November 2015 - jbosstools-issues

[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ] Nick Boldt updated JBDS-3560: ----------------------------- Attachment: orbit.R20150519210750_vs_I20151117200049.log.txt orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt p2diff reports comparing Orbit R20150519210750 (currently used in 4.5x.x and 4.60.x TPs) vs I20151117200049: [^orbit.R20150519210750_vs_I20151117200049.log.txt] [^orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt] > Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580) > ------------------------------------------------------------------------- > > Key: JBDS-3560 > URL: https://issues.jboss.org/browse/JBDS-3560 > Project: Developer Studio (JBoss Developer Studio) > Issue Type: Bug > Components: upstream > Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1 > Reporter: Nick Boldt > Assignee: Max Rydahl Andersen > Fix For: 9.1.0.Beta1, 10.0.0.Alpha1 > > Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt > > > This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580 > Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBIDE-21030) Use newer Easymport (update Neon TP)

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBIDE-21030?page=com.atlassian.jira.plugi... ] Nick Boldt edited comment on JBIDE-21030 at 11/18/15 2:36 PM: -------------------------------------------------------------- See JBIDE-21029, we also want to take newer easymport on 4.4.x was (Author: mickael_istria): See JBIDE-21030, we also want to take newer easymport on 4.4.x > Use newer Easymport (update Neon TP) > ------------------------------------ > > Key: JBIDE-21030 > URL: https://issues.jboss.org/browse/JBIDE-21030 > Project: Tools (JBoss Tools) > Issue Type: Enhancement > Components: easymport, target-platform > Affects Versions: 4.4.0.Alpha1 > Reporter: Mickael Istria > Assignee: Mickael Istria > Fix For: 4.4.0.Alpha1 > > > Newer builds of Easymport framework contain important changes that fixes issues reported against 4.3.0.Final > *Reason:* Use new features and fixes (allowing preview of import plan) > *Project page/sources:* https://wiki.eclipse.org/E4/UI/Smart_Import > *Version:* 0.2.0 > *License and owner:* EPL, Red Hat Inc. > *Original p2 repo:* http://download.eclipse.org/e4/snapshots/org.eclipse.e4.ui/ > *JBoss mirror:* http://download.jboss.org/jbosstools/updates/requirements/e4.ui/0.2.0.v20... > *Include Sources:* Yes > *Affected JBoss Tools components:* jbosstools-playground > *Include in JBDS:* Yes > *Type of dependency:* distribution > *List of bundles added/removed:* > {code} > suggested diff on the .target files > {code} -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBIDE-21029) Use newer Easymport (update Mars TP)

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBIDE-21029?page=com.atlassian.jira.plugi... ] Nick Boldt updated JBIDE-21029: ------------------------------- Fix Version/s: (was: 4.4.0.Alpha1) > Use newer Easymport (update Mars TP) > ------------------------------------ > > Key: JBIDE-21029 > URL: https://issues.jboss.org/browse/JBIDE-21029 > Project: Tools (JBoss Tools) > Issue Type: Enhancement > Components: easymport, target-platform > Affects Versions: 4.3.1.Beta1 > Reporter: Mickael Istria > Assignee: Mickael Istria > Fix For: 4.3.1.Beta1 > > > Newer builds of Easymport framework contain important changes that fixes issues reported against 4.3.0.Final > *Reason:* Use new features and fixes (allowing preview of import plan) > *Project page/sources:* https://wiki.eclipse.org/E4/UI/Smart_Import > *Version:* 0.2.0 > *License and owner:* EPL, Red Hat Inc. > *Original p2 repo:* http://download.eclipse.org/e4/snapshots/org.eclipse.e4.ui/ > *JBoss mirror:* http://download.jboss.org/jbosstools/updates/requirements/e4.ui/0.2.0.v20... > *Include Sources:* Yes > *Affected JBoss Tools components:* jbosstools-playground > *Include in JBDS:* Yes > *Type of dependency:* distribution > *List of bundles added/removed:* > {code} > suggested diff on the .target files > {code} -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ] Nick Boldt commented on JBDS-3560: ---------------------------------- Here's the new jar: http://download.eclipse.org/tools/orbit/downloads/drops/I20151117200049/r... and the old one: http://download.jboss.org/jbosstools/updates/requirements/orbit/R20150519... or their sources: http://download.jboss.org/jbosstools/updates/requirements/orbit/R20150519... http://download.eclipse.org/tools/orbit/downloads/drops/I20151117200049/r... New Orbit mirror: http://download.jboss.org/jbosstools/updates/requirements/orbit/I20151117... > Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580) > ------------------------------------------------------------------------- > > Key: JBDS-3560 > URL: https://issues.jboss.org/browse/JBDS-3560 > Project: Developer Studio (JBoss Developer Studio) > Issue Type: Bug > Components: upstream > Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1 > Reporter: Nick Boldt > Assignee: Max Rydahl Andersen > Fix For: 9.1.0.Beta1, 10.0.0.Alpha1 > > Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png > > > This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580 > Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

