From 5e4de27c8e23bf53785f43e8e3cbabd8b9b8e6f8 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Mon, 3 Mar 2025 11:57:13 +0100 Subject: [PATCH 1/9] Remove javadoc subpackage --- apache-commons-beanutils.spec | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/apache-commons-beanutils.spec b/apache-commons-beanutils.spec index 34f48f6..9476470 100644 --- a/apache-commons-beanutils.spec +++ b/apache-commons-beanutils.spec @@ -19,6 +19,8 @@ BuildRequires: mvn(commons-collections:commons-collections) BuildRequires: mvn(commons-logging:commons-logging) BuildRequires: mvn(org.apache.commons:commons-parent:pom:) %endif +# TODO Remove in Fedora 46 +Obsoletes: %{name}-javadoc < 1.9.4-40 %description The scope of this package is to create a package of Java utility methods @@ -26,12 +28,6 @@ for accessing and modifying the properties of arbitrary JavaBeans. No dependencies outside of the JDK are required, so the use of this package is very lightweight. -%package javadoc -Summary: API documentation for %{name} - -%description javadoc -API documentation for %{name}. - %prep %autosetup -p1 -C sed -i 's/\r//' *.txt @@ -45,7 +41,7 @@ sed -i 's/\r//' *.txt %build # Some tests fail in Koji -%mvn_build -f -- -Dcommons.packageId=beanutils +%mvn_build -j -f -- -Dcommons.packageId=beanutils %install %mvn_install @@ -54,8 +50,5 @@ sed -i 's/\r//' *.txt %doc RELEASE-NOTES.txt %license LICENSE.txt NOTICE.txt -%files javadoc -f .mfiles-javadoc -%license LICENSE.txt NOTICE.txt - %changelog %autochangelog From 8c6396f63c1e29340faf13893b0cf3969b4a739d Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Wed, 26 Mar 2025 08:43:18 +0100 Subject: [PATCH 2/9] Switch to javapackages tests from CentOS Stream GitLab --- plans/javapackages.fmf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plans/javapackages.fmf b/plans/javapackages.fmf index 86bfcea..e39d47c 100644 --- a/plans/javapackages.fmf +++ b/plans/javapackages.fmf 
@@ -1,7 +1,7 @@ summary: Run javapackages-specific tests discover: how: fmf - url: https://src.fedoraproject.org/tests/javapackages + url: https://gitlab.com/redhat/centos-stream/tests/javapackages.git ref: f42 execute: how: tmt From e758f7dab24ad0061a0a0c9c8fa2ad6274cb8747 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Thu, 22 May 2025 13:35:31 +0200 Subject: [PATCH 3/9] Switch javapackages test plan to f43 ref --- plans/javapackages.fmf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plans/javapackages.fmf b/plans/javapackages.fmf index e39d47c..ae17c0c 100644 --- a/plans/javapackages.fmf +++ b/plans/javapackages.fmf @@ -2,6 +2,6 @@ summary: Run javapackages-specific tests discover: how: fmf url: https://gitlab.com/redhat/centos-stream/tests/javapackages.git - ref: f42 + ref: f43 execute: how: tmt From d82ea6e799a41ec570f775d98ba8884c0bef34b0 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Fri, 13 Jun 2025 10:19:16 +0200 Subject: [PATCH 4/9] Fix improper access control vulnerability Resolves: CVE-2025-48734 --- 0001-Fix-CVE-2025-48734.patch | 66 +++++++++++++++++++++++++++++++++++ apache-commons-beanutils.spec | 2 ++ 2 files changed, 68 insertions(+) create mode 100644 0001-Fix-CVE-2025-48734.patch diff --git a/0001-Fix-CVE-2025-48734.patch b/0001-Fix-CVE-2025-48734.patch new file mode 100644 index 0000000..f4f5816 --- /dev/null +++ b/0001-Fix-CVE-2025-48734.patch 
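Review bot: The new `url:` points test discovery at a git repository whose `ref: f42` is a branch name, so the tests tmt executes for this package can change without any change to this repo; pinning `ref:` to a commit hash or tag of the gitlab.com javapackages repository would make the plan reproducible and reviewable, and the same applies to the `ref: f43` bump in the following hunk. If tracking the release branch is intended, a one-line comment in the plan saying so, e.g. `# ref tracks the Fedora release branch; bump it when rebasing`, would spare the next reader the question.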
@@ -0,0 +1,66 @@ +From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001 +From: Gary Gregory +Date: Sun, 25 May 2025 09:07:32 -0400 +Subject: [PATCH] Fix CVE-2025-48734 + +Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc +--- + .../apache/commons/beanutils/PropertyUtilsBean.java | 1 + + .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++ + .../org/apache/commons/beanutils/package-info.java | 6 ++++++ + 3 files changed, 18 insertions(+) + +diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java +index 36eb7f57..04d99576 100644 +--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java ++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java +@@ -189,6 +189,7 @@ public class PropertyUtilsBean { + introspectors.clear(); + introspectors.add(DefaultBeanIntrospector.INSTANCE); + introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); ++ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS); + } + + /** +diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java +index bd6b2cdc..cff34969 100644 +--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java ++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java +@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector { + public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = + new SuppressPropertiesBeanIntrospector(Collections.singleton("class")); + ++ /** ++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. 
Unintended access to the call for ++ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this ++ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be ++ * accessed. ++ * ++ * @since 1.11.0 ++ */ ++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector( ++ Collections.singleton("declaringClass")); ++ + /** A set with the names of the properties to be suppressed. */ + private final Set propertyNames; + +diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java +index 3cb9d34c..ac8d2a1f 100644 +--- a/src/main/java/org/apache/commons/beanutils/package-info.java ++++ b/src/main/java/org/apache/commons/beanutils/package-info.java +@@ -444,6 +444,12 @@ + * SUPPRESS_CLASS constant of + * SuppressPropertiesBeanIntrospector.

+ * ++ *

Another problematic property is the {@code enum} "declaredClass" property, ++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector} ++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.

++ * ++ *

Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.

++ * + * + *

3. Dynamic Beans (DynaBeans)

+ * +-- +2.49.0 + diff --git a/apache-commons-beanutils.spec b/apache-commons-beanutils.spec index 9476470..042d66c 100644 --- a/apache-commons-beanutils.spec +++ b/apache-commons-beanutils.spec @@ -11,6 +11,8 @@ ExclusiveArch: %{java_arches} noarch Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz +Patch: 0001-Fix-CVE-2025-48734.patch + %if %{with bootstrap} BuildRequires: javapackages-bootstrap %else From cfa03076a34c048a0dbd03422e7ca90d43a7e939 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Sun, 13 Jul 2025 09:22:51 +0200 Subject: [PATCH 5/9] Build with OpenJDK 25 --- apache-commons-beanutils.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache-commons-beanutils.spec b/apache-commons-beanutils.spec index 042d66c..3bdefa8 100644 --- a/apache-commons-beanutils.spec +++ b/apache-commons-beanutils.spec @@ -16,7 +16,7 @@ Patch: 0001-Fix-CVE-2025-48734.patch %if %{with bootstrap} BuildRequires: javapackages-bootstrap %else -BuildRequires: maven-local +BuildRequires: maven-local-openjdk25 BuildRequires: mvn(commons-collections:commons-collections) BuildRequires: mvn(commons-logging:commons-logging) BuildRequires: mvn(org.apache.commons:commons-parent:pom:) From 8fc9de4aa2aba722e86b86f396b3e125a8b2a5c3 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Wed, 16 Jul 2025 20:47:06 +0200 Subject: [PATCH 6/9] Update to upstream version 1.11.0 --- .gitignore | 1 + 0001-Fix-CVE-2025-48734.patch | 66 ----------------------------------- apache-commons-beanutils.spec | 4 +-- sources | 2 +- 4 files changed, 3 insertions(+), 70 deletions(-) delete mode 100644 0001-Fix-CVE-2025-48734.patch diff --git a/.gitignore b/.gitignore index 805a6ba..ee29c7b 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /commons-beanutils-1.9.2-src.tar.gz /commons-beanutils-1.9.3-src.tar.gz /commons-beanutils-1.9.4-src.tar.gz +/commons-beanutils-1.11.0-src.tar.gz 
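Review bot: The Javadoc added for `SUPPRESS_DECLARING_CLASS` in SuppressPropertiesBeanIntrospector.java is copied from `SUPPRESS_CLASS` and still says the instance suppresses the `class` property, while the constructor argument is `Collections.singleton("declaringClass")`; its first and last sentences should name the property actually suppressed, e.g. `* A specialized instance which is configured to suppress the special {@code declaringClass} property of Java {@code enum} beans.` and `* suppresses the {@code declaringClass} property; it can then no longer be accessed.` The package-info.java hunk carries the matching slip, calling it the `"declaredClass"` property where the code uses `declaringClass`. The backport registers the new introspector as a default in PropertyUtilsBean (the enclosing method is not shown in the excerpt) without any test, and the spec builds with `%mvn_build -f`, so the build does not verify that the suppression takes effect; if the upstream commit named in the patch header includes a regression test, carrying it along in the backport would cover that.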
diff --git a/0001-Fix-CVE-2025-48734.patch b/0001-Fix-CVE-2025-48734.patch deleted file mode 100644 index f4f5816..0000000 --- a/0001-Fix-CVE-2025-48734.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001 -From: Gary Gregory -Date: Sun, 25 May 2025 09:07:32 -0400 -Subject: [PATCH] Fix CVE-2025-48734 - -Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc ---- - .../apache/commons/beanutils/PropertyUtilsBean.java | 1 + - .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++ - .../org/apache/commons/beanutils/package-info.java | 6 ++++++ - 3 files changed, 18 insertions(+) - -diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java -index 36eb7f57..04d99576 100644 ---- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java -+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java -@@ -189,6 +189,7 @@ public class PropertyUtilsBean { - introspectors.clear(); - introspectors.add(DefaultBeanIntrospector.INSTANCE); - introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); -+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS); - } - - /** -diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java -index bd6b2cdc..cff34969 100644 ---- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java -+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java -@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector { - public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = - new SuppressPropertiesBeanIntrospector(Collections.singleton("class")); - -+ /** -+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. 
Unintended access to the call for -+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this -+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be -+ * accessed. -+ * -+ * @since 1.11.0 -+ */ -+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector( -+ Collections.singleton("declaringClass")); -+ - /** A set with the names of the properties to be suppressed. */ - private final Set propertyNames; - -diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java -index 3cb9d34c..ac8d2a1f 100644 ---- a/src/main/java/org/apache/commons/beanutils/package-info.java -+++ b/src/main/java/org/apache/commons/beanutils/package-info.java -@@ -444,6 +444,12 @@ - * SUPPRESS_CLASS constant of - * SuppressPropertiesBeanIntrospector.

- * -+ *

Another problematic property is the {@code enum} "declaredClass" property, -+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector} -+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.

-+ * -+ *

Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.

-+ * - * - *

3. Dynamic Beans (DynaBeans)

- * --- -2.49.0 - diff --git a/apache-commons-beanutils.spec b/apache-commons-beanutils.spec index 3bdefa8..bec5454 100644 --- a/apache-commons-beanutils.spec +++ b/apache-commons-beanutils.spec @@ -1,7 +1,7 @@ %bcond_with bootstrap Name: apache-commons-beanutils -Version: 1.9.4 +Version: 1.11.0 Release: %autorelease Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans License: Apache-2.0 @@ -11,8 +11,6 @@ ExclusiveArch: %{java_arches} noarch Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz -Patch: 0001-Fix-CVE-2025-48734.patch - %if %{with bootstrap} BuildRequires: javapackages-bootstrap %else diff --git a/sources b/sources index bbd675e..3e3bede 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (commons-beanutils-1.9.4-src.tar.gz) = 6f3d30d02b9a66cf20509bd868c6e2dadb44bb27da1e6b9af7275675e0f3826845a5d4005509dd1eb77a5b2937820c4770a3753daaab072785dcdab0caa69e73 +SHA512 (commons-beanutils-1.11.0-src.tar.gz) = edd930e7f8118d0cceb8647666fe1d5f873f939f858f433cd19985a75c4575455f2a2d339e4bcbf08b3f586c785a60429d4bb33ff6239da8f2c6183c8c318f18 From 6703cb136a7cbce59fd64be3bfa27987cda6b770 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 17:05:06 +0000 Subject: [PATCH 7/9] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 92b1573ffb16acf28f8fb650ba5b18bcae703645 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Tue, 29 Jul 2025 19:00:14 +0200 Subject: [PATCH 8/9] Rebuilt for java-25-openjdk as preffered jdk https://fedoraproject.org/wiki/Changes/Java25AndNoMoreSystemJdk Note, that since f43, you should be always explicit on what jdk to use. This commit should do exactly that. From 9e12dfe850fed63563adcbee80695e05548fd4fb Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 16 Jan 2026 03:46:17 +0000 Subject: [PATCH 9/9] Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild