Author: jleroux
Date: Thu Mar 24 12:12:11 2016
New Revision: 1736434
URL:
http://svn.apache.org/viewvc?rev=1736434&view=rev
Log:
Fixes "Update XStream lib to prevent XML External Entity (XXE) Processing" -
https://issues.apache.org/jira/browse/OFBIZ-6959

The XStream team released the 1.4.9 stable version on March 15, 2016.
This version fixes the XML External Entity (XXE) Processing security issue
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

Since OFBiz uses the DomDriver, with Java 6 at least in supported releases, OFBiz seems not really vulnerable
https://x-stream.github.io/faq.html#Security_XXEVulnerability, but better to be safe than sorry, notably for non-OOTB uses...
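The log above relies on the XStream 1.4.9 upgrade (and on the DomDriver's behaviour under Java 6) to close the XXE issue. For readers who want to see what the underlying mitigation looks like in the JAXP parser itself, here is an added example that is not OFBiz or XStream code: a `DocumentBuilderFactory` hardened so that any DOCTYPE declaration is rejected before an entity can be resolved, plus a small check that a plain document still parses while a DOCTYPE-bearing one does not. The class name, the `parses` helper and the two sample documents are constructed for this illustration; the feature URIs are the standard Xerces/JDK ones.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Added example (hypothetical class, not OFBiz or XStream code): a JAXP
// DocumentBuilderFactory configured so that a DOCTYPE declaration, the
// carrier of entity definitions, is rejected outright, and external
// entity/DTD fetching is disabled as a second line of defence.
public final class HardenedDomParser {

    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE, so no entities can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Secondary controls, in case a parser ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns true if the hardened parser accepted the document, false if it rejected it. */
    public static boolean parses(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException rejected) {
            // disallow-doctype-decl surfaces as a SAXParseException at parse time.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an ordinary document and one carrying a DOCTYPE
        // with an (internal, harmless) entity declaration.
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY x \"y\">]><order>&x;</order>";
        System.out.println("plain document accepted:   " + parses(plain));
        System.out.println("DOCTYPE document accepted: " + parses(withDoctype));
    }
}
```

The point of the check is that the DOCTYPE is refused at the parser level regardless of what the entity would have resolved to, which is exactly the property one wants from any XML-backed deserialization path, whether or not the library on top (XStream here) has its own fix.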
Added:
ofbiz/trunk/framework/base/lib/xstream-1.4.9.jar (with props)
Removed:
ofbiz/trunk/framework/base/lib/xstream-1.4.6.jar
Modified:
ofbiz/trunk/.classpath
ofbiz/trunk/LICENSE
Modified: ofbiz/trunk/.classpath
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/.classpath?rev=1736434&r1=1736433&r2=1736434&view=diff
==============================================================================
--- ofbiz/trunk/.classpath (original)
+++ ofbiz/trunk/.classpath Thu Mar 24 12:12:11 2016
@@ -58,7 +58,6 @@
<classpathentry kind="lib" path="framework/base/lib/xml-apis-1.4.01.jar"/>
<classpathentry kind="lib" path="framework/base/lib/xml-apis-ext-1.3.04.jar"/>
<classpathentry kind="lib" path="framework/base/lib/xpp3-1.1.4c.jar"/>
- <classpathentry kind="lib" path="framework/base/lib/xstream-1.4.6.jar"/>
<classpathentry kind="lib" path="framework/base/lib/zxing-core-3.2.0.jar"/>
<classpathentry kind="lib" path="framework/base/lib/ant/ant-1.9.0-ant-apache-bsf.jar"/>
<classpathentry kind="lib" path="framework/base/lib/commons/commons-beanutils-core-1.8.3.jar"/>
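Review bot: the removed xstream-1.4.6 entry sat in the alphabetical run of framework/base/lib entries (between xpp3-1.1.4c.jar and zxing-core-3.2.0.jar), and the replacement entry for xstream-1.4.9 should take that same slot rather than be added elsewhere in the file, so the base/lib group stays sorted and the next version bump is a one-line change. Suggested line in place of the removed one: `<classpathentry kind="lib" path="framework/base/lib/xstream-1.4.9.jar"/>`.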
@@ -203,5 +202,6 @@
<classpathentry kind="lib" path="framework/catalina/lib/tomcat-7.0.68-tomcat-util.jar"/>
<classpathentry kind="lib" path="framework/catalina/lib/tomcat-extras-7.0.68-tomcat-juli-adapters.jar"/>
<classpathentry kind="lib" path="framework/catalina/lib/tomcat-extras-7.0.68-tomcat-juli.jar"/>
+ <classpathentry kind="lib" path="framework/base/lib/xstream-1.4.9.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>
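Review bot: the new xstream-1.4.9 entry is appended after the framework/catalina/lib entries, immediately before the `output` entry, which is out of place for a framework/base/lib jar; move it up into the base/lib block so the file keeps its per-directory ordering. The hunk is otherwise consistent: the headers (-58,7 +58,6 and -203,5 +202,6) reflect one line removed above and one added here.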
Modified: ofbiz/trunk/LICENSE
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/LICENSE?rev=1736434&r1=1736433&r2=1736434&view=diff
==============================================================================
--- ofbiz/trunk/LICENSE (original)
+++ ofbiz/trunk/LICENSE Thu Mar 24 12:12:11 2016
@@ -450,7 +450,7 @@ framework/base/lib/httpunit-1.7.jar
framework/base/lib/ical4j-1.0-rc2.jar
framework/base/lib/javolution-5.4.3.jar
framework/base/lib/xpp3-1.1.4c.jar
-framework/base/lib/xstream-1.4.6.jar
+framework/base/lib/xstream-1.4.9.jar
framework/base/lib/esapi-2.1.0.jar
framework/base/lib/scripting/antlr-2.7.6.jar
framework/base/lib/scripting/asm-3.2.jar
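Review bot: this hunk only renames the jar in the bundled-library list; since only .classpath and LICENSE are modified in this revision, confirm that the XStream license text elsewhere in LICENSE (not shown in this hunk) still matches 1.4.9 and that no other file (build scripts, for example) refers to xstream-1.4.6 by name, otherwise the stale jar reference will only surface at build or runtime.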
Added: ofbiz/trunk/framework/base/lib/xstream-1.4.9.jar
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/xstream-1.4.9.jar?rev=1736434&view=auto
==============================================================================
Binary file - no diff available.
Propchange: ofbiz/trunk/framework/base/lib/xstream-1.4.9.jar
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream