NOTICE.txt

 Apache Commons BeanUtils
-Copyright 2000-2016 The Apache Software Foundation
+Copyright 2000-2019 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).

RELEASE-NOTES.txt

+              Apache Commons BeanUtils 1.9.4
+                  RELEASE NOTES
+
+The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 1.9.4
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
+
+The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with
+BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal
+in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in
+regards to security.
+
+If one would like to opt out of the default behaviour, one could follow the example set out in the
+test class available in src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
+
+Changes in this version include:
+
+Fixed Bugs:
+o BEANUTILS-520:  BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils). Thanks to Melloware.
+
+
+Historical list of changes: https://commons.apache.org/proper/commons-beanutils/changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Apache Commons BeanUtils website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+-----------------------------------------------------------------------------
+
               Apache Commons BeanUtils 1.9.3
                   RELEASE NOTES
 
@@ -285,3 +315,4 @@ The following is a list of the bugs fixed in this release, with their Jira issue
   * [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap which uses WeakHashMap is not thread-safe
   * [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to ResultSetDynaClass and RowSetDynaClass
 
+

build.xml

@@ -19,7 +19,7 @@
 
 <!--
         "Bean Utilities" component of the Apache Commons Subproject
-        $Id: build.xml 1760679 2016-09-14 11:58:06Z stain $
+        $Id$
 -->
 
 

debian/changelog

+commons-beanutils (1.9.4-1) unstable; urgency=medium
+
+  * New upstream release
+    - Fixes CVE-2019-10086: BeanUtils now enables by default the suppression
+      of the class property in bean introspection
+    - Refreshed the patch
+  * Removed Damien Raude-Morvan from the uploaders (Closes: #889459)
+  * Use salsa.debian.org Vcs-* URLs
+  * Standards-Version updated to 4.4.0
+  * Switch to debhelper level 11
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Sat, 17 Aug 2019 02:51:58 +0200
+
 commons-beanutils (1.9.3-1) unstable; urgency=medium
 
   * New upstream release

debian/compat

-9
+11

debian/control

@@ -2,11 +2,13 @@ Source: commons-beanutils
 Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
-Uploaders: Ludovic Claude <ludovic.claude@laposte.net>,
-           Damien Raude-Morvan <drazzib@debian.org>,
+Uploaders:
+ Ludovic Claude <ludovic.claude@laposte.net>,
  Emmanuel Bourg <ebourg@apache.org>
-Build-Depends: debhelper (>= 9), default-jdk, maven-debian-helper (>= 2.0.2~)
-Build-Depends-Indep: default-jdk-doc,
+Build-Depends:
+ debhelper (>= 11),
+ default-jdk,
+ default-jdk-doc,
  junit4,
  libcommons-collections3-java,
  libcommons-collections3-java-doc,
@@ -15,10 +17,11 @@ Build-Depends-Indep: default-jdk-doc,
  libcommons-parent-java (>= 39),
  libmaven-antrun-plugin-java,
  libmaven-bundle-plugin-java,
-                     libmaven-javadoc-plugin-java
-Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/commons-beanutils.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/commons-beanutils.git
+ libmaven-javadoc-plugin-java,
+ maven-debian-helper (>= 2.0.2~)
+Standards-Version: 4.4.0
+Vcs-Git: https://salsa.debian.org/java-team/commons-beanutils.git
+Vcs-Browser: https://salsa.debian.org/java-team/commons-beanutils
 Homepage: http://commons.apache.org/beanutils/
 
 Package: libcommons-beanutils-java

debian/patches/01-disable-beanmaptestcase.patch

@@ -4,7 +4,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/pom.xml
 +++ b/pom.xml
-@@ -329,6 +329,16 @@
+@@ -367,6 +367,16 @@
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>

debian/rules

@@ -5,6 +5,3 @@
 
 override_dh_installchangelogs:
 	dh_installchangelogs RELEASE-NOTES.txt
-
-get-orig-source:
-	uscan --download-current-version --force-download --no-symlink

pom.xml

@@ -19,12 +19,12 @@
   <parent>
     <groupId>org.apache.commons</groupId>
     <artifactId>commons-parent</artifactId>
-    <version>41</version>
+    <version>47</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <groupId>commons-beanutils</groupId>
   <artifactId>commons-beanutils</artifactId>
-  <version>1.9.3</version>
+  <version>1.9.4</version>
   <name>Apache Commons BeanUtils</name>
 
