From 7cba9ebddc12e7a1d091556bcaaf9fdca3809c95 Mon Sep 17 00:00:00 2001 From: Matthias Sohn Date: Fri, 26 Dec 2014 12:19:44 +0100 Subject: [PATCH 1/5] Update JGit to 3.4.2.201412180340-r This JGit version mitigates CVE-2014-9390 [1]. [1] https://projects.eclipse.org/projects/technology.jgit/releases/3.4.2 Change-Id: I73503501ede0ac7be740ee4ea78787f60d0a5432 Signed-off-by: Matthias Sohn --- lib/jgit/BUCK | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/lib/jgit/BUCK b/lib/jgit/BUCK index 07671a571f..40cf6e816d 100644 --- a/lib/jgit/BUCK +++ b/lib/jgit/BUCK @@ -1,15 +1,13 @@ include_defs('//lib/maven.defs') -REPO = ECLIPSE -VERS = '3.4.0.201405051725-m7' +VERS = '3.4.2.201412180340-r' maven_jar( name = 'jgit', id = 'org.eclipse.jgit:org.eclipse.jgit:' + VERS, - bin_sha1 = '421e66466c7946b8f5e5a841297fe44d2071ab88', - src_sha1 = '281dd1817e53814ee055e346d572f687688a8463', + bin_sha1 = 'cc501e3db3f5a00713382753d7260ecf2d1fe7fa', + src_sha1 = '19c71b70882b83f4e15a888ff8ef4f2e0507efa0', license = 'jgit', - repository = REPO, unsign = True, deps = [':ewah'], exclude = [ @@ -22,9 +20,8 @@ maven_jar( maven_jar( name = 'jgit-servlet', id = 'org.eclipse.jgit:org.eclipse.jgit.http.server:' + VERS, - sha1 = 'ff19ad93a4e710abcd0a9cce4c388c8b3a3c8b50', + sha1 = '9965a9cbb9673572848dea6d6eecf51d3e7d360c', license = 'jgit', - repository = REPO, deps = [':jgit'], unsign = True, exclude = [ @@ -36,9 +33,8 @@ maven_jar( maven_jar( name = 'jgit-archive', id = 'org.eclipse.jgit:org.eclipse.jgit.archive:' + VERS, - sha1 = '647142e1faad38b4d6d4c4922dce83d890a03c0a', + sha1 = '4232b91d3f6e77aff86894170fdfb68d455906a8', license = 'jgit', - repository = REPO, deps = [':jgit', '//lib/commons:compress', '//lib:tukaani-xz', 
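Review bot: The removal of `REPO = ECLIPSE` and of `repository = REPO,` from all four `maven_jar` rules (jgit, jgit-servlet and jgit-archive here, junit in the following hunk) changes where the artifacts are downloaded from, and the commit message does not mention it. Which repository applies when the argument is absent is defined in `//lib/maven.defs`, outside this diff; presumably the `-r` release build is published there while the `-m7` milestone was not. A short line in the commit message, such as `Release builds are fetched from the default repository, so the ECLIPSE override is dropped`, would make the source change reviewable. Because the `bin_sha1`/`src_sha1`/`sha1` pins are the integrity check on whatever that repository serves, the new values should be confirmed against the checksums published for 3.4.2.201412180340-r.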
@@ -53,9 +49,8 @@ maven_jar( maven_jar( name = 'junit', id = 'org.eclipse.jgit:org.eclipse.jgit.junit:' + VERS, - sha1 = 'd6878be134e7dfb7f8e96a537d60f0ec7f637833', + sha1 = '8e69847e02cea0898c31e3a3066c8b4416938593', license = 'DO_NOT_DISTRIBUTE', - repository = REPO, unsign = True, deps = [':jgit'], ) From 9504d009686ea71b78e4ccc3b7fd2b08303f115f Mon Sep 17 00:00:00 2001 From: David Pursehouse Date: Sat, 27 Dec 2014 09:17:06 +0900 Subject: [PATCH 2/5] Set version to 2.9.4 Change-Id: Ie80cfe765beb87e4a856bff21f98ba6cc3fa9bc8 --- VERSION | 2 +- gerrit-extension-api/pom.xml | 2 +- gerrit-plugin-api/pom.xml | 2 +- gerrit-plugin-archetype/pom.xml | 2 +- gerrit-plugin-gwt-archetype/pom.xml | 2 +- gerrit-plugin-gwtui/pom.xml | 2 +- gerrit-plugin-js-archetype/pom.xml | 2 +- gerrit-war/pom.xml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/VERSION b/VERSION index e8fcaf02b4..c9e9a5d821 100644 --- a/VERSION +++ b/VERSION @@ -2,5 +2,5 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = '2.9.3' +GERRIT_VERSION = '2.9.4' diff --git a/gerrit-extension-api/pom.xml b/gerrit-extension-api/pom.xml index 43f39547ce..a53fa36416 100644 --- a/gerrit-extension-api/pom.xml +++ b/gerrit-extension-api/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 2.9.3 + 2.9.4 jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/gerrit-plugin-api/pom.xml b/gerrit-plugin-api/pom.xml index 620e9ca4dd..6baf53a28c 100644 --- a/gerrit-plugin-api/pom.xml +++ b/gerrit-plugin-api/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 2.9.3 + 2.9.4 jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/gerrit-plugin-archetype/pom.xml b/gerrit-plugin-archetype/pom.xml index 73dd9800d8..e1694d2df8 100644 --- a/gerrit-plugin-archetype/pom.xml +++ b/gerrit-plugin-archetype/pom.xml 
@@ -20,7 +20,7 @@ limitations under the License. com.google.gerrit gerrit-plugin-archetype - 2.9.3 + 2.9.4 Gerrit Code Review - Plugin Archetype Maven Archetype for Gerrit Plugins http://code.google.com/p/gerrit/ diff --git a/gerrit-plugin-gwt-archetype/pom.xml b/gerrit-plugin-gwt-archetype/pom.xml index f0dcf9ec15..e937277460 100644 --- a/gerrit-plugin-gwt-archetype/pom.xml +++ b/gerrit-plugin-gwt-archetype/pom.xml @@ -20,7 +20,7 @@ limitations under the License. com.google.gerrit gerrit-plugin-gwt-archetype - 2.9.3 + 2.9.4 Gerrit Code Review - Web UI GWT Plugin Archetype Maven Archetype for Gerrit Web UI GWT Plugins http://code.google.com/p/gerrit/ diff --git a/gerrit-plugin-gwtui/pom.xml b/gerrit-plugin-gwtui/pom.xml index 1e3316b60d..e4ee7966c9 100644 --- a/gerrit-plugin-gwtui/pom.xml +++ b/gerrit-plugin-gwtui/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-gwtui - 2.9.3 + 2.9.4 jar Gerrit Code Review - Plugin GWT UI Common Classes for Gerrit GWT UI Plugins diff --git a/gerrit-plugin-js-archetype/pom.xml b/gerrit-plugin-js-archetype/pom.xml index 8dcdf736c8..a3b40c2b5b 100644 --- a/gerrit-plugin-js-archetype/pom.xml +++ b/gerrit-plugin-js-archetype/pom.xml @@ -20,7 +20,7 @@ limitations under the License. com.google.gerrit gerrit-plugin-js-archetype - 2.9.3 + 2.9.4 Gerrit Code Review - Web UI JavaScript Plugin Archetype Maven Archetype for Gerrit Web UI JavaScript Plugins http://code.google.com/p/gerrit/ diff --git a/gerrit-war/pom.xml b/gerrit-war/pom.xml index 2d7f6b27c4..7577454f39 100644 --- a/gerrit-war/pom.xml +++ b/gerrit-war/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 2.9.3 + 2.9.4 war Gerrit Code Review - WAR Gerrit WAR From f15ff1a487c6c19381222292294f425c851b75aa Mon Sep 17 00:00:00 2001 
From: David Pursehouse Date: Sat, 27 Dec 2014 09:33:44 +0900 Subject: [PATCH 3/5] Release notes for Gerrit 2.9.4 Change-Id: I936cd3f7f162b565badef49a8ec73109d04a9441 --- ReleaseNotes/ReleaseNotes-2.9.4.txt | 33 +++++++++++++++++++++++++++++ ReleaseNotes/index.txt | 1 + 2 files changed, 34 insertions(+) create mode 100644 ReleaseNotes/ReleaseNotes-2.9.4.txt diff --git a/ReleaseNotes/ReleaseNotes-2.9.4.txt b/ReleaseNotes/ReleaseNotes-2.9.4.txt new file mode 100644 index 0000000000..38bf9c650b --- /dev/null +++ b/ReleaseNotes/ReleaseNotes-2.9.4.txt @@ -0,0 +1,33 @@ +Release notes for Gerrit 2.9.4 +============================== + +Download: +link:https://gerrit-releases.storage.googleapis.com/gerrit-2.9.4.war[ +https://gerrit-releases.storage.googleapis.com/gerrit-2.9.4.war] + +Important Notes +--------------- + +*WARNING:* There are no schema changes from +link:ReleaseNotes-2.9.3.html[2.9.3], but when upgrading from an existing site +that was initialized with Gerrit version 2.6 to version 2.9.1 the primary key +column order will be updated for some tables. It is therefore important to +upgrade the site with the `init` program, rather than only copying the .war file +over the existing one. + +It is recommended to run the `init` program in interactive mode. Warnings will +be suppressed in batch mode. + +---- + java -jar gerrit.war init -d site_path +---- + +Bug Fixes +--------- + +* Update JGit to 3.4.2.201412180340-r ++ +This JGit version mitigates +link:http://article.gmane.org/gmane.linux.kernel/1853266[CVE-2014-9390]. See the +link:https://projects.eclipse.org/projects/technology.jgit/releases/3.4.2[JGit release notes] +for further details. diff --git a/ReleaseNotes/index.txt b/ReleaseNotes/index.txt index a28c7154b5..765a4303ac 100644 --- a/ReleaseNotes/index.txt +++ b/ReleaseNotes/index.txt 
@@ -4,6 +4,7 @@ Gerrit Code Review - Release Notes [[2_9]] Version 2.9.x ------------- +* link:ReleaseNotes-2.9.4.html[2.9.4] * link:ReleaseNotes-2.9.3.html[2.9.3] * link:ReleaseNotes-2.9.2.html[2.9.2] * link:ReleaseNotes-2.9.1.html[2.9.1] From 8047c4df8b5a552571e3935babc6f2810016c0e9 Mon Sep 17 00:00:00 2001 From: Matthias Sohn Date: Sun, 28 Dec 2014 01:21:12 +0100 Subject: [PATCH 4/5] Update JGit to 3.5.3.201412180710-r This JGit version mitigates CVE-2014-9390 [1]. [1] https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3 Change-Id: I7fa9ae43205afcc30f71578691f0fc30457fbd6b Signed-off-by: Matthias Sohn --- lib/jgit/BUCK | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/jgit/BUCK b/lib/jgit/BUCK index f0ab6299a7..8ddf3f9d01 100644 --- a/lib/jgit/BUCK +++ b/lib/jgit/BUCK @@ -1,12 +1,12 @@ include_defs('//lib/maven.defs') -VERS = '3.5.1.201410131835-r' +VERS = '3.5.3.201412180710-r' maven_jar( name = 'jgit', id = 'org.eclipse.jgit:org.eclipse.jgit:' + VERS, - bin_sha1 = '23b8793639407fcbe2fee8557fb8238d18b2e409', - src_sha1 = '48ae55f9fed45e188177bcf3bf4638eed6bf3aae', + bin_sha1 = '9f3781c7163ee6fa380a4518564a5abb097d9e27', + src_sha1 = 'e6d8548522624ffa3094e43130e5dc958f359187', license = 'jgit', unsign = True, deps = [':ewah'], @@ -20,7 +20,7 @@ maven_jar( maven_jar( name = 'jgit-servlet', id = 'org.eclipse.jgit:org.eclipse.jgit.http.server:' + VERS, - sha1 = 'ee4f9852eb62d9b0785705e4eb40e40035119da7', + sha1 = 'f2678e1feefd8b90b3c47d40ebc2b9426e3b69f4', license = 'jgit', deps = [':jgit'], unsign = True, @@ -33,7 +33,7 @@ maven_jar( maven_jar( name = 'jgit-archive', id = 'org.eclipse.jgit:org.eclipse.jgit.archive:' + VERS, - sha1 = '48ddea0e3f6e78f9696e30dfc257118a446b453c', + sha1 = '66705b6630a89c9e6e7950798ea2d7f8a4a82cd7', license = 'jgit', deps = [':jgit', '//lib/commons:compress', 
@@ -49,7 +49,7 @@ maven_jar( maven_jar( name = 'junit', id = 'org.eclipse.jgit:org.eclipse.jgit.junit:' + VERS, - sha1 = '1e8a9e7fa493e96ec6c07b9f6f51ed2d2db60b9f', + sha1 = '47e821761059770dfd3f443dc7f14d5381fb6f4f', license = 'DO_NOT_DISTRIBUTE', unsign = True, deps = [':jgit'], From aebb492d9f660e3cbd78aa035c0ca66278a5a6fe Mon Sep 17 00:00:00 2001 From: David Pursehouse Date: Mon, 29 Dec 2014 10:21:11 +0900 Subject: [PATCH 5/5] Update 2.10 release notes - 2.10 includes fixes from 2.9.3 and 2.9.4 - Update JGit version Change-Id: Ib53144a7f2008ab7cf51687e72fce12f84fdac8e --- ReleaseNotes/ReleaseNotes-2.10.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ReleaseNotes/ReleaseNotes-2.10.txt b/ReleaseNotes/ReleaseNotes-2.10.txt index 0a4bcc4ca9..f356cd3d19 100644 --- a/ReleaseNotes/ReleaseNotes-2.10.txt +++ b/ReleaseNotes/ReleaseNotes-2.10.txt @@ -8,8 +8,10 @@ link:https://gerrit-releases.storage.googleapis.com/gerrit-2.10.war[ https://gerrit-releases.storage.googleapis.com/gerrit-2.10.war] Gerrit 2.10 includes the bug fixes done with -link:ReleaseNotes-2.9.1.html[Gerrit 2.9.1] and -link:ReleaseNotes-2.9.2.html[Gerrit 2.9.2]. +link:ReleaseNotes-2.9.1.html[Gerrit 2.9.1], +link:ReleaseNotes-2.9.2.html[Gerrit 2.9.2], +link:ReleaseNotes-2.9.3.html[Gerrit 2.9.3] and +link:ReleaseNotes-2.9.4.html[Gerrit 2.9.4]. These bug fixes are *not* listed in these release notes. Important Notes @@ -677,7 +679,7 @@ Upgrades * Update Jetty to 9.2 -* Update JGit to 3.4.0.201406110918-r +* Update JGit to 3.5.3.201412180710-r * Update log4j to 1.2.17