by Rob Stryker (JIRA)

[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ] Rob Stryker commented on JBDS-3560: ----------------------------------- https://bugs.eclipse.org/bugs/show_bug.cgi?id=482134 bug tracking dali's possible exploit > Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580) > ------------------------------------------------------------------------- > > Key: JBDS-3560 > URL: https://issues.jboss.org/browse/JBDS-3560 > Project: Developer Studio (JBoss Developer Studio) > Issue Type: Bug > Components: upstream > Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1 > Reporter: Nick Boldt > Assignee: Max Rydahl Andersen > Fix For: 9.1.0.Beta1, 10.0.0.Alpha1 > > Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png > > > This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580 > Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBIDE-21012) Why do we deploy JBT components to Nexus snapshots repo?

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBIDE-21012?page=com.atlassian.jira.plugi... ] Nick Boldt commented on JBIDE-21012: ------------------------------------ Decision on today's call: due to the flaw exposed by Denis' analysis above, we cannot safely use Nexus for deployment of CI builds of JBT components; exceptions continue to be ONLY these two: * JBoss Locus update site zip (doesn't use parent pom; changes infrequently) * Browsersim Standalone zip (isn't an update site; has no downstream deps) So, I will submit a PR to get the automated deployment of the JBT update sites to Nexus disabled in 4.3/9.1 and 4.4/10.0. > Why do we deploy JBT components to Nexus snapshots repo? > -------------------------------------------------------- > > Key: JBIDE-21012 > URL: https://issues.jboss.org/browse/JBIDE-21012 > Project: Tools (JBoss Tools) > Issue Type: Bug > Components: build, updatesite > Affects Versions: 4.3.0.Final, 4.4.0.Alpha1 > Reporter: Nick Boldt > Assignee: Nick Boldt > Fix For: 4.3.1.Beta1, 4.4.0.Alpha1 > > > Currently, we deploy our x.y.z-SNAPSHOT update sites to the JBoss Nexus snapshots repo. > But other than Locus and the Browsersim Standalone zip, we don't ever use these artifacts, so they just: > * eat disk space in Nexus > * consume time/resources in Jenkins > Since we have the custom profile deploy-to-jboss.org in place for all our artifacts, why don't we set *maven.deploy.skip=true* in the parent pom for all the projects (except of course Locus and Browsersim Standalone, which would use maven.deploy.skip=false) ? -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBIDE-21029) Use newer Easymport (update Mars TP)

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBIDE-21029?page=com.atlassian.jira.plugi... ] Nick Boldt updated JBIDE-21029: ------------------------------- Fix Version/s: 4.4.0.Alpha1 > Use newer Easymport (update Mars TP) > ------------------------------------ > > Key: JBIDE-21029 > URL: https://issues.jboss.org/browse/JBIDE-21029 > Project: Tools (JBoss Tools) > Issue Type: Enhancement > Components: easymport, target-platform > Affects Versions: 4.3.1.Beta1 > Reporter: Mickael Istria > Assignee: Mickael Istria > Fix For: 4.3.1.Beta1, 4.4.0.Alpha1 > > > Newer builds of Easymport framework contain important changes that fixes issues reported against 4.3.0.Final > *Reason:* Use new features and fixes (allowing preview of import plan) > *Project page/sources:* https://wiki.eclipse.org/E4/UI/Smart_Import > *Version:* 0.2.0 > *License and owner:* EPL, Red Hat Inc. > *Original p2 repo:* http://download.eclipse.org/e4/snapshots/org.eclipse.e4.ui/ > *JBoss mirror:* http://download.jboss.org/jbosstools/updates/requirements/e4.ui/0.2.0.v20... > *Include Sources:* Yes > *Affected JBoss Tools components:* jbosstools-playground > *Include in JBDS:* Yes > *Type of dependency:* distribution > *List of bundles added/removed:* > {code} > suggested diff on the .target files > {code} -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

by Nick Boldt (JIRA)

[ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.... ] Nick Boldt updated JBDS-3560: ----------------------------- Fix Version/s: 9.1.0.Beta1 10.0.0.Alpha1 > Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580) > ------------------------------------------------------------------------- > > Key: JBDS-3560 > URL: https://issues.jboss.org/browse/JBDS-3560 > Project: Developer Studio (JBoss Developer Studio) > Issue Type: Bug > Components: upstream > Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1 > Reporter: Nick Boldt > Assignee: Max Rydahl Andersen > Fix For: 9.1.0.Beta1, 10.0.0.Alpha1 > > Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png > > > This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580 > Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBIDE-21029) Use newer Easymport (update Mars TP)

by Mickael Istria (JIRA)

[ https://issues.jboss.org/browse/JBIDE-21029?page=com.atlassian.jira.plugi... ] Mickael Istria commented on JBIDE-21029: ---------------------------------------- TP to consume new update: https://github.com/jbosstools/jbosstools-target-platforms/pull/176 CC [~nickboldt] > Use newer Easymport (update Mars TP) > ------------------------------------ > > Key: JBIDE-21029 > URL: https://issues.jboss.org/browse/JBIDE-21029 > Project: Tools (JBoss Tools) > Issue Type: Enhancement > Components: easymport, target-platform > Affects Versions: 4.3.1.Beta1 > Reporter: Mickael Istria > Assignee: Mickael Istria > Fix For: 4.3.1.Beta1 > > > Newer builds of Easymport framework contain important changes that fixes issues reported against 4.3.0.Final > *Reason:* Use new features and fixes (allowing preview of import plan) > *Project page/sources:* https://wiki.eclipse.org/E4/UI/Smart_Import > *Version:* 0.2.0 > *License and owner:* EPL, Red Hat Inc. > *Original p2 repo:* http://download.eclipse.org/e4/snapshots/org.eclipse.e4.ui/ > *JBoss mirror:* http://download.jboss.org/jbosstools/updates/requirements/e4.ui/0.2.0.v20... > *Include Sources:* Yes > *Affected JBoss Tools components:* jbosstools-playground > *Include in JBDS:* Yes > *Type of dependency:* distribution > *List of bundles added/removed:* > {code} > suggested diff on the .target files > {code} -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JBIDE-21029) Use newer Easymport (update Mars TP)

by Mickael Istria (JIRA)

[ https://issues.jboss.org/browse/JBIDE-21029?page=com.atlassian.jira.plugi... ] Mickael Istria updated JBIDE-21029: ----------------------------------- Git Pull Request: https://github.com/jbosstools/jbosstools-target-platforms/pull/170, https://github.com/jbosstools/jbosstools-target-platforms/pull/176 (was: https://github.com/jbosstools/jbosstools-target-platforms/pull/170) > Use newer Easymport (update Mars TP) > ------------------------------------ > > Key: JBIDE-21029 > URL: https://issues.jboss.org/browse/JBIDE-21029 > Project: Tools (JBoss Tools) > Issue Type: Enhancement > Components: easymport, target-platform > Affects Versions: 4.3.1.Beta1 > Reporter: Mickael Istria > Assignee: Mickael Istria > Fix For: 4.3.1.Beta1 > > > Newer builds of Easymport framework contain important changes that fixes issues reported against 4.3.0.Final > *Reason:* Use new features and fixes (allowing preview of import plan) > *Project page/sources:* https://wiki.eclipse.org/E4/UI/Smart_Import > *Version:* 0.2.0 > *License and owner:* EPL, Red Hat Inc. > *Original p2 repo:* http://download.eclipse.org/e4/snapshots/org.eclipse.e4.ui/ > *JBoss mirror:* http://download.jboss.org/jbosstools/updates/requirements/e4.ui/0.2.0.v20... > *Include Sources:* Yes > *Affected JBoss Tools components:* jbosstools-playground > *Include in JBDS:* Yes > *Type of dependency:* distribution > *List of bundles added/removed:* > {code} > suggested diff on the .target files > {code} -- This message was sent by Atlassian JIRA (v6.4.11#64026)

10 years, 4 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jbosstools-issues November 2015