Kepler: Issues (Ecoinformatics Redmine, https://projects.ecoinformatics.org/ecoinfo/), updated 2016-05-03T18:57:04Z
Redmine Bug #7019 (Resolved): cloning problems in NamedObj and AtomicActor
https://projects.ecoinformatics.org/ecoinfo/issues/7019 (2016-05-03T18:57:04Z, Daniel Crawl, danielcrawl@gmail.com)
<p>I'm attaching a patch to fix cloning issues in NamedObj.java:</p>
<pre>
// Since _debugListeners is null, _debugging should be
// false to avoid error message in _debug()
</pre>
<p>and AtomicActor.java:</p>
<pre>
// When super.clone() is called below, attributes that are
// contained in this actor are also cloned, which includes
// calling methods on these attributes such as setContainer().
// These methods may add themselves to the firing listeners
// or initializables lists in the newObject clone, so we do
// not want to clear these lists in newObject after super.clone().
// Instead, save this instance's lists here and restore them after
// call super.clone().
</pre>

Bug #6928 (Resolved): Check Kepler for the Apache commons deserialization problems, consider remo...
https://projects.ecoinformatics.org/ecoinfo/issues/6928 (2016-01-04T21:21:00Z, Christopher Brooks, cxh@eecs.berkeley.edu)
<p>I recently had a Windows machine that was successfully attacked because it was running an old version of Jenkins that was susceptible to an attack via Apache Commons Java deserialization. The email from campus stated:</p>
<blockquote>
<p>"The snort alarms concern an apparent remote attack against a "serious vulnerability in Apache Commons, a library that contains a widely used set of Java components maintained by the Apache Software Foundation, puts thousands of Java applications and servers at risk of remote code execution attacks. The library is used by default in multiple Java application servers and other products including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS."</p>
<p>"Please see"</p>
<p><a class="external" href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/">http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/</a></p>
<p><a class="external" href="http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html">http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html</a></p>
<p><a class="external" href="https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread">https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread</a></p>
</blockquote>
<p>It looks like Kepler includes the library in question:</p>
<pre>
bash-3.2$ find . -name "*.jar" | xargs grep -Rl InvokerTransformer
./configuration-manager/lib/jar/commons-collections-3.2.1.jar
</pre>
<p>commons-collections-3.2.1.jar contains classes in packages starting with org.apache.commons.collections</p>
<p>However, I believe that the Kepler *.java files are not directly using those classes; below are the classes in org.apache.commons that are imported. Note that we are not importing classes from org.apache.commons.collections:</p>
<pre>
bash-3.2$ find . -name "*.java" | xargs grep org.apache.commons | grep import | tr -d '\r' | awk '{print $NF}' | sort | uniq -c | sort -nr
235 org.apache.commons.logging.LogFactory;
235 org.apache.commons.logging.Log;
3 org.apache.commons.io.IOUtils;
3 org.apache.commons.configuration.XMLConfiguration;
2 org.apache.commons.net.ftp.FTP;
2 org.apache.commons.lang.StringEscapeUtils;
2 org.apache.commons.io.FileUtils;
2 org.apache.commons.httpclient.methods.multipart.StringPart;
2 org.apache.commons.httpclient.methods.multipart.Part;
2 org.apache.commons.httpclient.methods.multipart.FilePart;
2 org.apache.commons.httpclient.methods.MultipartPostMethod;
2 org.apache.commons.httpclient.methods.GetMethod;
2 org.apache.commons.httpclient.HttpException;
2 org.apache.commons.httpclient.HttpClient;
2 org.apache.commons.configuration.ConfigurationException;
1 org.apache.commons.lang.time.DateUtils;
1 org.apache.commons.lang.exception.ExceptionUtils;
1 org.apache.commons.io.FilenameUtils;
1 org.apache.commons.configuration.tree.ConfigurationNode;
1 org.apache.commons.configuration.PropertiesConfiguration;
1 org.apache.commons.configuration.HierarchicalConfiguration;
bash-3.2$
</pre>
<p>However, there could be dependencies between jar files used by Kepler and commons-collections-3.2.1.jar.</p>
<p><a class="external" href="https://www.kb.cert.org/vuls/id/576313">https://www.kb.cert.org/vuls/id/576313</a> suggests upgrading to Apache Commons Collections version 3.2.2</p>
<p>However, perhaps we can remove this class?</p>
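<p>As an added example (not part of this report and not Kepler's own code): the grep over <code>*.java</code> imports above cannot see a reference made from inside a third-party jar, which is the "dependencies between jar files" worry. A compiled class stores every class name it uses as a UTF8 constant-pool entry, so a byte search over the <code>.class</code> entries of each jar finds those dependencies as well. The script below walks a directory tree, flags any jar that ships <code>InvokerTransformer</code> and is older than the 3.2.2 release that VU#576313 recommends (the 4.1 threshold for the 4.x line comes from my own knowledge, not from this report), and lists every other jar whose classes mention the <code>org.apache.commons.collections</code> package. The jars it scans are constructed in a temporary directory with placeholder class bodies; the file names mirror the Kepler path quoted above but are not real artifacts.</p>

```python
"""Added example: scan a tree of .jar files for the commons-collections
deserialization gadget and for other jars that reference the package.
Sample jars are constructed in a temp directory; they are not Kepler's."""
import os
import re
import tempfile
import zipfile

GADGET_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"
PACKAGE_PREFIX = b"org/apache/commons/collections/"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)
FILENAME_RE = re.compile(r"commons-collections4?-(\d+(?:\.\d+)*)\.jar$")


def version_tuple(version):
    return tuple(int(p) for p in version.split("."))


def is_fixed(version):
    """3.2.2 (the release VU#576313 points at) and 4.1 are the first releases
    that refuse to deserialize the unsafe functors by default (4.1: my own
    knowledge, not stated in the report)."""
    v = version_tuple(version)
    if v[0] == 3:
        return v >= (3, 2, 2)
    if v[0] == 4:
        return v >= (4, 1)
    return v[0] > 4


def jar_version(zf, path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    if "META-INF/MANIFEST.MF" in zf.namelist():
        m = VERSION_RE.search(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        if m:
            return m.group(1)
    m = FILENAME_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def scan_jar(path):
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_gadget = GADGET_CLASS in names
        # Classes outside the collections package itself whose constant pool
        # (or any other bytes) mention the package: a compiled-in dependency.
        references = any(
            PACKAGE_PREFIX in zf.read(n)
            for n in names
            if n.endswith(".class") and not n.startswith(PACKAGE_PREFIX.decode())
        )
        return {
            "path": path,
            "has_gadget": has_gadget,
            "version": jar_version(zf, path) if has_gadget else None,
            "references_collections": references,
        }


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                findings.append(scan_jar(os.path.join(dirpath, name)))
    return findings


def vulnerable_jars(findings):
    """Gadget present and version unknown or older than the fixed release."""
    return [os.path.basename(f["path"]) for f in findings
            if f["has_gadget"] and not (f["version"] and is_fixed(f["version"]))]


def dependent_jars(findings):
    """Jars whose own classes reference the collections package."""
    return [os.path.basename(f["path"]) for f in findings if f["references_collections"]]


def _write_jar(path, entries, version=None):
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed sample jars; the class bodies are placeholders, not bytecode."""
    lib = os.path.join(root, "configuration-manager", "lib", "jar")
    os.makedirs(lib)
    stub = b"\xca\xfe\xba\xbe placeholder class body"
    _write_jar(os.path.join(lib, "commons-collections-3.2.1.jar"), {GADGET_CLASS: stub}, "3.2.1")
    _write_jar(os.path.join(lib, "commons-collections-3.2.2.jar"), {GADGET_CLASS: stub}, "3.2.2")
    # A third-party jar that uses the package: invisible to a grep of Kepler's *.java.
    _write_jar(os.path.join(root, "some-plugin.jar"),
               {"com/example/Plugin.class": stub + b" Lorg/apache/commons/collections/map/LazyMap;"})
    _write_jar(os.path.join(root, "clean.jar"), {"com/example/Clean.class": stub})
    return root


def demo():
    with tempfile.TemporaryDirectory() as root:
        findings = scan_tree(build_sample_tree(root))
        return vulnerable_jars(findings), dependent_jars(findings)


if __name__ == "__main__":
    vulnerable, dependent = demo()
    print("vulnerable:", vulnerable)
    print("reference collections:", dependent)
```

<p>Run it as-is for the constructed demo, or call <code>scan_tree(".")</code> from a Kepler checkout. The byte search is deliberately crude: it also matches a string constant that happens to contain the package name, and a hit only shows that a jar was compiled against the package, not that the gadget is reachable from something Kepler deserializes. Its value is the opposite direction: if no jar references the package and Kepler's own sources do not import it, removing <code>commons-collections-3.2.1.jar</code> is the safer option, and otherwise the 3.2.2 upgrade is the minimum.</p>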
<p>The log is below:</p>
<pre>
bash-3.2$ svn log ./configuration-manager/lib/jar/commons-collections-3.2.1.jar
------------------------------------------------------------------------
r24000 | berkley | 2010-04-27 17:12:36 -0700 (Tue, 27 Apr 2010) | 1 line
changing keywords and eol-style on the repository
------------------------------------------------------------------------
r20925 | berkley | 2009-10-07 15:06:24 -0700 (Wed, 07 Oct 2009) | 1 line
writing tests to show the capabilities of commons and yaml and to compare them
------------------------------------------------------------------------
bash-3.2$
</pre>

Bug #6634 (Closed): Error message popup not generated when saving to a write protected directory.
https://projects.ecoinformatics.org/ecoinfo/issues/6634 (2014-12-17T17:21:21Z, Artur Szostak, aszostak@partner.eso.org)
<p>In the Kepler GUI a message popup window should appear when the saving of a file fails.<br />To reproduce the problem, run the following commands in a POSIX terminal (on Fedora 20 in this case):</p>
<pre><code>curl https://code.kepler-project.org/code/kepler/releases/installers/2.4/kepler-2.4-linux.tar.gz | tar xzf -
mkdir my_workspace
chmod -w my_workspace
cp ./kepler-2.4/common-2.4.0/configs/ptolemy/configs/kepler/configuration.xml original_configuration.xml
cat original_configuration.xml | head -n 257 > ./kepler-2.4/common-2.4.0/configs/ptolemy/configs/kepler/configuration.xml
echo " &lt;property name=\"_alternateDefaultOpenDirectory\" value=\"`pwd`/my_workspace\" class=\"ptolemy.kernel.util.StringAttribute\"/&gt;" >> ./kepler-2.4/common-2.4.0/configs/ptolemy/configs/kepler/configuration.xml
cat original_configuration.xml | tail -n 1 >> ./kepler-2.4/common-2.4.0/configs/ptolemy/configs/kepler/configuration.xml
./kepler-2.4/kepler.sh</code></pre>
<p>Once Kepler has started (you might have to close the initial "welcome"/"upgrade" popup windows), follow these instructions:</p>
<pre><code>Click on the "File->Save" item from the menu bar.
Click on the "OK" button in the "Please enter a name for this workflow" popup window.
Click on the "Save" button in the "Save" popup window.</code></pre>
<p>No error message popup appears, even though there is a log message in the terminal about "permission denied".</p>