Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg · Emmanuel Bourg · fa00089c
--- a/README.md
+++ b/README.md
 # Hibernate Validator

-*Version: 4.3.3.Final, 19.05.2016*
+*Version: 4.3.4.Final, 29.05.2018*


 ## What is it?
@@ -40,7 +40,7 @@ Logging will delegate any log requests to that provider.
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-validator</artifactId>
-            <version>4.3.3.Final</version>
+            <version>4.3.4.Final</version>
        </dependency>


@@ -70,7 +70,7 @@ There are more build options available as well. For more information refer to [C
 ## Hibernate Validator URLs

 * [Home Page](http://hibernate.org/validator/)
-* [Downloads](http://www.hibernate.org/subprojects/validator/download.html)
+* [Downloads](http://hibernate.org/validator/releases/4.3/)
 * [Community Info](http://hibernate.org/community/)
 * [Source Code](git://github.com/hibernate/hibernate-validator.git)
 * [Issue Tracking](https://hibernate.atlassian.net/projects/HV)
--- a/annotation-processor/pom.xml
+++ b/annotation-processor/pom.xml
@@ -21,7 +21,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -30,7 +30,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/changelog.txt
+++ b/changelog.txt
 Hibernate Validator Changelog
 =============================

+
+4.3.4.Final (29.05.2018)
+------------------------
+
+** Bug
+    * [HV-1498] - Privilege escalation when running under the security manager
+
 4.3.3.Final (19.05.2016)
 ------------------------


--- a/debian/changelog
+++ b/debian/changelog
+libhibernate-validator-java (4.3.4-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release
+    - Removed the CVE-2017-7536 patch (fixed upstream)
+  * Fixed the build failure with Java 11 (Closes: #911138)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Wed, 17 Oct 2018 17:16:01 +0200
+
 libhibernate-validator-java (4.3.3-5) unstable; urgency=medium

  * Team upload.

--- a/debian/maven.properties
+++ b/debian/maven.properties
 # test code does not build due to missing jaxb-xjc
 maven.test.skip=true
+maven.compiler.release=8
--- a/debian/patches/01-workaround-maven-repo-helper-bug.patch
+++ b/debian/patches/01-workaround-maven-repo-helper-bug.patch
@@ -7,7 +7,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/pom.xml
 +++ b/pom.xml
-@@ -298,14 +298,6 @@
+@@ -299,14 +299,6 @@
                     <artifactId>maven-jdocbook-plugin</artifactId>
                     <version>2.3.5</version>
                     <extensions>true</extensions>

