* stable-2.14:
ElasticContainer: Test with versions 5.6.13 and 6.4.3
Upgrade elasticsearch-rest-client to 6.4.3
Bazel: Consume versions directly from lib:versions.bzl in skylib
Change-Id: I2264b3f077799c5a7b9467a3e33606b71c53f174
* stable-2.14:
AbstractChangeNotes: Never open repo when NoteDb is off
dev-contributing: Specify buildifier version 0.17.2
Remove unused dependency on httpcomponents:httpmime
Fix Elasticsearch dependency on httpcore-nio
Upgrade Jetty to 9.3.24.v20180605 to fix several CVEs
[CVE-2018-1000180, CVE-2018-1000613] Upgrade Bouncycastle to 1.60
Adapt PublicKeyStoreTest to work with BouncyCastle 1.60
[CVE-2018-10237]: Upgrade guava to 24.1.1-jre
Stop using CharMatcher.javaLetterOrDigit
project/Index: Assign and ignore unused future
[CVE-2017-12629] Upgrade Lucene to 5.5.5
[CVE-2018-10936] Upgrade postgresql to 42.2.5
[CVE-2015-1832] Upgrade Apache Derby to 10.12.1.1
Set version to 2.14.17-SNAPSHOT
Change-Id: Id35c46871597e8005d63379c3fce1d9113b80ed6
The only consumer of httpmime was Apache Solr, which was removed
in change Ic62ae3103 more than 3 years ago.
Change-Id: I6204dc74cc99a878ac4cac7c777a235544f9f80e
The elasticsearch-rest-client library has an explicit dependency on
version 4.4.5 of httpcore-nio [1], but the version provided by Gerrit
is tied to the same version 4.4.1 as all the other httpcomponents.
Since httpcore-nio is only used by elasticsearch-rest-client, we can
safely provide the required version. We can also restrict visibility
to the elasticsearch package to prevent accidental usage elsewhere.
The same is true for the httpasyncclient component, which we already
provide at the correct version as used by elasticsearch-rest-client,
so also restrict its visibility in the same way.
At the same time, move httpcore-nio and httpasyncclient declarations
up the WORKSPACE file adjacent to the other httpcomponents, and add
a comment to clarify that they are set at explicit versions for ES.
[1] https://search.maven.org/artifact/org.elasticsearch.client/elasticsearch-rest-client/6.4.2/jar
Bug: Issue 9969
Change-Id: Id80f92768667541604df0c53235ea81ecdda9c0e
This upgrade fixes the following CVEs:
- CVE-2017-7656 [1]:
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations),
and 9.4.x (non-default configuration with RFC2616 compliance enabled),
HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method
space URI space version) that declares a version of HTTP/0.9 was accepted
and treated as a 0.9 request. If deployed behind an intermediary that also
accepted and passed through the 0.9 version (but did not act on it), then
the response sent could be interpreted by the intermediary as HTTP/1
headers. This could be used to poison the cache if the server allowed the
origin client to generate arbitrary content in the response.
- CVE-2017-7657 [2]:
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and
9.4.x (non-default configuration with RFC2616 compliance enabled),
transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable
to an integer overflow. Thus a large chunk size could be interpreted as a
smaller chunk size and content sent as chunk body could be interpreted as a
pipelined request. If Jetty was deployed behind an intermediary that imposed
some authorization and that intermediary allowed arbitrarily large chunks to
be passed on unchanged, then this flaw could be used to bypass the
authorization imposed by the intermediary as the fake pipelined request would
not be interpreted by the intermediary as a request.
- CVE-2017-7658 [3]:
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x
configurations), and 9.4.x (all HTTP/1.x configurations), when presented with
two content-length headers, Jetty ignored the second. When presented with a
content-length and a chunked encoding header, the content-length was ignored
(as per RFC 2616). If an intermediary decided on the shorter length, but still
passed on the longer body, then body content could be interpreted by Jetty as
a pipelined request. If the intermediary was imposing authorization, the fake
pipelined request would bypass that authorization.
- CVE-2017-9735 [4]:
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java,
which makes it easier for remote attackers to obtain access by observing
elapsed times before rejection of incorrect passwords.
- CVE-2018-12536 [5]:
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default
Error Handling, when an intentionally bad query arrives that doesn't match a
dynamic url-pattern, and is eventually handled by the DefaultServlet's static
file serving, the bad characters can trigger a
java.nio.file.InvalidPathException which includes the full path to the base
resource directory that the DefaultServlet and/or webapp is using. If this
InvalidPathException is then handled by the default Error Handler, the
InvalidPathException message is included in the error response, revealing the
full server path to the requesting system.
[1] https://nvd.nist.gov/vuln/detail/CVE-2017-7656
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-7657
[3] https://nvd.nist.gov/vuln/detail/CVE-2017-7658
[4] https://nvd.nist.gov/vuln/detail/CVE-2017-9735
[5] https://nvd.nist.gov/vuln/detail/CVE-2018-12536
Bug: Issue 9952
Change-Id: I1ebb91406b88289e3803ffb1d5049ea7352c695c
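Added example, not Jetty's or Gerrit's code: a small Python model of the two request-desynchronisation bugs quoted above, CVE-2017-7657 (chunk-size integer overflow) and CVE-2017-7658 (conflicting length headers), next to the parsing rules a hardened server applies. The 32-bit wraparound model, the chunk-size cap, the function names and the sample smuggled body are constructed for illustration and are not taken from Jetty.

```python
import re

INT32_MASK = 0xFFFFFFFF
MAX_CHUNK_SIZE = 1 << 24  # assumed per-chunk cap; choose one that fits the application


def _wrap_int32(value):
    """Model two's-complement wraparound of a Java-style signed 32-bit int."""
    value &= INT32_MASK
    return value - (1 << 32) if value & 0x80000000 else value


def parse_chunk_size_vulnerable(line):
    """Hex chunk-size parsing with a wrapping 32-bit accumulator (a model of the
    CVE-2017-7657 pattern, not Jetty's code): 0x100000005 silently becomes 5."""
    size = 0
    for ch in line.split(";", 1)[0].strip():
        size = _wrap_int32(size * 16 + int(ch, 16))
    return size


def parse_chunk_size_safe(line, max_size=MAX_CHUNK_SIZE):
    """Accept only a bounded hex chunk size; anything else is a protocol error."""
    field = line.split(";", 1)[0].strip()  # chunk extensions (";name=value") are ignored
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", field):
        raise ValueError("malformed chunk size: %r" % line)
    size = int(field, 16)
    if size > max_size:
        raise ValueError("chunk size %d exceeds limit %d" % (size, max_size))
    return size


def decode_chunked(body, parse_size):
    """Decode a chunked body with the given size parser.

    Returns (payload, leftover). Leftover bytes are what a server would treat
    as the next pipelined request on the same connection."""
    payload = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = parse_size(body[pos:end].decode("ascii"))
        pos = end + 2
        if size == 0:  # last chunk: skip trailer lines up to the empty line
            while True:
                end = body.index(b"\r\n", pos)
                line = body[pos:end]
                pos = end + 2
                if not line:
                    return bytes(payload), body[pos:]
        payload += body[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def framing_headers(headers):
    """Decide how the body is delimited from a list of (name, value) pairs.

    Ambiguous framing is rejected outright (RFC 7230 section 3.3.3), because an
    intermediary resolving it differently from the origin is exactly what
    CVE-2017-7658 exploited."""
    lengths = [v.strip() for n, v in headers if n.lower() == "content-length"]
    encodings = [v.strip() for n, v in headers if n.lower() == "transfer-encoding"]
    if lengths and encodings:
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if len(lengths) > 1:
        raise ValueError("multiple Content-Length headers")
    if encodings:
        if encodings[-1].lower() != "chunked":
            raise ValueError("unsupported Transfer-Encoding: %r" % encodings[-1])
        return ("chunked", None)
    if lengths:
        if not re.fullmatch(r"[0-9]+", lengths[0]):
            raise ValueError("malformed Content-Length: %r" % lengths[0])
        return ("length", int(lengths[0]))
    return ("length", 0)


def rejects(func, *args):
    """True if func(*args) raises ValueError (used to exercise the hardened paths)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


# Constructed request body: a front-end proxy sees one 4 GiB chunk and forwards
# everything as chunk data; an origin with the wrapping parser reads a 5-byte
# chunk, the terminating chunk, and then "GET /admin ..." as a fresh request
# the proxy never authorised.
SMUGGLED_BODY = (
    b"100000005\r\nhello\r\n0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"
)

if __name__ == "__main__":
    payload, leftover = decode_chunked(SMUGGLED_BODY, parse_chunk_size_vulnerable)
    print("wrapping parser: payload=%r leftover=%r" % (payload, leftover))
    print("hardened parser rejects body:", rejects(decode_chunked, SMUGGLED_BODY, parse_chunk_size_safe))
```

The hardened rules are deliberately stricter than the RFC minimum: a duplicate Content-Length with identical values could be tolerated, but refusing it costs nothing and removes one more way for the proxy and the origin to disagree.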
This upgrade fixes CVE-2018-1000180 [1]:
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier
have a flaw in the Low-level interface to RSA key pair generator,
specifically RSA Key Pairs generated in low-level API with added
certainty may have less M-R tests than expected. This appears to be
fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
and CVE-2018-1000613 [2]:
Bouncy Castle Java Cryptography APIs version prior to version 1.60
contains a CWE-470: Use of Externally-Controlled Input to Select
Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT
private key deserialization: deserializing an XMSS/XMSS^MT private key
can result in the execution of unexpected code. This attack appears to
be exploitable via a handcrafted private key that can include
references to unexpected classes, which will be picked up from the
class path of the executing application. This vulnerability appears to
have been fixed in 1.60 and later.
Bouncycastle 1.57 introduced generics in its APIs. Remove the casts
and @SuppressWarnings("unchecked") annotations that are not necessary
any more.
[1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000180
[2] https://nvd.nist.gov/vuln/detail/CVE-2018-1000613
Bug: Issue 9952
Change-Id: I9b25b1568ac7da555de96d82c597b3dff47966c6
This upgrade fixes CVE-2018-10237 [1]:
Unbounded memory allocation in Google Guava 11.0 through 24.x before
24.1.1 allows remote attackers to conduct denial of service attacks
against servers that depend on this library and deserialize
attacker-provided data, because the AtomicDoubleArray class (when serialized
with Java serialization) and the CompoundOrdering class (when
serialized with GWT serialization) perform eager allocation without
appropriate checks on what a client has sent and whether the data size
is reasonable.
[1] https://nvd.nist.gov/vuln/detail/CVE-2018-10237
This also adds dependency on j2objc-annotations to prevent the following
warning during the build:
INFO: From Building java/com/google/gerrit/lucene/liblucene.jar (12 source files):
warning: unknown enum constant ReflectionSupport$Level.FULL
reason: class file for com.google.j2objc.annotations.ReflectionSupport$Level not found
Bug: Issue 9952
Change-Id: Iea79ee7d93c4b7c85479b5ec01ee07e19beed611
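Added example, not Guava's or Gerrit's code: the deserialization pattern behind CVE-2018-10237, trusting a sender-supplied element count and allocating for it eagerly, next to a decoder that checks the count against a cap and against the bytes actually present before allocating. The wire format (big-endian u32 count followed by IEEE-754 doubles), the cap and the function names are constructed stand-ins for Java serialization, chosen so the example runs offline.

```python
import struct

MAX_ELEMENTS = 1_000_000  # assumed application-level cap on array length


def encode_double_array(values):
    """Constructed wire format: big-endian u32 element count, then IEEE-754 doubles."""
    return struct.pack(">I", len(values)) + struct.pack(">%dd" % len(values), *values)


def decode_eager(buf):
    """Vulnerable pattern: allocate for the declared count before reading anything.

    The count comes straight from the sender, so a 4-byte message claiming
    2**32-1 elements makes this reserve roughly 32 GiB (8 bytes per list slot
    in CPython) and never gets as far as noticing the data is missing."""
    (count,) = struct.unpack_from(">I", buf, 0)
    out = [0.0] * count  # eager allocation sized by untrusted input
    for i in range(count):
        (out[i],) = struct.unpack_from(">d", buf, 4 + 8 * i)
    return out


def decode_bounded(buf, max_elements=MAX_ELEMENTS):
    """Hardened: validate the count against a cap and against the payload length
    before any allocation happens."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    (count,) = struct.unpack_from(">I", buf, 0)
    if count > max_elements:
        raise ValueError("declared %d elements, limit is %d" % (count, max_elements))
    needed = 4 + 8 * count
    if len(buf) != needed:
        raise ValueError("declared %d elements but got %d bytes" % (count, len(buf)))
    return list(struct.unpack_from(">%dd" % count, buf, 4))


def eager_allocation_bytes(buf):
    """Bytes decode_eager would reserve for buf (8 per slot), computed without running it."""
    (count,) = struct.unpack_from(">I", buf, 0)
    return 8 * count


def hostile_message():
    """Constructed attacker payload: a header claiming 2**32-1 elements and no data."""
    return struct.pack(">I", 0xFFFFFFFF)


def rejects(func, *args):
    """True if func(*args) raises ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = encode_double_array([1.5, -2.0, 3.25])
    print("round trip:", decode_bounded(msg))
    print("eager decoder would reserve %d bytes for a %d-byte message"
          % (eager_allocation_bytes(hostile_message()), len(hostile_message())))
    print("bounded decoder rejects it:", rejects(decode_bounded, hostile_message()))
```

The same check applies wherever a length prefix drives allocation: bound it by policy, then by what has actually arrived, and only then allocate. Upgrading the library fixes the known classes; the check is what protects classes nobody has audited yet.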
This upgrade fixes CVE-2018-10936 [1]:
A weakness was found in postgresql-jdbc before version 42.2.5. It was
possible to provide an SSL Factory and not check the host name if a
host name verifier was not provided to the driver. This could lead to
a condition where a man-in-the-middle attacker could masquerade as a
trusted server by providing a certificate for the wrong host, as long
as it was signed by a trusted CA.
[1] https://nvd.nist.gov/vuln/detail/CVE-2018-10936
Bug: Issue 9952
Change-Id: I32972ae466a7876c221e6b678ffddcf3ca5a5a10
This upgrade fixes CVE-2015-1832 [1]:
XML external entity (XXE) vulnerability in the SqlXmlUtil code in
Apache Derby before 10.12.1.1, when a Java Security Manager is not
in place, allows context-dependent attackers to read arbitrary files
or cause a denial of service (resource consumption) via vectors
involving XmlVTI and the XML datatype.
[1] https://nvd.nist.gov/vuln/detail/CVE-2015-1832
Bug: Issue 9952
Change-Id: I632d3048c21baece089affdd01e2e7782dbaebc6
* stable-2.14:
Update JGit to 4.7.5.201810051826-r
ElasticContainer: Use Elasticsearch 6.4.2 for V6_4 tests
Upgrade elasticsearch-rest-client to 6.4.2
Upgrade jackson-core to 2.9.7
Change-Id: Ia3e641679225e4897825e003e0ddb3ba764c0b50
This is a cherry-pick of stable-2.15 recently merged commit f69a822.
This pick assumes that Elasticsearch 6.x.y is still also maintained for
the stable-2.14 branch.
According to the release notes [1] this release does not include
any client fixes. This is just to keep up to date with the latest
version.
[1] https://www.elastic.co/guide/en/elasticsearch/reference/current/release-notes-6.4.2.html
Change-Id: I3fe434416537625f8963baec85bfabb7c735bed7
There have been several releases since 2.6.6 including many bug
fixes and security fixes.
jackson-core is only used by the Elasticsearch integration; update
the BUILD file to explicitly restrict visibility to that package.
Change-Id: I27fc60caf51721d885776a9eea478c2ec0cea2cf
* stable-2.14:
Update jruby to 9.1.17 and asciidoctorj to v1.5.7
Elasticsearch: Ensure request URI is always prefixed with "/"
AbstractElasticIndex: Factor out more variants of {post,perform}Request
rest-api-projects: Fix "unterminated listing block" warning
config-gerrit: Fix "invalid reference: database.h2.cachesize" warning
Bazel: Specify name for downloaded file to http_file starlark rule
Set version to 2.14.14-SNAPSHOT
Change-Id: I8a3bf774120fadea7c52871047b99631e2a798de
In I44ca2ecfea6 the native http_file was replaced with a Starlark rule. During
this migration the original file name was lost and hard-coded to a file
named "downloaded". closure_js_library expects files with a .js suffix
as source files, so we had to add an intermediate rename step to
make it work again.
In the context of feature request [1], downloaded_file_path was added
to the http_file rule [2], so we can use it now and remove the
intermediate renaming step.
The aforementioned fix was included in 0.17.1 and we already have that
version as the minimum required Bazel version, so we can clean that
up now.
[1] https://github.com/bazelbuild/bazel/issues/5633
[2] https://github.com/bazelbuild/bazel/pull/5647
Change-Id: Ia00e5d7b4eb9c18be808b290ac299e658ab33b9a
* stable-2.14:
ElasticContainer: Use Elasticsearch 6.4.1 for V6_4 tests
AbstractDaemonTest: Don't delete common server path too early
Fix toolchain definitions for bazel 0.17.1
Bazel: Bump baseline to 0.17.1
Change-Id: Ied727b76e0bc13ab8cb8d20372514edacc56e70f
* stable-2.14:
Add support for Elasticsearch 6.4.0
Upgrade elasticsearch-rest-client to 6.4.0
ElasticVersion: Say 'Unsupported' rather than 'Invalid'
Change-Id: Id68197d3f4a43e19711581366ed234cb420957d9
* stable-2.14:
InitSshd: Use correct flag to set empty passphrase
SshSession: Specify charset in constructor of Scanner
Specify charset in constructors of InputStreamReader
Update JGit dependencies to fix building from source
Change-Id: I994d9d26bb7a1b1333a6380fb81126c1e8dc026d
Depends on [1] which harmonizes JGit's dependency names to align with
the names used in Gerrit since change I1e75690fe. Without [2], the
build will fail with errors like:
"no such package '@commons_compress//jar'"
Also move the 'hamcrest-library' dependency out of WORKSPACE into the
jgit rules where it will be added conditionally.
[1] https://git.eclipse.org/r/#/c/128354/
Change-Id: I33be13e7f36ec2bcacbb9eb0983c88c6f3082097
* stable-2.14:
Fix http_archive rule in WORKSPACE
ConfigInfoImpl: Return raw byte value for effective value
TransferConfig: Move getEffectiveMaxObjectSizeLimit to ProjectState
Change-Id: Ib58995f7f6db32e2585c285b3d3dceb6b358848f
Building the Eclipse project on Mac failed for me with:
ERROR: /Users/ekempin/git/gerrit/WORKSPACE:15:1: //external:io_bazel_rules_closure: no such attribute 'url' in 'http_archive' rule
ERROR: /Users/ekempin/git/gerrit/WORKSPACE:15:1: //external:io_bazel_rules_closure: missing value for mandatory attribute 'urls' in 'http_archive' rule
Change-Id: I03620a3eaf74138c15ff205dbcb349fcb7845f46
Signed-off-by: Edwin Kempin <ekempin@google.com>
Besides the usual bug fixes and optimizations, the more recent versions
implement missing features like being able to set network timeouts to
avoid connections hung due to network disruptions [1].
[1] https://github.com/pgjdbc/pgjdbc/pull/849
Change-Id: Idb8b0376fc24b1d050b72057303c551d36fa931b
* stable-2.14:
Minor improvements in receive.maxObjectSizeLimit documentation
Bazel: Consume rules_closure from HEAD
Bump auto-value to 1.6.2
Change-Id: I401942a40c5001300f77f9437d342001cd42e619
Now that both changes are merged, consume rules_closure from HEAD
and avoid patching it during the build [1].
[1] d1c92e34f2
Change-Id: I5afeccb17e4ef76b2ec86f9f8b7f2741bf8d4e93
* stable-2.14:
Set version to 2.14.11
Upgrade elasticsearch-rest-client to 6.3.2
StalenessChecker: URLDecode project name before checking staleness
AbstractQueryChangesTest: Add a test with project name that requires URL encoding
Upgrade Dropwizard Metrics to 4.0.3
Upgrade JGit to 4.7.2.201807261330-r
Fix typos in documentation of 'List Files' REST API element
Change-Id: Ie19c82d34971264780d636843ccd76438f23a76e
This version includes several bug fixes, but most are related to
the server rather than the client. This upgrade is only to make
sure we're using the latest version.
Refer to the release notes [1] for details.
Also update the test container to test against version 6.3.2.
[1] https://www.elastic.co/guide/en/elasticsearch/reference/current/release-notes-6.3.2.html
Change-Id: I80e65f4fe267cf487fddb759b3914e54e31164f3
There are no specific fixes that we need in this version - in fact
most of the changes are related to tests - so this upgrade is only
to align to the latest version.
Change-Id: I6e01398a05859b411fdbcd7db388e3061f866f53
* stable-2.14:
GerritServer: save gerrit.config before site init
ReindexIT: remove unnecessary method throws clause
RestSession#postWithHeader: Make parameter order consistent with #putWithHeader
Bump guice version to 4.2.0
Change-Id: Ibdedb3281414a140b214cb8c9006754cff542d25
The new version provides better support for Java 9 and improves
performance. The multibindings artifact is now included in the guice
core artifact. The full release notes are here: [1].
[1] https://github.com/google/guice/wiki/Guice42
Change-Id: I208d53ce1cf9b99ed8f03ae34470e95c3b8f71ce
(cherry picked from commit 1fa7774d237d0ea864b9f03b6551fd1ebef0c619)
This dependency is not used in gerrit core. The only reason it's
included in WORKSPACE is because core replication plugin depends on it
and there is no way in Bazel to consume external dependency in core
plugin without defining this dependency in WORKSPACE file.
It turns out that gitblit-plugin also depends on commons-io, but on a
newer version. Sync the versions to the same version used by gitblit.
Change-Id: Iae3545df95b23439d3c7fd385bfeae482d6d60ac
(cherry picked from commit 6488535f737cdce5feeca2550ce402d803d4d5a9)
Support for 6.3.0 was added in 2.14.9 but we overlooked upgrading
the REST client to the same version.
Change-Id: Ifc681fa07759715cc876e71dbfc9490b2b096c9d
* stable-2.14:
Elasticsearch: Adapt version discovery for version 6
AbstractIndexTests#assertQuery: Rename to assertChangeQuery
ProjectConfig#saveLabelSections: Save "branch" values
Upgrade testcontainers to version 1.8.0
Change-Id: I073b569e2cdb551030c1d5e233005417f4f5f16c