build.gradle

@@ -40,7 +40,7 @@ configure(allprojects) { project ->
 	ext.ejbVersion           = "3.0"
 	ext.fileuploadVersion    = "1.3.3"
 	ext.freemarkerVersion    = "2.3.23"
-	ext.groovyVersion        = "2.4.13"
+	ext.groovyVersion        = "2.4.15"
 	ext.gsonVersion          = "2.8.2"
 	ext.guavaVersion         = "20.0"
 	ext.hamcrestVersion      = "1.3"
@@ -52,7 +52,7 @@ configure(allprojects) { project ->
 	ext.hsqldbVersion        = "2.3.4"
 	ext.httpasyncVersion     = "4.1.3"
 	ext.httpclientVersion    = "4.5.5"
-	ext.jackson2Version      = "2.8.11"
+	ext.jackson2Version      = "2.8.11.2"
 	ext.jasperreportsVersion = "6.2.1"  // our tests fail with JR-internal NPEs against 6.2.2 and higher
 	ext.javamailVersion      = "1.5.6"
 	ext.jettyVersion         = "9.3.14.v20161028"  // as of 9.3.15, Jetty has hard Servlet 3.1 requirement
@@ -62,20 +62,20 @@ configure(allprojects) { project ->
 	ext.jtaVersion           = "1.2"
 	ext.junitVersion         = "4.12"
 	ext.log4jVersion         = "1.2.17"
-	ext.nettyVersion         = "4.1.20.Final"
+	ext.nettyVersion         = "4.1.29.Final"
 	ext.okhttpVersion        = "2.7.5"
 	ext.okhttp3Version       = "3.8.1"
 	ext.openjpaVersion       = "2.4.2"
 	ext.poiVersion           = "3.14"
 	ext.reactorVersion       = "2.0.8.RELEASE"
 	ext.romeVersion          = "1.7.4"
-	ext.slf4jVersion         = "1.7.21"
+	ext.slf4jVersion         = "1.7.25"
 	ext.snakeyamlVersion     = "1.17"
-	ext.snifferVersion       = "1.15"
+	ext.snifferVersion       = "1.16"
 	ext.testngVersion        = "6.9.10"
 	ext.tiles2Version        = "2.2.2"
 	ext.tiles3Version        = "3.0.7"
-	ext.tomcatVersion        = "8.5.27"
+	ext.tomcatVersion        = "8.5.33"
 	ext.tyrusVersion         = "1.3.5"  // constrained by WebLogic 12.1.3 support
 	ext.undertowVersion      = "1.3.33.Final"
 	ext.xmlunitVersion       = "1.6"
@@ -316,7 +316,7 @@ project("spring-core") {
 					}
 					// Repackage net.sf.cglib => org.springframework.cglib
 					rule(pattern: "net.sf.cglib.**", result: "org.springframework.cglib.@1")
-					// As mentioned above, transform cglib"s internal asm dependencies from
+					// As mentioned above, transform cglib's internal asm dependencies from
 					// org.objectweb.asm => org.springframework.asm. Doing this counts on the
 					// the fact that Spring and cglib depend on the same version of asm!
 					rule(pattern: "org.objectweb.asm.**", result: "org.springframework.asm.@1")
@@ -704,7 +704,7 @@ project("spring-web") {
 		optional("com.squareup.okhttp:okhttp:${okhttpVersion}")
 		optional("com.squareup.okhttp3:okhttp:${okhttp3Version}")
 		optional("com.fasterxml.jackson.core:jackson-databind:${jackson2Version}")
-		optional("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:${jackson2Version}")
+		optional("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.8.11")
 		optional("com.google.code.gson:gson:${gsonVersion}")
 		optional("com.rometools:rome:${romeVersion}")
 		optional("org.eclipse.jetty:jetty-servlet:${jettyVersion}") {
@@ -720,12 +720,13 @@ project("spring-web") {
 		testCompile(project(":spring-context-support"))  // for JafMediaTypeFactory
 		testCompile("xmlunit:xmlunit:${xmlunitVersion}")
 		testCompile("org.slf4j:slf4j-jcl:${slf4jVersion}")
+		testCompile("org.skyscreamer:jsonassert:1.4.0")
 		testCompile("org.apache.taglibs:taglibs-standard-jstlel:1.2.1") {
 			exclude group: "org.apache.taglibs", module: "taglibs-standard-spec"
 		}
-		testCompile("com.fasterxml.jackson.datatype:jackson-datatype-joda:${jackson2Version}")
-		testCompile("com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${jackson2Version}")
-		testCompile("com.fasterxml.jackson.module:jackson-module-kotlin:${jackson2Version}")
+		testCompile("com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.11")
+		testCompile("com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.8.11")
+		testCompile("com.fasterxml.jackson.module:jackson-module-kotlin:2.8.11.1")
     	testCompile("com.squareup.okhttp3:mockwebserver:${okhttp3Version}")
 		testRuntime("com.sun.mail:javax.mail:${javamailVersion}")
 	}
@@ -836,7 +837,7 @@ project("spring-webmvc") {
 			exclude group: "org.springframework", module: "spring-context"
 		}
 		optional("com.fasterxml.jackson.core:jackson-databind:${jackson2Version}")
-		optional("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:${jackson2Version}")
+		optional("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.8.11")
 		optional("com.rometools:rome:${romeVersion}")
 		optional("javax.el:javax.el-api:2.2.5")
 		optional("org.apache.tiles:tiles-api:${tiles3Version}")