   <inceptionYear>2000</inceptionYear>
@@ -35,12 +35,40 @@
       <maven.compiler.source>1.6</maven.compiler.source>
       <maven.compiler.target>1.6</maven.compiler.target>
       <commons.componentid>beanutils</commons.componentid>
-      <commons.release.version>1.9.3</commons.release.version>
+      <commons.release.version>1.9.4</commons.release.version>
       <commons.jira.id>BEANUTILS</commons.jira.id>
       <commons.jira.pid>12310460</commons.jira.pid>
       <!-- limit memory size see BEANUTILS-291; allow command-line override -->
       <!-- Originally 25M, increased to 50M to get round Continuum CI build failures -->
       <surefire.argLine>-Xmx50M</surefire.argLine>
+
+      <maven.javadoc.failOnError>false</maven.javadoc.failOnError>
+
+      <commons.scmPubUrl>https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-beanutils</commons.scmPubUrl>
+      <commons.scmPubCheckoutDirectory>site-content</commons.scmPubCheckoutDirectory>
+
+      <checkstyle.plugin.version>3.0.0</checkstyle.plugin.version>
+      <checkstyle.version>8.21</checkstyle.version>
+
+      <commons.pmd-plugin.version>3.8</commons.pmd-plugin.version>
+
+      <spotbugs.plugin.version>3.1.10</spotbugs.plugin.version>
+
+      <commons.jacoco.version>0.8.2</commons.jacoco.version>
+
+      <!-- generate report even if there are binary incompatible changes -->
+      <commons.japicmp.breakBuildOnBinaryIncompatibleModifications>false</commons.japicmp.breakBuildOnBinaryIncompatibleModifications>
+      <!-- 0.12.0 dies with a NullPointerException -->
+      <commons.japicmp.version>0.13.0</commons.japicmp.version>
+      <japicmp.skip>false</japicmp.skip>
+
+      <!-- Commons Release Plugin -->
+      <commons.bc.version>1.9.3</commons.bc.version>
+      <commons.rc.version>RC2</commons.rc.version>
+      <commons.release.isDistModule>true</commons.release.isDistModule>
+      <commons.distSvnStagingUrl>scm:svn:https://dist.apache.org/repos/dist/dev/commons/${commons.componentid}</commons.distSvnStagingUrl>
+      <commons.releaseManagerName>Rob Tompkins</commons.releaseManagerName>
+      <commons.releaseManagerKey>B6E73D84EA4FCC47166087253FAAD2CD5ECBB314</commons.releaseManagerKey>
   </properties>
 
 
@@ -195,6 +223,12 @@
       <timezone>+0</timezone>
       <organization>The Apache Software Foundation</organization>
     </developer>
+    <developer>
+      <id>chtompki</id>
+      <name>Rob Tompkins</name>
+      <email>chtompki@apache.org</email>
+      <organization>The Apache Software Foundation</organization>
+    </developer>
   </developers>
 
   <contributors>
@@ -298,6 +332,10 @@
       <name>Bernhard Seebass</name>
       <email />
     </contributor>
+    <contributor>
+      <name>Melloware</name>
+      <email />
+    </contributor>
   </contributors>
 
   <dependencies>
@@ -432,4 +470,48 @@
         </plugins>
     </reporting>
 
+
+    <profiles>
+      <profile>
+        <id>setup-checkout</id>
+        <activation>
+          <file>
+            <missing>site-content</missing>
+          </file>
+        </activation>
+        <build>
+          <plugins>
+            <plugin>
+              <groupId>org.apache.maven.plugins</groupId>
+              <artifactId>maven-antrun-plugin</artifactId>
+              <executions>
+                <execution>
+                  <id>prepare-checkout</id>
+                  <goals>
+                    <goal>run</goal>
+                  </goals>
+                  <phase>pre-site</phase>
+                  <configuration>
+                    <tasks>
+                      <exec executable="svn">
+                        <arg line="checkout --depth immediates ${commons.scmPubUrl} ${commons.scmPubCheckoutDirectory}"/>
+                      </exec>
+                      <exec executable="svn">
+                        <arg line="update --set-depth exclude ${commons.scmPubCheckoutDirectory}/javadocs"/>
+                      </exec>
+                      <pathconvert pathsep=" " property="dirs">
+                        <dirset dir="${commons.scmPubCheckoutDirectory}" includes="*"/>
+                      </pathconvert>
+                      <exec executable="svn">
+                        <arg line="update --set-depth infinity ${dirs}"/>
+                      </exec>
+                    </tasks>
+                  </configuration>
+                </execution>
+              </executions>
+            </plugin>
+          </plugins>
+        </build>
+      </profile>
+    </profiles>
 </project>

src/changes/changes.xml

@@ -29,6 +29,21 @@
   </properties>
   <body>
 
+    <release version="1.9.4" date="2019-06-12" description="The primary reason for this release is a bugfix for
+CVE-2014-0114. More specifically, our goal with BEANUTILS-520
+is to set the default behaviour of the BeanUtilsBean
+to not allow class level access. The goal in doing this now
+is to bring 1.9.X into alignment with the same behaviour
+of the 2.X version line in regards to security.
+
+If one would like to opt out of the default behaviour, one could follow the
+example set out in the test class available in
+src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.">
+      <action issue="BEANUTILS-520" dev="chtompki" type="fix" due-to="Melloware">
+        BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils).
+      </action>
+    </release>
+
     <release version="1.9.3" date="2016-09-21" description="Bug fix release, now builds with Java 8">
       <action issue="BEANUTILS-433" dev="ggregory" type="update" due-to="Benedikt Ritter, Gary Gregory">
         Update dependency from JUnit 3.8.1 to 4.12.

