Skip to content

update xercesImpl to 2.12.1 (from 2.12.0)#641

Closed
sseide wants to merge 1 commit intoapache:masterfrom
sseide:fix-xercesimpl
Closed

update xercesImpl to 2.12.1 (from 2.12.0)#641
sseide wants to merge 1 commit intoapache:masterfrom
sseide:fix-xercesimpl

Conversation

@sseide
Copy link
Contributor

@sseide sseide commented Jan 25, 2021

Description

within the current xercesImpl version 2.12.0 a vulnerabilities was found. It is fixed with the update to 2.12.1.

Motivation and Context

Fix potential security problems

How Has This Been Tested?

run gradlew check, first run failed with one library (xstream) having changed as expected, rerun with "-PupdateExpectedJars" switch and "-PchecksumUpdate".
The following executions of gradlew check and gradlew test succeeded now.

The update of the checksum was needed because the signer of the xercesImpl release has changed and a new gpg key was used to sign the maven release? (see https://issues.apache.org/jira/browse/XERCESJ-1724)

Screenshots (if appropriate):

none

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.
  • I have updated the documentation accordingly.

@FSchumacher
Copy link
Contributor

FSchumacher commented Jan 27, 2021

I wonder, if it would be better to use the sha512 sum in this case, as the uploaders pgp key can't be found anywhere.

@vlsi
Copy link
Collaborator

vlsi commented Jan 27, 2021

AFAIK Xerces is ASF project, so the key should be located at http://xerces.apache.org/ somewhere

@vlsi
Copy link
Collaborator

vlsi commented Jan 27, 2021

Ah, the library was published by @apupier somehow manually (see https://issues.apache.org/jira/browse/XERCESJ-1724)
It is sad Xerces PMC does not publish jars to repository.apache.org :-/

On the other hand, the file at Central is the same as the one in the official release:

$ openssl dgst -sha512 Xerces-J-bin.2.12.1.zip
SHA512(Xerces-J-bin.2.12.1.zip)= 318222b084e2882b16d230a70d0811882d2e46b0e63e8262098e952d25c9caebf32b40c0d0a1ed68a787f6dd017b5a4fa805c00889429115462dfb2e268a8b28

# jar from the official release
$ openssl dgst -sha512 xercesImpl.jar
SHA512(xercesImpl.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957

# jar from OSSRH
$ openssl dgst -sha512 xercesImpl-2.12.1.jar
SHA512(xercesImpl-2.12.1.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957

So I agree we should use SHA512, and we should use SHA512 for all other xerces jars.

@asfgit asfgit closed this in 3e0a9aa Feb 11, 2021
@FSchumacher
Copy link
Contributor

FSchumacher commented Feb 11, 2021

Thanks for the PR. A version using the SHA512 checksums has been committed to trunk. It would be great, if you could test next build from trunk or nightly.

@sseide sseide deleted the fix-xercesimpl branch March 5, 2021 14:16
kkalinin pushed a commit to kkalinin/jmeter that referenced this pull request Mar 11, 2021
@FSchumacher @kkalinin
Updated xercesImpl to 2.12.1 (from 2.12.0)
6cc068e 
Based on patch by Stefan Seide (stefan at trilobyte-se.de)

Closes apache#641
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sseide @FSchumacher @vlsi