debian/changelog

+libspring-java (4.3.19-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release
+    - Fixes CVE-2018-1270, CVE-2018-1272 and CVE-2018-1275 (Closes: #895114)
+    - Refreshed the patches
+    - Updated the Maven rules
+  * Fixed the compatibility with the version of SnakeYAML in Debian
+  * Replaced debian/orig-tar.sh with the File-Excluded field in debian/copyright
+  * Standards-Version updated to 4.2.1
+  * Use salsa.debian.org Vcs-* URLs
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Fri, 05 Oct 2018 14:19:52 +0200
+
 libspring-java (4.3.14-1) unstable; urgency=high
 
   * Team upload.

debian/control

@@ -84,9 +84,9 @@ Build-Depends-Indep: bsh,
                      maven-repo-helper (>= 1.9~),
                      testng (>= 6.9.12-2~),
                      velocity
-Standards-Version: 4.1.3
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/libspring-java.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/libspring-java.git
+Standards-Version: 4.2.1
+Vcs-Git: https://salsa.debian.org/java-team/libspring-java.git
+Vcs-Browser: https://salsa.debian.org/java-team/libspring-java
 Homepage: http://projects.spring.io/spring-framework/
 
 Package: libspring-core-java

debian/copyright

@@ -2,6 +2,10 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Spring Framework
 Upstream-Contact: SpringSource Inc.
 Source: http://springframework.org/download
+Files-Excluded: *.jar
+                .settings
+                gradlew*
+                gradle/wrapper/*
 
 Files: *
 Copyright: 2002-2011, the original author or authors

debian/maven.ignoreRules

 com.ibm.websphere uow * * * *
 com.github.ben-manes.caffeine caffeine * * * *
 com.h2database h2 * * * *
+org.glassfish.tyrus * * * * *
 org.hibernate hibernate-annotations * * * *
 io.spring.gradle docbook-reference-plugin * * * *
+io.undertow * * * * *
 javax.money money-api * * * *
 com.squareup.okhttp okhttp * * * *
 com.squareup.okhttp3 okhttp * * * *

debian/maven.rules

@@ -18,6 +18,7 @@ javax.websocket javax.websocket-api * * * *
 junit junit * s/.*/4.x/ * *
 log4j log4j * s/.*/1.2.x/ * *
 org.apache.tomcat s/catalina/tomcat-catalina/ * s/.*/8.x/ * *
+org.apache.tomcat tomcat-websocket * s/.*/8.x/ * *
 org.codehaus.castor s/castor/castor-xml/ * s/.*/debian/ * *
 s/org.codehaus.fabric3.api/org.apache.geronimo.specs/ s/commonj/geronimo-commonj_1.1_spec/ * s/.*/debian/ * *
 org.eclipse.jetty* * * s/.*/9.x/ * *

debian/orig-tar.sh

-#!/bin/sh -e
-
-# called by uscan with '--upstream-version' <version> <file>
-VERSION=$2
-DIR=spring-framework-$VERSION
-TAR=../libspring-java_$VERSION.orig.tar.xz
-
-mkdir $DIR
-tar -xf $3 --strip-components=1 -C $DIR
-rm $3
-XZ_OPT=--best tar cJvf $TAR \
-    --exclude '*.jar' \
-    --exclude '*.class' \
-    --exclude '.settings' \
-    --exclude '.project' \
-    --exclude '.classpath' \
-    --exclude 'gradlew*' \
-    --exclude 'gradle/wrapper/*' \
-    $DIR
-rm -rf $DIR

debian/patches/0022-ignore-docbook-reference-plugin.patch

@@ -4,7 +4,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/build.gradle
 +++ b/build.gradle
-@@ -1155,7 +1155,6 @@
+@@ -1156,7 +1156,6 @@
  	description = "Spring Framework"
  
  	apply plugin: "org.asciidoctor.convert"
@@ -12,7 +12,7 @@ Forwarded: not-needed
  	apply plugin: "groovy"
  
