[
https://issues.jboss.org/browse/JBDS-3562?page=com.atlassian.jira.plugin....
]
Martin Malina commented on JBDS-3562:
-------------------------------------
Thanks for the details, Nick.
I compared jboss-devstudio-9.0.0.GA-installer-eap.jar and
jboss-devstudio-9.0.0.GA-CVE-2015-7501-installer-eap.jar and found this:
1. Different version of Google.gson - I'm fine with your explanation above.
2. Tons of changes in html pages inside
org.eclipse.wst.jsdt.doc_1.4.101.v201507140011.jar
One example:
{code}
diff -r 1/reference/api/serialized-form.html 2/reference/api/serialized-form.html
5c5
< <!-- Generated by javadoc (1.8.0_51) on Tue Sep 08 03:49:06 EDT 2015 -->
---
<!-- Generated by javadoc (1.8.0_51) on Tue Sep 15 03:05:36 EDT
2015 -->
8c8
< <meta name="date" content="2015-09-08">
---
<meta name="date" content="2015-09-15">
{code}
So it's not exactly the same build of the package, but I'm not really concerned
about that.
3. Differences in EAP
This one is interesting. Of course there is the .overlay dir with the path. But for some
reason the original commons-collections jars have different md5 sum:
{code}
MD5 (commons/commons-collections-3.2.1.redhat-3.jar) = 2d336af47bc6e8b6b35c930143b3b65c
MD5 (commons-cve/commons-collections-3.2.1.redhat-3.jar) = 4e7ee802e16b13d42343cd789c6baaf7
{code}
When I extract them both and then compare again using diff, it is exactly the same. I
don't know why that is. In the past the patch mechanism would cripple the original
jar, but I don't think it does that anymore. Anyway, I'm not worried about this,
because the old jar is not used when the patch is applied.
I smoke tested the new build and didn't see any problems.
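
An added example, not part of the original comment or of any JBDS/EAP tooling: one way to tell whether two jars with different whole-file digests still carry identical entries is to hash each entry's uncompressed bytes. The sample jars are constructed in memory and differ only in entry timestamps, which is one general way archive digests diverge; the page does not say what caused the difference here, and SHA-256 is used in place of MD5.

```python
import hashlib
import io
import zipfile


def build_jar(entries, date_time):
    """Build an in-memory jar (zip) whose entries all carry the given timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def archive_digest(jar_bytes):
    """Digest of the jar file as a whole, zip metadata included."""
    return hashlib.sha256(jar_bytes).hexdigest()


def entry_digests(jar_bytes):
    """Map each entry name to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def compare_jars(a, b):
    """Return (same_archive, added, removed, changed) for two jars."""
    da, db = entry_digests(a), entry_digests(b)
    added = sorted(set(db) - set(da))
    removed = sorted(set(da) - set(db))
    changed = sorted(n for n in set(da) & set(db) if da[n] != db[n])
    return archive_digest(a) == archive_digest(b), added, removed, changed


# Constructed sample entries; not the real commons-collections contents.
SAMPLE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
          "org/example/Demo.class": b"\xca\xfe\xba\xbe constructed bytes"}
JAR_A = build_jar(SAMPLE, (2015, 9, 8, 3, 49, 6))
JAR_B = build_jar(SAMPLE, (2015, 9, 15, 3, 5, 36))   # same bytes, new timestamps
JAR_C = build_jar({**SAMPLE, "org/example/Demo.class": b"tampered"},
                  (2015, 9, 8, 3, 49, 6))            # same timestamps, new bytes

if __name__ == "__main__":
    print(compare_jars(JAR_A, JAR_B))  # archive digests differ, no entry differs
    print(compare_jars(JAR_A, JAR_C))  # one entry reported as changed
```

An empty added/removed/changed result alongside a differing archive digest means the difference lies in zip metadata (timestamps, ordering, compression), not in the shipped classes.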
Prepare for 9.0.1 (9.0.0 with patched EAP 6.4.0 BZ1281963 / CVE-2015-7501)
--------------------------------------------------------------------------
Key: JBDS-3562
URL: https://issues.jboss.org/browse/JBDS-3562
Project: Developer Studio (JBoss Developer Studio)
Issue Type: Bug
Components: build
Affects Versions: 9.0.1.GA
Reporter: Nick Boldt
Assignee: Nick Boldt
Fix For: 9.0.1.GA
Attachments: 900GAvs901GA_B6.p2diff.txt,
JBDS900GA-respin_diffs__EAP640-BZ1281963.png,
JBDS900GA-respin_diffs__google.gson_JBDSTPvsJBDSCentralTP.png,
JBDS900GA-respin_diffs__google.gson_JBDSTPvsJBDSCentralTP_210_refs.png,
JBDS900GA-respin_diffs__google.gson_JBDSTPvsJBDSCentralTP_224_refs.png,
JBDS900GA-respin_diffs__o.e.jst.plugins.manifest.mf.png,
JBDS900GA-respin_diffs__p2director.manifest.mf.png,
JBDS900GA-respin_diffs__plugins_including_gson2.1.0vs.2.2.4.png,
JBDS900GA-respin_diffs__readme.txt.png
Tracker JIRA to house things to do to prepare for 9.0.1 / 9.1.0 branches & builds.
Because JBDS 9.0.0 includes the compromised version of
apache.commons.collections (JBDS-3560, JBDS-3561), we need to at some point respin it,
which will include:
a) updated JBT/JBDS target platforms 4.50.1.* and 4.51.1.*
b) respin of JBDS update sites and installer jars
To that end, I've created the following new branches:
https://github.com/jbosstools/jbosstools-target-platforms/commits/4.50.1.x
https://github.com/jbosstools/jbosstools-target-platforms/commits/4.51.1.x
And I've bumped the version of the target platforms in the 4.50.x and
4.51.x branches to 4.50.2.Beta1-SNAPSHOT and 4.51.2.Beta1-SNAPSHOT,
respectively.
JBDS is now at version 9.1.0 in the 4.3.x branch and 9.0.1 in the
4.3.1.x branch.
https://github.com/jbdevstudio/jbdevstudio-product/commits/jbosstools-4.3...
(new, 9.0.1)
https://github.com/jbdevstudio/jbdevstudio-product/commits/jbosstools-4.3.x
(updated to 9.1.0)
So, now we just need to ensure that the correct BUILD_ALIAS (CR1 for
9.0.1, Beta1 for 9.1.0) and target platforms are used.