src/main/java/org/apache/commons/beanutils/BaseDynaBeanMapDecorator.java

@@ -47,7 +47,7 @@ import java.util.Set;
  *
  * @param <K> the type of the keys in the decorated map
  * @since BeanUtils 1.9.0
- * @version $Id: BaseDynaBeanMapDecorator.java 1746219 2016-05-31 05:05:09Z ggregory $
+ * @version $Id$
  */
 public abstract class BaseDynaBeanMapDecorator<K> implements Map<K, Object> {
 

src/main/java/org/apache/commons/beanutils/BasicDynaBean.java

@@ -37,7 +37,7 @@ import java.util.Map;
  * successfully serialized and deserialized <strong>ONLY</strong> if all
  * property values are <code>Serializable</code>.</p>
  *
- * @version $Id: BasicDynaBean.java 1747095 2016-06-07 00:27:52Z ggregory $
+ * @version $Id$
  */
 
 public class BasicDynaBean implements DynaBean, Serializable {

src/main/java/org/apache/commons/beanutils/BasicDynaClass.java

@@ -33,7 +33,7 @@ import java.util.HashMap;
  * constructor of its own that accepts a <code>DynaClass</code>.  This is
  * used to associate the DynaBean instance with this DynaClass.</p>
  *
- * @version $Id: BasicDynaClass.java 1747095 2016-06-07 00:27:52Z ggregory $
+ * @version $Id$
  */
 
 public class BasicDynaClass implements DynaClass, Serializable {

src/main/java/org/apache/commons/beanutils/BeanAccessLanguageException.java

@@ -23,7 +23,7 @@ package org.apache.commons.beanutils;
  * to subclass to create custom exceptions whenever appropriate.
  *
  * @since 1.7
- * @version $Id: BeanAccessLanguageException.java 1632171 2014-10-15 20:15:17Z ggregory $
+ * @version $Id$
  */
 
 public class BeanAccessLanguageException extends IllegalArgumentException {

src/main/java/org/apache/commons/beanutils/BeanComparator.java

@@ -44,7 +44,7 @@ import org.apache.commons.collections.comparators.ComparableComparator;
  * </p>
  *
  * @param <T> the type of beans to be compared by this {@code Comparator}
- * @version $Id: BeanComparator.java 1632171 2014-10-15 20:15:17Z ggregory $
+ * @version $Id$
  */
 public class BeanComparator<T> implements Comparator<T>, Serializable {
 

src/main/java/org/apache/commons/beanutils/BeanIntrospectionData.java

@@ -39,7 +39,7 @@ import java.util.Map;
  * required by the {@code BeanUtils} library is also stored here.
  * </p>
  *
- * @version $Id: BeanIntrospectionData.java 1632171 2014-10-15 20:15:17Z ggregory $
+ * @version $Id$
  * @since 1.9.1
  */
 class BeanIntrospectionData {

src/main/java/org/apache/commons/beanutils/BeanIntrospector.java

@@ -33,7 +33,7 @@ import java.beans.IntrospectionException;
  * code bases using non-standard conventions for accessing properties.
  * </p>
  *
- * @version $Id: BeanIntrospector.java 1540359 2013-11-09 18:10:52Z oheger $
+ * @version $Id$
  * @since 1.9
  */
 public interface BeanIntrospector {

src/main/java/org/apache/commons/beanutils/BeanMap.java

@@ -43,7 +43,7 @@ import org.apache.commons.collections.keyvalue.AbstractMapEntry;
  * If an exception occurs during attempts to get or set a property then the
  * property is considered non existent in the Map
  *
- * @version $Id: BeanMap.java 1746219 2016-05-31 05:05:09Z ggregory $
+ * @version $Id$
  */
 public class BeanMap extends AbstractMap<Object, Object> implements Cloneable {
 

src/main/java/org/apache/commons/beanutils/BeanPredicate.java

@@ -28,7 +28,7 @@ import java.lang.reflect.InvocationTargetException;
  * to the result of calling the given property getter.
  * </p>
  *
- * @version $Id: BeanPredicate.java 1632171 2014-10-15 20:15:17Z ggregory $
+ * @version $Id$
  */
 public class BeanPredicate implements Predicate {
 

src/main/java/org/apache/commons/beanutils/BeanPropertyValueChangeClosure.java

@@ -75,7 +75,7 @@ import java.lang.reflect.InvocationTargetException;
  *    </li>
  * </ul>
  *
- * @version $Id: BeanPropertyValueChangeClosure.java 1632171 2014-10-15 20:15:17Z ggregory $
+ * @version $Id$
  * @see org.apache.commons.beanutils.PropertyUtils
  * @see org.apache.commons.collections.Closure
  */