  	// apply plugin: "detect-split-packages"
-@@ -1169,13 +1168,6 @@
+@@ -1170,13 +1169,6 @@
  		attributes 'spring-version': project.version, 'revnumber': project.version, 'docinfo': ""
  	}
  
@@ -26,7 +26,7 @@ Forwarded: not-needed
  	afterEvaluate {
  		tasks.findAll { it.name.startsWith("reference") }.each{ it.dependsOn.add("asciidoctor") }
  	}
-@@ -1249,7 +1241,7 @@
+@@ -1250,7 +1242,7 @@
  		}
  	}
  
@@ -35,7 +35,7 @@ Forwarded: not-needed
  		group = "Distribution"
  		baseName = "spring-framework"
  		classifier = "docs"
-@@ -1263,10 +1255,6 @@
+@@ -1264,10 +1256,6 @@
  		from (api) {
  			into "javadoc-api"
  		}

debian/patches/0028-disable-jdiff-report.patch

@@ -3,7 +3,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/build.gradle
 +++ b/build.gradle
-@@ -1158,7 +1158,7 @@
+@@ -1159,7 +1159,7 @@
  	apply plugin: "groovy"
  
  	// apply plugin: "detect-split-packages"

debian/patches/0035-ignore-asciidoctor-plugin.patch

@@ -3,7 +3,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/build.gradle
 +++ b/build.gradle
-@@ -1154,24 +1154,11 @@
+@@ -1155,24 +1155,11 @@
  configure(rootProject) {
  	description = "Spring Framework"
  

debian/patches/0037-ignore-sonar-plugin.patch

@@ -14,7 +14,7 @@ Forwarded: not-needed
  ext {
  	linkHomepage = 'https://projects.spring.io/spring-framework'
  	linkCi = 'https://build.spring.io/browse/SPR'
-@@ -1137,20 +1133,6 @@
+@@ -1138,20 +1134,6 @@
  	}
  }
  
@@ -35,7 +35,7 @@ Forwarded: not-needed
  configure(rootProject) {
  	description = "Spring Framework"
  
-@@ -1366,21 +1348,6 @@
+@@ -1367,21 +1349,6 @@
  
  }
  

debian/patches/0039-openjpa-compatibility.patch

@@ -3,7 +3,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/build.gradle
 +++ b/build.gradle
-@@ -765,6 +765,7 @@
+@@ -766,6 +766,7 @@
  			exclude group: 'org.apache.geronimo.specs', module: 'geronimo-jta_1.1_spec'
  			exclude group: 'org.apache.geronimo.specs', module: 'geronimo-jms_1.1_spec'
  		}

debian/patches/0043-ignore-okhttp.patch

@@ -3,7 +3,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/build.gradle
 +++ b/build.gradle
-@@ -742,6 +742,14 @@
+@@ -743,6 +743,14 @@
      	testCompile("com.squareup.okhttp3:mockwebserver:${okhttp3Version}")
  		testRuntime("com.sun.mail:javax.mail:${javamailVersion}")
  	}

debian/patches/0044-ignore-httpunit.patch

@@ -3,7 +3,7 @@ Author: Emmanuel Bourg <ebourg@apache.org>
 Forwarded: not-needed
 --- a/build.gradle
 +++ b/build.gradle
-@@ -1060,6 +1060,15 @@
+@@ -1061,6 +1061,15 @@
  		testRuntime("log4j:log4j:${log4jVersion}")
  	}
  

