Update to upstream version 1.11.0

2025-07-16 20:47:06 +02:00 · 2025-07-16 20:47:06 +02:00 · 8fc9de4aa2
commit 8fc9de4aa2
parent cfa03076a3
4 changed files with 3 additions and 70 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@
 /commons-beanutils-1.9.2-src.tar.gz
 /commons-beanutils-1.9.3-src.tar.gz
 /commons-beanutils-1.9.4-src.tar.gz
+/commons-beanutils-1.11.0-src.tar.gz
--- a/0001-Fix-CVE-2025-48734.patch
+++ b/0001-Fix-CVE-2025-48734.patch
@ -1,66 +0,0 @@
-From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001
-From: Gary Gregory <garydgregory@gmail.com>
-Date: Sun, 25 May 2025 09:07:32 -0400
-Subject: [PATCH] Fix CVE-2025-48734
-
-Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
---
- .../apache/commons/beanutils/PropertyUtilsBean.java   |  1 +
- .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
- .../org/apache/commons/beanutils/package-info.java    |  6 ++++++
- 3 files changed, 18 insertions(+)
-
-diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
-index 36eb7f57..04d99576 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
-+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
-@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
-         introspectors.clear();
-         introspectors.add(DefaultBeanIntrospector.INSTANCE);
-         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
-+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
-     }
- 
-     /**
-diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
-index bd6b2cdc..cff34969 100644
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
-+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
-@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
-     public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
-             new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
- 
-+    /**
-+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
-+     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
-+     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
-+     * accessed.
-+     *
-+     * @since 1.11.0
-+     */
-+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
-+            Collections.singleton("declaringClass"));
-+
-     /** A set with the names of the properties to be suppressed. */
-     private final Set<String> propertyNames;
- 
-diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
-index 3cb9d34c..ac8d2a1f 100644
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
-+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
-@@ -444,6 +444,12 @@
-  * <code>SUPPRESS_CLASS</code> constant of
-  * <code>SuppressPropertiesBeanIntrospector</code>.</p>
-  *
-+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
-+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
-+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
-+ *
-+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
-+ *
-  * <a name="dynamic"></a>
-  * <h1>3. Dynamic Beans (DynaBeans)</h1>
-  *
-- 
-2.49.0
-
--- a/apache-commons-beanutils.spec
+++ b/apache-commons-beanutils.spec
@ -1,7 +1,7 @@
 %bcond_with bootstrap

 Name:           apache-commons-beanutils
-Version:        1.9.4
+Version:        1.11.0
 Release:        %autorelease
 Summary:        Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
 License:        Apache-2.0
@ -11,8 +11,6 @@ ExclusiveArch:  %{java_arches} noarch

 Source0:        http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz

-Patch:          0001-Fix-CVE-2025-48734.patch
-
 %if %{with bootstrap}
 BuildRequires:  javapackages-bootstrap
 %else
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (commons-beanutils-1.9.4-src.tar.gz) = 6f3d30d02b9a66cf20509bd868c6e2dadb44bb27da1e6b9af7275675e0f3826845a5d4005509dd1eb77a5b2937820c4770a3753daaab072785dcdab0caa69e73
+SHA512 (commons-beanutils-1.11.0-src.tar.gz) = edd930e7f8118d0cceb8647666fe1d5f873f939f858f433cd19985a75c4575455f2a2d339e4bcbf08b3f586c785a60429d4bb33ff6239da8f2c6183c8c318f18