add-before 'build 'remove-module
+ (lambda _
+ (delete-file "src/main/java/module-info.java"))))))
+ (native-inputs
+ `(("java-junit" ,java-junit)))
+ (home-page "https://github.com/conversant/disruptor")
+ (synopsis "High performance intra-thread communication")
+ (description "Conversant Disruptor is the highest performing intra-thread
+transfer mechanism available in Java. Conversant Disruptor is an implementation
+of this type of ring buffer that has almost no overhead and that exploits a
+particularly simple design.")
+ (license license:asl2.0)))
+
(define-public java-jctools-core-1
(package
(name "java-jctools-core")
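Review bot: the description copies upstream's marketing ("the highest performing intra-thread transfer mechanism available in Java") and "this type of ring buffer" refers to nothing said before it; reword it as a neutral statement of what the library is (a ring-buffer based queue for passing messages between threads). The `remove-module` phase deletes `src/main/java/module-info.java` without saying why; a one-line comment (for example that the packaged JDK or ant setup cannot compile module descriptors) would help the next person who touches this. Also, no `#:tests?` or `#:test-dir` is given, so the build system's default test directory is used; check that the tests actually run and pass with only java-junit available.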
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 02:24:03 GMT)
Message #17 received at 52421 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/java.scm (java-lmax-disruptor): Update to 3.4.4.
---
gnu/packages/java.scm | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 192105008f..785e9f13e2 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -11318,15 +11318,16 @@ (define-public java-bouncycastle
(define-public java-lmax-disruptor
(package
(name "java-lmax-disruptor")
- (version "3.3.7")
+ (version "3.4.4")
(source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/LMAX-Exchange/disruptor/"
- "archive/" version ".tar.gz"))
- (file-name (string-append name "-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/LMAX-Exchange/disruptor")
+ (commit version)))
+ (file-name (git-file-name name version))
(sha256
(base32
- "17da2gwj5abnlsfgn2xqjk5lgzbg4vkb0hdv2dvc8r2fx4bi7w3g"))))
+ "02c5kp3n8a73dq9ay7ar53s1k3x61z9yzc5ikqb03m6snr1wpfqn"))))
(build-system ant-build-system)
(arguments
`(#:jar-name "java-lmax-disruptor.jar"
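Review bot: moving from GitHub's auto-generated `archive/<version>.tar.gz` to `git-fetch` on the `3.4.4` tag is the right call, since those archives are not guaranteed to stay byte-identical; the consequence is that the new hash cannot be compared with the old one, so verify it with `guix hash -rx .` on a fresh checkout of the tag before pushing. Since both java-log4j-core and java-log4j-1.2-api consume this package, rebuild them to confirm the 3.3.7 to 3.4.4 jump introduces no API breakage.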
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 02:24:03 GMT)
Message #20 received at 52421 <at> debbugs.gnu.org (full text, mbox):
Includes fixes for CVE-2017-5645, CVE-2020-9488 and CVE-2021-44228.
* gnu/packages/java.scm (java-log4j-api): Update to 2.15.0.
(java-log4j-core, java-log4j-1.2-api)[inputs]: Adjust accordingly.
---
gnu/packages/java.scm | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 785e9f13e2..d295077113 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -7840,14 +7840,14 @@ (define-public java-javax-mail
(define-public java-log4j-api
(package
(name "java-log4j-api")
- (version "2.4.1")
+ (version "2.15.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://apache/logging/log4j/" version
"/apache-log4j-" version "-src.tar.gz"))
(sha256
(base32
- "0j5p9gik0jysh37nlrckqbky12isy95cpwg2gv5fas1rcdqbraxd"))))
+ "0h4ndw096h9cql0kyi1zd0ymp8hqxc1jdgdxkn0kxf8vd9b4dx14"))))
(build-system ant-build-system)
(arguments
`(#:tests? #f ; tests require unpackaged software
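Review bot: this is a jump from 2.4.1 to 2.15.0 with `#:tests? #f` still in place, so the only evidence that the build is sound is that the jar links; given that this is the security-motivated change of the series, at least build every dependent listed by `guix refresh -l java-log4j-api` before pushing, since the cover letter's "stable API, no breakage" claim is otherwise unverified. The source is still the `mirror://apache` tarball pinned by sha256, which is fine; keep the version and hash updated together so the mirror URL and the hash never drift apart.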
@@ -7869,6 +7869,7 @@ (define-public java-log4j-api
`(("java-osgi-core" ,java-osgi-core)
("java-hamcrest-core" ,java-hamcrest-core)
("java-junit" ,java-junit)))
+ (properties '((cpe-name . "log4j")))
(home-page "https://logging.apache.org/log4j/2.x/")
(synopsis "API module of the Log4j logging framework for Java")
(description
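Review bot: `(properties '((cpe-name . "log4j")))` is what lets `guix lint -c cve` match this package against NVD entries for log4j, but it is only added to java-log4j-api here. java-log4j-core and java-log4j-1.2-api are built from the same source tarball at the same version and need the same property, either by inheriting it or explicitly, otherwise the CVE lint check will silently not cover them.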
@@ -7886,7 +7887,11 @@ (define-public java-log4j-core
("java-log4j-api" ,java-log4j-api)
("java-mail" ,java-mail)
("java-jboss-jms-api-spec" ,java-jboss-jms-api-spec)
+ ("java-conversant-disruptor" ,java-conversant-disruptor)
("java-lmax-disruptor" ,java-lmax-disruptor)
+ ("java-jctools-core" ,java-jctools-core-1)
+ ("java-stax2-api" ,java-stax2-api)
+ ("java-jansi" ,java-jansi)
("java-kafka" ,java-kafka-clients)
("java-datanucleus-javax-persistence" ,java-datanucleus-javax-persistence)
("java-fasterxml-jackson-annotations" ,java-fasterxml-jackson-annotations)
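Review bot: four new inputs (java-conversant-disruptor, java-jctools-core-1, java-stax2-api, the 2.4.0 java-jansi) join the closure of every java-log4j-core dependent without any note on which part of the 2.15.0 build each one is required for; a short comment per input would let a later maintainer tell mandatory compile-time dependencies from optional ones that could be dropped. The label "java-jctools-core" pointing at `java-jctools-core-1` is fine since labels are just keys, but it is another place where the `-1` pin deserves a comment.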
@@ -7934,6 +7939,7 @@ (define-public java-log4j-1.2-api
(inputs
`(("log4j-api" ,java-log4j-api)
("log4j-core" ,java-log4j-core)
+ ("java-jboss-jms-api-spec" ,java-jboss-jms-api-spec)
("osgi-core" ,java-osgi-core)
("eclipse-osgi" ,java-eclipse-osgi)
("java-lmax-disruptor" ,java-lmax-disruptor)))))
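Review bot: this input list now mixes two label conventions ("log4j-api", "log4j-core", "osgi-core", "eclipse-osgi" versus the added "java-jboss-jms-api-spec" and "java-lmax-disruptor"). Labels are only keys, so this is cosmetic, but using the package names consistently here would keep it in line with the rest of java.scm and make a later switch to label-less inputs trivial.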
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 21:09:01 GMT)
Message #23 received at 52421 <at> debbugs.gnu.org (full text, mbox):
Hi,
Julien Lepiller <julien <at> lepiller.eu> skribis:
> today I learnt about a CVE on log4j. Looking more closely, it seems
> that log4j2 has had 3 CVEs (at least 3 are listed on
> https://logging.apache.org/log4j/2.x/security.html) and we're
> vulnerable to all of them \o/
>
> This series updates to the latest version. Thankfully, log4j keeps a
> stable API, so there's no breakage in dependents, but a few
> dependencies had to be added/updated.
I had a quick look and it all LGTM.
Thanks for taking care of it!
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#52421; Package guix-patches. (Sat, 11 Dec 2021 21:10:02 GMT)
Message #26 received at 52421 <at> debbugs.gnu.org (full text, mbox):
Julien Lepiller <julien <at> lepiller.eu> skribis:
> + (home-page "https://github.com/JCTools/JCTools")
> + (synopsis "Concurrency Tools for Java")
Lowercase “tools”.
> + (description "This library implement concurrent data structures that are
“implements”
Ludo’.
Reply sent to Julien Lepiller <julien <at> lepiller.eu>: You have taken responsibility. (Sun, 12 Dec 2021 18:26:02 GMT)
Notification sent to Julien Lepiller <julien <at> lepiller.eu>: bug acknowledged by developer. (Sun, 12 Dec 2021 18:26:03 GMT)
Message #31 received at 52421-done <at> debbugs.gnu.org (full text, mbox):
Thanks for the review. I added remarks from IRC and pushed the update
as 5259513d5e5a918bb44b87ab7a562621cc78c945 to
d5cfca23e30a9166d49faf0b48cca3ee27699f7a.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 10 Jan 2022 12:24:04 GMT)