debian/patches/0048-snakeyaml-compatibility.patch

+Description: Fixes the compatibility with the version of SnakeYAML in Debian
+Origin: backport, https://github.com/spring-projects/spring-framework/commit/138b0d0bbdf65b0da181a06e5fc79cda05fb1e71
+--- a/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java
++++ b/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java
+@@ -18,7 +18,6 @@
+ 
+ import java.io.IOException;
+ import java.io.Reader;
+-import java.util.AbstractMap;
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Collections;
+@@ -26,14 +25,11 @@
+ import java.util.List;
+ import java.util.Map;
+ import java.util.Properties;
+-import java.util.Set;
+ 
+ import org.apache.commons.logging.Log;
+ import org.apache.commons.logging.LogFactory;
++import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
+-import org.yaml.snakeyaml.constructor.Constructor;
+-import org.yaml.snakeyaml.nodes.MappingNode;
+-import org.yaml.snakeyaml.parser.ParserException;
+ import org.yaml.snakeyaml.reader.UnicodeReader;
+ 
+ import org.springframework.core.CollectionFactory;
+@@ -141,9 +137,14 @@
+ 
+ 	/**
+ 	 * Create the {@link Yaml} instance to use.
++	 * <p>The default implementation sets the "allowDuplicateKeys" flag to {@code false},
++	 * enabling built-in duplicate key handling in SnakeYAML 1.18+.
++	 * @see LoaderOptions#setAllowDuplicateKeys(boolean)
+ 	 */
+ 	protected Yaml createYaml() {
+-		return new Yaml(new StrictMapAppenderConstructor());
++		LoaderOptions options = new LoaderOptions();
++		options.setAllowDuplicateKeys(false);
++		return new Yaml(options);
+ 	}
+ 
+ 	private boolean process(MatchCallback callback, Yaml yaml, Resource resource) {
+@@ -387,45 +388,4 @@
+ 		FIRST_FOUND
+ 	}
+ 
+-
+-	/**
+-	 * A specialized {@link Constructor} that checks for duplicate keys.
+-	 */
+-	protected static class StrictMapAppenderConstructor extends Constructor {
+-
+-		// Declared as public for use in subclasses
+-		public StrictMapAppenderConstructor() {
+-			super();
+-		}
+-
+-		@Override
+-		protected Map<Object, Object> constructMapping(MappingNode node) {
+-			try {
+-				return super.constructMapping(node);
+-			}
+-			catch (IllegalStateException ex) {
+-				throw new ParserException("while parsing MappingNode",
+-						node.getStartMark(), ex.getMessage(), node.getEndMark());
+-			}
+-		}
+-
+-		@Override
+-		protected Map<Object, Object> createDefaultMap() {
+-			final Map<Object, Object> delegate = super.createDefaultMap();
+-			return new AbstractMap<Object, Object>() {
+-				@Override
+-				public Object put(Object key, Object value) {
+-					if (delegate.containsKey(key)) {
+-						throw new IllegalStateException("Duplicate key: " + key);
+-					}
+-					return delegate.put(key, value);
+-				}
+-				@Override
+-				public Set<Entry<Object, Object>> entrySet() {
+-					return delegate.entrySet();
+-				}
+-			};
+-		}
+-	}
+-
+ }

debian/patches/series

@@ -16,3 +16,4 @@
 0045-ignore-caffeine.patch
 0046-jruby-compatibility.patch
 0047-ejb-api-compatibility.patch
+0048-snakeyaml-compatibility.patch

debian/rules

@@ -37,6 +37,3 @@ override_dh_auto_install:
 	# Install the spring-aspects artifact in the aop package
 	mh_installpom -plibspring-aop-java --relocate=org.springframework:spring-aspects:3.x spring-aspects/build/debian/spring-aspects.pom
 	mh_installjar -plibspring-aop-java -nspring3-aspects --usj-version=3.x --java-lib spring-aspects/build/debian/spring-aspects.pom spring-aspects/build/libs/spring-aspects*.jar
-
-get-orig-source:
-	uscan --download-current-version --rename --force-download

debian/watch

 version=3
-opts=dversionmangle=s/\.RELEASE// \
-https://github.com/spring-projects/spring-framework/tags .*/v([\d\.]+).RELEASE.tar.gz debian debian/orig-tar.sh
+opts=repack,compression=xz,dversionmangle=s/\.RELEASE// \
+https://github.com/spring-projects/spring-framework/tags .*/v([\d\.]+).RELEASE.tar.gz

gradle.properties

-version=4.3.14.RELEASE
+version=4.3.19.RELEASE

spring-aop/src/main/java/org/springframework/aop/MethodMatcher.java

 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,10 +48,11 @@ import java.lang.reflect.Method;
 public interface MethodMatcher {
 
 	/**
-	 * Perform static checking whether the given method matches. If this
-	 * returns {@code false} or if the {@link #isRuntime()} method
-	 * returns {@code false}, no runtime check (i.e. no.
-	 * {@link #matches(java.lang.reflect.Method, Class, Object[])} call) will be made.
+	 * Perform static checking whether the given method matches.
+	 * <p>If this returns {@code false} or if the {@link #isRuntime()}
+	 * method returns {@code false}, no runtime check (i.e. no
+	 * {@link #matches(java.lang.reflect.Method, Class, Object[])} call)
+	 * will be made.
 	 * @param method the candidate method
 	 * @param targetClass the target class (may be {@code null}, in which case
 	 * the candidate class must be taken to be the method's declaring class)