--- a/debian/patches/05-jaxb-dependency.patch
+++ b/debian/patches/05-jaxb-dependency.patch
+Description: Adds an explicit dependency on JAXB to build with Java 11
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: no
+--- a/engine/pom.xml
+++ b/engine/pom.xml
+@@ -68,6 +68,11 @@
+             <artifactId>jsoup</artifactId>
+             <optional>true</optional>
+         </dependency>
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>debian</version>
+        </dependency>
+ 
+         <!--
+         Test dependencies
--- a/debian/patches/CVE-2017-7536.patch
+++ b/debian/patches/CVE-2017-7536.patch
-From: Markus Koschany <apo@debian.org>
-Date: Thu, 11 Jan 2018 14:39:09 +0100
-Subject: CVE-2017-7536
-
-Bug-Debian: https://bugs.debian.org/885577
-Origin: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
---
- .../validator/HibernateValidatorPermission.java    | 29 ++++++++++++++++++++++
- .../validator/internal/engine/ValidatorImpl.java   |  6 +++++
- .../util/privilegedactions/GetDeclaredField.java   |  1 -
- 3 files changed, 35 insertions(+), 1 deletion(-)
- create mode 100644 engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
-
-diff --git a/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
-new file mode 100644
-index 0000000..71b33b7
--- /dev/null
-+++ b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
-@@ -0,0 +1,29 @@
-+/*
-+ * Hibernate Validator, declare and validate application constraints
-+ *
-+ * License: Apache License, Version 2.0
-+ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
-+ */
-+package org.hibernate.validator;
-+
-+import java.security.BasicPermission;
-+
-+/**
-+ * Our specific implementation of {@link BasicPermission} as we cannot define additional {@link RuntimePermission}.
-+ * <p>
-+ * {@code HibernateValidatorPermission} is thread-safe and immutable.
-+ *
-+ * @author Guillaume Smet
-+ */
-+public class HibernateValidatorPermission extends BasicPermission {
-+
-+	public static final HibernateValidatorPermission ACCESS_PRIVATE_MEMBERS = new HibernateValidatorPermission( "accessPrivateMembers" );
-+
-+	public HibernateValidatorPermission(String name) {
-+		super( name );
-+	}
-+
-+	public HibernateValidatorPermission(String name, String actions) {
-+		super( name, actions );
-+	}
-+}
-diff --git a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
-index 02d2b97..00b78e2 100644
--- a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
-+++ b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
-@@ -64,6 +64,7 @@ import org.hibernate.validator.internal.util.privilegedactions.SetAccessibility;
- import org.hibernate.validator.method.MethodConstraintViolation;
- import org.hibernate.validator.method.MethodValidator;
- import org.hibernate.validator.method.metadata.TypeDescriptor;
-+import org.hibernate.validator.HibernateValidatorPermission;
- 
- import static org.hibernate.validator.internal.util.CollectionHelper.newArrayList;
- import static org.hibernate.validator.internal.util.CollectionHelper.newHashMap;
-@@ -1426,6 +1427,11 @@ public class ValidatorImpl implements Validator, MethodValidator {
- 			return member;
- 		}
- 
-+		SecurityManager sm = System.getSecurityManager();
-+		if ( sm != null ) {
-+			sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
-+		}
-+
- 		Class<?> clazz = original.getDeclaringClass();
- 
- 		if ( original instanceof Field ) {
-diff --git a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
-index 3617d63..8db6523 100644
--- a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
-+++ b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
-@@ -41,7 +41,6 @@ public final class GetDeclaredField implements PrivilegedAction<Field> {
- 	public Field run() {
- 		try {
- 			final Field field = clazz.getDeclaredField( fieldName );
-			field.setAccessible( true );
- 			return field;
- 		}
- 		catch ( NoSuchFieldException e ) {
--- a/debian/patches/series
+++ b/debian/patches/series
 01-workaround-maven-repo-helper-bug.patch
 02-jaxb-plugin.patch
 jboss-logging-tools.patch
-CVE-2017-7536.patch
+05-jaxb-dependency.patch
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -20,7 +20,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/documentation/pom.xml
+++ b/documentation/pom.xml
@@ -21,7 +21,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/engine/pom.xml
+++ b/engine/pom.xml
@@ -21,7 +21,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+++ b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2018, Red Hat, Inc. and/or its affiliates, and individual contributors
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* http://www.apache.org/licenses/LICENSE-2.0
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.hibernate.validator;
+
+import java.security.BasicPermission;
+
+/**
+ * Our specific implementation of {@link BasicPermission} as we cannot define additional {@link RuntimePermission}.
+ * <p>
+ * {@code HibernateValidatorPermission} is thread-safe and immutable.
+ *
+ * @author Guillaume Smet
+ */
+public class HibernateValidatorPermission extends BasicPermission {
+
+	public static final HibernateValidatorPermission ACCESS_PRIVATE_MEMBERS = new HibernateValidatorPermission( "accessPrivateMembers" );
+
+	public HibernateValidatorPermission(String name) {
+		super( name );
+	}
+
+	public HibernateValidatorPermission(String name, String actions) {
+		super( name, actions );
+	}
+}
--- a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
+++ b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
@@ -41,6 +41,7 @@
 import javax.validation.groups.Default;
 import javax.validation.metadata.BeanDescriptor;

+import org.hibernate.validator.HibernateValidatorPermission;
 import org.hibernate.validator.internal.engine.groups.Group;
 import org.hibernate.validator.internal.engine.groups.GroupWithInheritance;
 import org.hibernate.validator.internal.engine.groups.Sequence;
@@ -1426,6 +1427,11 @@ private Member getAccessible(Member original) {
 			return member;
 		}

+		SecurityManager sm = System.getSecurityManager();
+		if ( sm != null ) {
+			sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
+		}
+
 		Class<?> clazz = original.getDeclaringClass();

 		if ( original instanceof Field ) {

--- a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
+++ b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
@@ -41,7 +41,6 @@ private GetDeclaredField(Class<?> clazz, String fieldName) {
 	public Field run() {
 		try {
 			final Field field = clazz.getDeclaredField( fieldName );
-			field.setAccessible( true );
 			return field;
 		}
 		catch ( NoSuchFieldException e ) {

--- a/integration/pom.xml
+++ b/integration/pom.xml
@@ -21,7 +21,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/performance/pom.xml
+++ b/performance/pom.xml
@@ -21,7 +21,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>


--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@

    <groupId>org.hibernate</groupId>
    <artifactId>hibernate-validator-parent</artifactId>
-    <version>4.3.3.Final</version>
+    <version>4.3.4.Final</version>
    <packaging>pom</packaging>

    <name>Hibernate Validator Aggregator</name>

--- a/tck-runner/pom.xml
+++ b/tck-runner/pom.xml
@@ -21,7 +21,7 @@
    <parent>
        <artifactId>hibernate-validator-parent</artifactId>
        <groupId>org.hibernate</groupId>
-        <version>4.3.3.Final</version>
+        <version>4.3.4.Final</version>
        <relativePath>../pom.xml</relativePath>
    </parent>