[jbosstools-issues] [JBoss JIRA] (JBDS-3562) Prepare for 9.0.1 (9.0.0 with patched EAP 6.4.0 BZ1281963 / CVE-2015-7501)
Martin Malina (JIRA)
issues at jboss.org
Mon Dec 7 08:04:00 EST 2015
[ https://issues.jboss.org/browse/JBDS-3562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13137626#comment-13137626 ]
Martin Malina commented on JBDS-3562:
-------------------------------------
Thanks for the details, Nick.
I compared jboss-devstudio-9.0.0.GA-installer-eap.jar and jboss-devstudio-9.0.0.GA-CVE-2015-7501-installer-eap.jar and found this:
1. Different version of Google.gson - I'm fine with your explanation above.
2. Tons of changes in html pages inside org.eclipse.wst.jsdt.doc_1.4.101.v201507140011.jar
One example:
{code}
diff -r 1/reference/api/serialized-form.html 2/reference/api/serialized-form.html
5c5
< <!-- Generated by javadoc (1.8.0_51) on Tue Sep 08 03:49:06 EDT 2015 -->
---
> <!-- Generated by javadoc (1.8.0_51) on Tue Sep 15 03:05:36 EDT 2015 -->
8c8
< <meta name="date" content="2015-09-08">
---
> <meta name="date" content="2015-09-15">
{code}
So it's not exactly the same build of the package, but I'm not really concerned about that.
3. Differences in EAP
This one is interesting. Of course there is the .overlay dir with the path. But for some reason the original commons-collections jars have different md5 sum:
{code}
MD5 (commons/commons-collections-3.2.1.redhat-3.jar) = 2d336af47bc6e8b6b35c930143b3b65c
MD5 (commons-cve/commons-collections-3.2.1.redhat-3.jar) = 4e7ee802e16b13d42343cd789c6baaf7
{code}
When I extract them both and then compare again using diff, it is exactly the same. I don't know why that is. In the past the patch mechanism would cripple the original jar, but I don't think it does that anymore. Anyway, I'm not worried about this, because the old jar is not used when the patch is applied.
I smoke tested the new build and didn't see any problems.
> Prepare for 9.0.1 (9.0.0 with patched EAP 6.4.0 BZ1281963 / CVE-2015-7501)
> --------------------------------------------------------------------------
>
> Key: JBDS-3562
> URL: https://issues.jboss.org/browse/JBDS-3562
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Bug
> Components: build
> Affects Versions: 9.0.1.GA
> Reporter: Nick Boldt
> Assignee: Nick Boldt
> Fix For: 9.0.1.GA
>
> Attachments: 900GAvs901GA_B6.p2diff.txt, JBDS900GA-respin_diffs__EAP640-BZ1281963.png, JBDS900GA-respin_diffs__google.gson_JBDSTPvsJBDSCentralTP.png, JBDS900GA-respin_diffs__google.gson_JBDSTPvsJBDSCentralTP_210_refs.png, JBDS900GA-respin_diffs__google.gson_JBDSTPvsJBDSCentralTP_224_refs.png, JBDS900GA-respin_diffs__o.e.jst.plugins.manifest.mf.png, JBDS900GA-respin_diffs__p2director.manifest.mf.png, JBDS900GA-respin_diffs__plugins_including_gson2.1.0vs.2.2.4.png, JBDS900GA-respin_diffs__readme.txt.png
>
>
> Tracker JIRA to house things to do to prepare for 9.0.1 / 9.1.0 branches & builds.
> Because JBDS 9.0.0 includes the compromised version of
> apache.commons.collections (JBDS-3560, JBDS-3561), we need to at some point respin it, which
> will include:
> a) updated JBT/JBDS target platforms 4.50.1.* and 4.51.1.*
> b) respin of JBDS update sites and installer jars
> To that end, I've created the following new branches:
> https://github.com/jbosstools/jbosstools-target-platforms/commits/4.50.1.x
> https://github.com/jbosstools/jbosstools-target-platforms/commits/4.51.1.x
> And I've bumped the version of the target platforms in the 4.50.x and
> 4.51.x branches to 4.50.2.Beta1-SNAPSHOT and 4.51.2.Beta1-SNAPSHOT,
> respectively.
> JBDS is now at version 9.1.0 in the 4.3.x branch and 9.0.1 in the
> 4.3.1.x branch.
> https://github.com/jbdevstudio/jbdevstudio-product/commits/jbosstools-4.3.1.x
> (new, 9.0.1)
> https://github.com/jbdevstudio/jbdevstudio-product/commits/jbosstools-4.3.x
> (updated to 9.1.0)
> So, now we just need to ensure that the correct BUILD_ALIAS (CR1 for
> 9.0.1, Beta1 for 9.1.0) and target platforms are used.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
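The jar comparison Martin describes above (different MD5 sums, identical contents after extraction) can be automated by hashing each zip member instead of the archive bytes. This is an added example, not code from the JIRA thread or from JBoss Developer Studio; the two jars it compares are constructed in memory with the same members but different entry timestamps and ordering, which is enough to change the archive-level hash.

```python
"""Compare two jar/zip files by member content rather than by archive bytes."""
import hashlib
import io
import zipfile


def member_digests(data: bytes) -> dict:
    """Map each member name to (sha256 of contents, entry timestamp, compress type)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            out[info.filename] = (digest, info.date_time, info.compress_type)
    return out


def compare_jars(a: bytes, b: bytes) -> dict:
    """Report whether the archives match byte-for-byte, whether their member
    contents match, and which members differ only in zip metadata."""
    da, db = member_digests(a), member_digests(b)
    common = da.keys() & db.keys()
    only_a = sorted(da.keys() - db.keys())
    only_b = sorted(db.keys() - da.keys())
    content_diff = sorted(n for n in common if da[n][0] != db[n][0])
    meta_diff = sorted(n for n in common
                       if da[n][0] == db[n][0] and da[n][1:] != db[n][1:])
    return {
        "archive_md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "contents_equal": not (only_a or only_b or content_diff),
        "only_in_a": only_a,
        "only_in_b": only_b,
        "content_differs": content_diff,
        "metadata_only_differs": meta_diff,
    }


def build_jar(members, date_time) -> bytes:
    """Constructed sample jar: write (name, bytes) members with one fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members:
            zf.writestr(zipfile.ZipInfo(name, date_time), payload, zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed members; the class bytes are placeholders, not real bytecode.
MEMBERS = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
           ("org/apache/commons/collections/Example.class", b"\xca\xfe\xba\xbe-placeholder")]
JAR_A = build_jar(MEMBERS, (2015, 9, 8, 3, 49, 6))            # same content, Sep 8 timestamps
JAR_B = build_jar(list(reversed(MEMBERS)), (2015, 9, 15, 3, 5, 36))  # reordered, Sep 15
JAR_C = build_jar([MEMBERS[0], (MEMBERS[1][0], b"changed")], (2015, 9, 15, 3, 5, 36))
```

`compare_jars(JAR_A, JAR_B)` reports unequal archive hashes but equal contents with both members listed under `metadata_only_differs`, while `compare_jars(JAR_A, JAR_C)` flags the class file under `content_differs`.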