521736 – dev-java/jcs requires vulnerable version of dev-java/xmlrpc

Bug 521736 - dev-java/jcs requires vulnerable version of dev-java/xmlrpc

Summary: dev-java/jcs requires vulnerable version of dev-java/xmlrpc

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Java (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Java team

URL:
Whiteboard:
Keywords:

Depends on:	551992
Blocks:
	Show dependency tree

Reported:	2014-08-30 13:41 UTC by Johann Schmitz (ercpe) (RETIRED)
Modified:	2015-06-15 15:53 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johann Schmitz (ercpe) (RETIRED) gentoo-dev

2014-08-30 13:41:02 UTC

Even the latest code in SVN (http://svn.apache.org/viewvc/commons/proper/jcs/trunk/src/experimental/org/apache/commons/jcs/auxiliary/lateral/xmlrpc/LateralXMLRPCReceiver.java?view=markup) uses the pre-3 implementation of org.apache.xmlrpc.WebServer.

In dev-java/xmlrpc-3.x the WebServer was moved to org.apache.xmlrpc.webserver and it's public API has changed. Don't know if we can safely drop the "experimental" part from jcs.

Reproducible: Always

Comment 1 Patrice Clement gentoo-dev

2015-06-15 09:55:01 UTC

+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> jcs-2.0.ebuild:
+  Update xmlrpc dependency to xmlrpc:3 wrt to bug 521736. Drop ppc.
+

jcs-2.0 now depends on the new version of xmlrpc.

Comment 2 Patrice Clement gentoo-dev

2015-06-15 15:53:09 UTC

+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -jcs-1.2.7.9-r1.ebuild,
+  -jcs-1.3-r1.ebuild:
+  Remove vulnerable versions. Fix security bug 385811.
+