Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg
--- a/debian/changelog
+++ b/debian/changelog
+axis (1.4-28) unstable; urgency=medium
+
+  * Fixed the build failure with Java 11 (Closes: #911187)
+  * Fixed CVE-2018-8032: Cross-site scripting (XSS) attack in the default
+    servlet/services (Closes: #905328)
+  * Fixed the generation of the javadoc
+  * Standards-Version updated to 4.2.1
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Mon, 03 Dec 2018 08:25:51 +0100
+
 axis (1.4-27) unstable; urgency=medium

  * Team upload.

--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Build-Depends:
 libservlet3.1-java,
 libwsdl4j-java,
 maven-repo-helper
-Standards-Version: 4.1.4
+Standards-Version: 4.2.1
 Vcs-Git: https://salsa.debian.org/java-team/axis.git
 Vcs-Browser: https://salsa.debian.org/java-team/axis
 Homepage: http://ws.apache.org/axis/

--- a/debian/patches/CVE-2018-8032.patch
+++ b/debian/patches/CVE-2018-8032.patch
+Description: Correctly escape namespace URIs in namespace declarations (CVE-2018-8032)
+Origin: backport, https://svn.apache.org/r1831943
+--- a/src/org/apache/axis/encoding/SerializationContext.java
+++ b/src/org/apache/axis/encoding/SerializationContext.java
+@@ -1176,12 +1176,13 @@
+                         sb.append(':');
+                         sb.append(map.getPrefix());
+                     }
+-                    if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
+                    String qname = sb.toString();
+                    if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
+                         writer.write(' ');
+-                        sb.append("=\"");
+-                        sb.append(map.getNamespaceURI());
+-                        sb.append('"');
+-                        writer.write(sb.toString());
+                        writer.write(qname);
+                        writer.write("=\"");
+                        getEncoder().writeEncoded(writer, map.getNamespaceURI());
+                        writer.write('"');
+                     }
+                 }
+             }
--- a/debian/patches/java11-compatibility.patch
+++ b/debian/patches/java11-compatibility.patch
+Description: Fixes the build failure with Java 11
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: no
+--- a/build.xml
+++ b/build.xml
+@@ -94,6 +94,32 @@
+     </depend>  
+     <javac srcdir="${src.dir}" destdir="${build.dest}"  nowarn="${nowarn}" debug="${debug}"
+       encoding="iso-8859-1"
+      deprecation="${deprecation}"
+      source="${source}"
+      target="${target}"
+      classpathref="classpath">
+      <include name="**/org/apache/axis/Constants.java"/>
+      <include name="**/org/apache/axis/Handler.java"/>
+      <include name="**/org/apache/axis/MessageContext.java"/>
+      <include name="**/org/apache/axis/components.logger.LogFactory.java"/>
+      <include name="**/org/apache/axis/utils.ClassUtils.java"/>
+      <include name="org.apache.axis.AxisFault"/>
+      <include name="org.apache.axis.handlers.soap.SOAPService"/>
+      <include name="org.apache.axis.utils.Messages"/>
+      <bootclasspath refid="boot.classpath"/>
+    </javac>
+    <!-- Compile the CORBA and EJB providers with Java 7 compatibility -->
+    <javac srcdir="${src.dir}" destdir="${build.dest}"  nowarn="${nowarn}" debug="${debug}"
+      encoding="iso-8859-1"
+      deprecation="${deprecation}"
+      release="7"
+      classpathref="classpath">
+      <include name="**/*CORBAProvider.java" />
+      <include name="**/EJBProvider.java" />
+      <bootclasspath refid="boot.classpath"/>
+    </javac>
+    <javac srcdir="${src.dir}" destdir="${build.dest}"  nowarn="${nowarn}" debug="${debug}"
+      encoding="iso-8859-1"
+       deprecation="${deprecation}" 
+       source="${source}"
+       target="${target}"
--- a/debian/patches/java9-compatibility.patch
+++ b/debian/patches/java9-compatibility.patch
@@ -11,6 +11,14 @@ Forwarded: no
       <exclude name="**/old/**/*" />
       <exclude name="**/bak/**"/>
       <exclude name="**/org/apache/axis/components/net/JDK14*.java" unless="jdk14.jsse.present"/>
+@@ -373,6 +374,7 @@
+              source="${source}"
+              bottom="Copyright &#169; ${year} Apache Web Services Project. All Rights Reserved."
+              encoding="iso-8859-1"
+             excludepackagenames="org.apache.axis.enum"
+     />
+   </target>
+ 
 --- a/src/org/apache/axis/types/UnsignedInt.java
 +++ b/src/org/apache/axis/types/UnsignedInt.java
 @@ -25,7 +25,7 @@

--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,5 @@ CVE-2014-3596.patch
 ant-compatibility.patch
 javadoc-encoding.patch
 java9-compatibility.patch
+java11-compatibility.patch
+CVE-2018-8032.patch
--- a/debian/watch
+++ b/debian/watch
 version=3
 opts=uversionmangle=s/_/./ \
-http://archive.apache.org/dist/ws/axis/1_4/ axis-src-(.*).tar.gz 
+https://archive.apache.org/dist/ws/axis/1_4/ axis-src-(.*).tar.gz