[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt edited comment on JBDS-3560 at 11/18/15 3:07 PM:
------------------------------------------------------------
PR for 4.60.x branch: https://github.com/jbosstools/jbosstools-target-platforms/pull/177
PR for 4.51.x branch: https://github.com/jbosstools/jbosstools-target-platforms/pull/178
PR for 4.50.x branch: https://github.com/jbosstools/jbosstools-target-platforms/pull/179
was (Author: nickboldt):
PR for 4.60.x branch: https://github.com/jbosstools/jbosstools-target-platforms/pull/177
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt updated JBDS-3560:
-----------------------------
Git Pull Request: https://github.com/jbosstools/jbosstools-target-platforms/pull/177, https://github.com/jbosstools/jbosstools-target-platforms/pull/178, https://github.com/jbosstools/jbosstools-target-platforms/pull/179 (was: https://github.com/jbosstools/jbosstools-target-platforms/pull/177)
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
[JBoss JIRA] (JBIDE-21105) Remove BIRT?
by Alexey Kazakov (JIRA)
[ https://issues.jboss.org/browse/JBIDE-21105?page=com.atlassian.jira.plugi... ]
Alexey Kazakov commented on JBIDE-21105:
----------------------------------------
If it depends on 9.2.9 or higher then it will compile. But will it work with 9.3.*?
> Remove BIRT?
> ------------
>
> Key: JBIDE-21105
> URL: https://issues.jboss.org/browse/JBIDE-21105
> Project: Tools (JBoss Tools)
> Issue Type: Sub-task
> Components: birt, target-platform
> Affects Versions: 4.4.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Nick Boldt
> Fix For: 4.4.0.Alpha1
>
> Attachments: birt-4.5-vs-mars-interim.txt, birt-4.5-vs-mars-interim_summary.txt, birt-depends-on-jetty-deploy-929.png, birt-depends-on-jetty-osgi-boot-929.png, eclipse-after-birt.png
>
>
> {quote}
> (2015-11-17 11:42:50) kmarmaliykov: nickboldt: I look into neon M3 and see that there is no jetty 9.2.9 there
> (2015-11-17 11:43:18) nickboldt: kmarmaliykov: yes, 9.2.9 is from Birt site
> (2015-11-17 11:43:21) nickboldt: because Birt needs it
> (2015-11-17 11:43:33) nickboldt: but there's no Birt for Neon yet so we have to include the Birt for Mars
> (2015-11-17 11:43:37) maxandersen: nickboldt: akazakov: are you talking about having birt in Neon ?
> (2015-11-17 11:43:44) maxandersen: afaik birt is dead.
> (2015-11-17 11:43:53) maxandersen: won't participate in neon release afaik.
> (2015-11-17 11:43:56) nickboldt: maxandersen: so we should remove birt from JBT 4.4?
> (2015-11-17 11:44:24) maxandersen: well, check first if birt is actually in neon. if it is not the decision is very easy.
> (2015-11-17 11:44:38) akazakov: +1
> (2015-11-17 11:45:36) maxandersen: if it is in, then lets talk options. but if birt requires us to jump through too many hoops its not worth keeping it in.
> (2015-11-17 11:45:55) nickboldt: birt 4.5.0.v201506092134 is in Neon from 201511131000 (M3) - http://download.eclipse.org/releases/neon/201511131000/
> (2015-11-17 11:47:08) nickboldt: and there's a newer birt 4.5.0.v201510231925 (same major.minor.service, newer datestamp) in http://download.eclipse.org/birt/update-site/mars-interim/
> {quote}
> So, yesterday as part of updates for JBIDE-20976, I pulled a new BIRT mirror here:
> http://download.jboss.org/jbosstools/updates/requirements/birt/4.5.0.v201...
> But we could also just use the old one from Mars.0:
> http://download.jboss.org/jbosstools/updates/requirements/birt/4.5.0.v201...
> Or we could remove support for BIRT and its webtools / charting integration entirely from JBT 4.4.0.Alpha1, since as Max says BIRT is at EOL.
> *DISCUSS*.
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt updated JBDS-3560:
-----------------------------
Git Pull Request: https://github.com/jbosstools/jbosstools-target-platforms/pull/177
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt updated JBDS-3560:
-----------------------------
Status: New (was: New)
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by CDW Engine (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
CDW Engine updated JBDS-3560:
-----------------------------
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt updated JBDS-3560:
-----------------------------
Status: New (was: New)
Target Release: 10.0.0.GA
PR: https://github.com/jbosstools/jbosstools-target-platforms/pull/177
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt edited comment on JBDS-3560 at 11/18/15 3:02 PM:
------------------------------------------------------------
PR for 4.60.x branch: https://github.com/jbosstools/jbosstools-target-platforms/pull/177
was (Author: nickboldt):
PR: https://github.com/jbosstools/jbosstools-target-platforms/pull/177
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
[JBoss JIRA] (JBIDE-21105) Remove BIRT?
by Snjezana Peco (JIRA)
[ https://issues.jboss.org/browse/JBIDE-21105?page=com.atlassian.jira.plugi... ]
Snjezana Peco commented on JBIDE-21105:
---------------------------------------
Birt requires Jetty >= 2.9.2.
> Remove BIRT?
> ------------
>
> Key: JBIDE-21105
> URL: https://issues.jboss.org/browse/JBIDE-21105
> Project: Tools (JBoss Tools)
> Issue Type: Sub-task
> Components: birt, target-platform
> Affects Versions: 4.4.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Nick Boldt
> Fix For: 4.4.0.Alpha1
>
> Attachments: birt-4.5-vs-mars-interim.txt, birt-4.5-vs-mars-interim_summary.txt, birt-depends-on-jetty-deploy-929.png, birt-depends-on-jetty-osgi-boot-929.png, eclipse-after-birt.png
>
>
> {quote}
> (2015-11-17 11:42:50) kmarmaliykov: nickboldt: I look into neon M3 and see that there is no jetty 9.2.9 there
> (2015-11-17 11:43:18) nickboldt: kmarmaliykov: yes, 9.2.9 is from Birt site
> (2015-11-17 11:43:21) nickboldt: because Birt needs it
> (2015-11-17 11:43:33) nickboldt: but there's no Birt for Neon yet so we have to include the Birt for Mars
> (2015-11-17 11:43:37) maxandersen: nickboldt: akazakov: are you talking about having birt in Neon ?
> (2015-11-17 11:43:44) maxandersen: afaik birt is dead.
> (2015-11-17 11:43:53) maxandersen: won't participate in neon release afaik.
> (2015-11-17 11:43:56) nickboldt: maxandersen: so we should remove birt from JBT 4.4?
> (2015-11-17 11:44:24) maxandersen: well, check first if birt is actually in neon. if it is not the decision is very easy.
> (2015-11-17 11:44:38) akazakov: +1
> (2015-11-17 11:45:36) maxandersen: if it is in, then lets talk options. but if birt requires us to jump through too many hoops its not worth keeping it in.
> (2015-11-17 11:45:55) nickboldt: birt 4.5.0.v201506092134 is in Neon from 201511131000 (M3) - http://download.eclipse.org/releases/neon/201511131000/
> (2015-11-17 11:47:08) nickboldt: and there's a newer birt 4.5.0.v201510231925 (same major.minor.service, newer datestamp) in http://download.eclipse.org/birt/update-site/mars-interim/
> {quote}
> So, yesterday as part of updates for JBIDE-20976, I pulled a new BIRT mirror here:
> http://download.jboss.org/jbosstools/updates/requirements/birt/4.5.0.v201...
> But we could also just use the old one from Mars.0:
> http://download.jboss.org/jbosstools/updates/requirements/birt/4.5.0.v201...
> Or we could remove support for BIRT and its webtools / charting integration entirely from JBT 4.4.0.Alpha1, since as Max says BIRT is at EOL.
> *DISCUSS*.
[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
by Nick Boldt (JIRA)
[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ]
Nick Boldt edited comment on JBDS-3560 at 11/18/15 2:53 PM:
------------------------------------------------------------
p2diff reports comparing Orbit R20150519210750 (currently used in 4.5x.x and 4.60.x TPs) vs I20151117200049:
{code}p2diff http://download.jboss.org/jbosstools/updates/requirements/orbit/R20150519... http://download.jboss.org/jbosstools/updates/requirements/orbit/I20151117... | tee orbit.R20150519210750_vs_I20151117200049.log.txt{code}
[^orbit.R20150519210750_vs_I20151117200049.log.txt]
{code}p2diff -onlylatest http://download.jboss.org/jbosstools/updates/requirements/orbit/R20150519... http://download.jboss.org/jbosstools/updates/requirements/orbit/I20151117... | tee orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt{code}
[^orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt]
was (Author: nickboldt):
p2diff reports comparing Orbit R20150519210750 (currently used in 4.5x.x and 4.60.x TPs) vs I20151117200049:
[^orbit.R20150519210750_vs_I20151117200049.log.txt]
[^orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt]
> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
> Key: JBDS-3560
> URL: https://issues.jboss.org/browse/JBDS-3560
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: upstream
> Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
> Reporter: Nick Boldt
> Assignee: Max Rydahl Andersen
> Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
> Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
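A check for the condition JBDS-3560 describes, as an added example that is not part of the original messages or of the JBoss Tools code: it flags `org.apache.commons.collections` 3.x bundles below 3.2.2 in an Eclipse-style `plugins` directory. The 3.2.2 threshold (the upstream 3.x release that addressed COLLECTIONS-580), the `PLUGINS_DIR` variable and the function names are assumptions not taken from the page.

```shell
#!/bin/sh
# Added example: inventory Apache Commons Collections 3.x OSGi bundles.
# Assumption (not from the page): 3.2.2 is the first 3.x release with the
# COLLECTIONS-580 change; bundles are named <symbolic-name>_<version>[.jar].

# classify_bundle PATH -> prints affected | fixed | unparsed | other
classify_bundle() {
    name=${1##*/}        # drop any directory part
    name=${name%.jar}    # bundles may be jars or unpacked directories
    case "$name" in
        org.apache.commons.collections_[0-9]*) ;;
        *) echo other; return 0 ;;   # e.g. collections4, source bundles
    esac
    ver=${name#org.apache.commons.collections_}
    # OSGi version layout: major.minor.micro[.qualifier]
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}
    case "$major$minor$micro" in
        *[!0-9]*) echo unparsed; return 0 ;;
    esac
    if [ "$major" -ne 3 ]; then echo other
    elif [ "$minor" -gt 2 ]; then echo fixed
    elif [ "$minor" -lt 2 ]; then echo affected
    elif [ "$micro" -ge 2 ]; then echo fixed
    else echo affected
    fi
}

# scan_plugins DIR -> one "status<TAB>bundle" line per match;
# exit status 1 if any bundle is affected, 0 otherwise.
scan_plugins() {
    dir=$1; found=0
    for entry in "$dir"/org.apache.commons.collections_*; do
        [ -e "$entry" ] || continue
        status=$(classify_bundle "$entry")
        printf '%s\t%s\n' "$status" "${entry##*/}"
        if [ "$status" = affected ]; then found=1; fi
    done
    return "$found"
}

# Hypothetical usage: PLUGINS_DIR=/path/to/install/plugins sh this_script.sh
if [ -n "${PLUGINS_DIR:-}" ]; then
    scan_plugins "$PLUGINS_DIR" || echo "affected bundle(s) present" >&2
fi
```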