[resteasy/f20] Fix for CVE-2014-3490
Ade Lee
vakwetu at fedoraproject.org
Wed Dec 10 20:33:06 UTC 2014
commit 89f9af2560b9397fc4ef46393652e414a3fbdb4d
Author: Ade Lee <alee at redhat.com>
Date: Wed Dec 10 15:23:31 2014 -0500
Fix for CVE-2014-3490
0002-resteasy-cve-2014-3490.patch | 19 +++++++++++++++++++
resteasy.spec | 7 ++++++-
2 files changed, 25 insertions(+), 1 deletions(-)
---
diff --git a/0002-resteasy-cve-2014-3490.patch b/0002-resteasy-cve-2014-3490.patch
new file mode 100644
index 0000000..6b7cfc0
--- /dev/null
+++ b/0002-resteasy-cve-2014-3490.patch
@@ -0,0 +1,19 @@
+diff -up Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java.p3 Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
+--- Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java.p3 2014-12-10 15:12:58.764395277 -0500
++++ Resteasy-3.0.6.Final/jaxrs/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-12-10 15:14:47.509416651 -0500
+@@ -154,6 +154,7 @@ public class ExternalEntityUnmarshaller
+ XMLReader xmlReader = sp.getXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ SAXSource saxSource = new SAXSource(xmlReader, source);
+ return delegate.unmarshal(saxSource);
+ }
+@@ -198,6 +199,7 @@ public class ExternalEntityUnmarshaller
+ XMLReader xmlReader = sp.getXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ ((SAXSource) source).setXMLReader(xmlReader);
+ return delegate.unmarshal(source, declaredType);
+ }
diff --git a/resteasy.spec b/resteasy.spec
index 3ba975d..74539d0 100644
--- a/resteasy.spec
+++ b/resteasy.spec
@@ -3,7 +3,7 @@
Name: resteasy
Version: 3.0.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Framework for RESTful Web services and Java applications
License: ASL 2.0 and CDDL
URL: http://www.jboss.org/resteasy
@@ -11,6 +11,7 @@ Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion}.tar.gz
# Support for mime4j 0.7.2
Patch0: 0001-Mime4j-0.7.2-support.patch
+Patch1: 0002-resteasy-cve-2014-3490.patch
BuildArch: noarch
@@ -150,6 +151,7 @@ native2ascii -encoding UTF8 ${f} ${f}
done
%patch0 -p1
+%patch1 -p1
%build
%mvn_build -f
@@ -176,6 +178,9 @@ done
%doc jaxrs/License.html
%changelog
+* Wed Dec 10 2014 Ade Lee <alee at eredhat.com> - 3.0.6-3
+- Add fix for CVE-2014-3490
+
* Tue Jan 14 2014 Marek Goldmann <mgoldman at redhat.com> - 3.0.6-2
- Support for Netty 4 in Rawhide