Release 1.22.1

CHANGELOG.md

@@ -1,4 +1,14 @@
 
+## 1.22.1 (24-06-2024)
+
+### Bugfix: 1
+- [#32811](https://parermine.regione.emilia-romagna.it/issues/32811)  Correzione gestione "log level error" nei casi di errori "non previsti" da "gestiti in verifica firma digitale"
+
+## 1.22.0 (12-06-2024)
+
+### Novità: 1
+- [#32708](https://parermine.regione.emilia-romagna.it/issues/32708) Disattivazione PDF/PADES validation security checks (DSS)
+
 ## 1.21.0 (10-06-2024)
 
 ### Novità: 1

CONTAINER-SCAN-REPORT.md

@@ -1,15 +1,15 @@
 ## Container scan evidence CVE
 <strong>Image name:</strong> registry.ente.regione.emr.it/parer/okd/verifica-firma-eidas:sast
-<br/><strong>Run date:</strong> Mon Jun 10 17:26:01 CEST 2024
-<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/261607">Job</a>
+<br/><strong>Run date:</strong> Mon Jun 24 11:42:47 CEST 2024
+<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/274963">Job</a>
 <br/><strong>CVE founded:</strong> 8
 | CVE | Description | Severity | Solution | 
 |:---:|:---|:---:|:---|
 | [CVE-2024-2961](http://www.openwall.com/lists/oss-security/2024/04/17/9)|The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.|High|Upgrade glibc to 2.28-251.el8_10.1|
-| [CVE-2024-33599](https://access.redhat.com/errata/RHSA-2024:3339)|nscd: Stack-based buffer overflow in netgroup cacheIf the Name Service Cache Daemon's (nscd) fixed size cache is exhaustedby client requests then a subsequent client request for netgroup datamay result in a stack-based buffer overflow.  This flaw was introducedin glibc 2.15 when the cache was added to nscd.This vulnerability is only present in the nscd binary.|High|Upgrade glibc to 2.28-251.el8_10.2|
+| [CVE-2024-33599](https://access.redhat.com/errata/RHSA-2024:3344)|nscd: Stack-based buffer overflow in netgroup cacheIf the Name Service Cache Daemon's (nscd) fixed size cache is exhaustedby client requests then a subsequent client request for netgroup datamay result in a stack-based buffer overflow.  This flaw was introducedin glibc 2.15 when the cache was added to nscd.This vulnerability is only present in the nscd binary.|High|Upgrade glibc to 2.28-251.el8_10.2|
 | [CVE-2024-2961](http://www.openwall.com/lists/oss-security/2024/04/17/9)|The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.|High|Upgrade glibc-common to 2.28-251.el8_10.1|
-| [CVE-2024-33599](https://access.redhat.com/errata/RHSA-2024:3339)|nscd: Stack-based buffer overflow in netgroup cacheIf the Name Service Cache Daemon's (nscd) fixed size cache is exhaustedby client requests then a subsequent client request for netgroup datamay result in a stack-based buffer overflow.  This flaw was introducedin glibc 2.15 when the cache was added to nscd.This vulnerability is only present in the nscd binary.|High|Upgrade glibc-common to 2.28-251.el8_10.2|
+| [CVE-2024-33599](https://access.redhat.com/errata/RHSA-2024:3344)|nscd: Stack-based buffer overflow in netgroup cacheIf the Name Service Cache Daemon's (nscd) fixed size cache is exhaustedby client requests then a subsequent client request for netgroup datamay result in a stack-based buffer overflow.  This flaw was introducedin glibc 2.15 when the cache was added to nscd.This vulnerability is only present in the nscd binary.|High|Upgrade glibc-common to 2.28-251.el8_10.2|
 | [CVE-2024-2961](http://www.openwall.com/lists/oss-security/2024/04/17/9)|The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.|High|Upgrade glibc-minimal-langpack to 2.28-251.el8_10.1|
-| [CVE-2024-33599](https://access.redhat.com/errata/RHSA-2024:3339)|nscd: Stack-based buffer overflow in netgroup cacheIf the Name Service Cache Daemon's (nscd) fixed size cache is exhaustedby client requests then a subsequent client request for netgroup datamay result in a stack-based buffer overflow.  This flaw was introducedin glibc 2.15 when the cache was added to nscd.This vulnerability is only present in the nscd binary.|High|Upgrade glibc-minimal-langpack to 2.28-251.el8_10.2|
+| [CVE-2024-33599](https://access.redhat.com/errata/RHSA-2024:3344)|nscd: Stack-based buffer overflow in netgroup cacheIf the Name Service Cache Daemon's (nscd) fixed size cache is exhaustedby client requests then a subsequent client request for netgroup datamay result in a stack-based buffer overflow.  This flaw was introducedin glibc 2.15 when the cache was added to nscd.This vulnerability is only present in the nscd binary.|High|Upgrade glibc-minimal-langpack to 2.28-251.el8_10.2|
 | [CVE-2023-6597](http://www.openwall.com/lists/oss-security/2024/03/20/5)|An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.|High|Upgrade platform-python to 3.6.8-62.el8_10|
 | [CVE-2023-6597](http://www.openwall.com/lists/oss-security/2024/03/20/5)|An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.|High|Upgrade python3-libs to 3.6.8-62.el8_10|

RELEASE-NOTES.md

@@ -1,4 +1,4 @@
-## 1.21.0 (10-06-2024)
+## 1.22.1 (24-06-2024)
 
-### Novità: 1
-- [#32690](https://parermine.regione.emilia-romagna.it/issues/32690)  Introduzione di logica centralizzata per invocazione revocation URL via "single client instance" (DSS)
+### Bugfix: 1
+- [#32811](https://parermine.regione.emilia-romagna.it/issues/32811)  Correzione gestione "log level error" nei casi di errori "non previsti" da "gestiti in verifica firma digitale"

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>verifica-firma-eidas</artifactId>
-	<version>1.21.1-SNAPSHOT</version>
+	<version>1.22.2-SNAPSHOT</version>
 	<packaging>${packaging.type}</packaging>
 	<name>Verifica Firma EIDAS</name>
 	<description>Progetto per effettuare firme e validazioni con librerie DSS (EIDAS)</description>

src/main/java/it/eng/parer/eidas/core/bean/CommonsDataHttpClient.java

@@ -1,3 +1,19 @@
+/*
+ * Engineering Ingegneria Informatica S.p.A.
+ *
+ * Copyright (C) 2023 Regione Emilia-Romagna
+ * <p/>
+ * This program is free software: you can redistribute it and/or modify it under the terms of
+ * the GNU Affero General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ * <p/>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU Affero General Public License for more details.
+ * <p/>
+ * You should have received a copy of the GNU Affero General Public License along with this program.
+ * If not, see <https://www.gnu.org/licenses/>.
+ */
 
 package it.eng.parer.eidas.core.bean;
 
@@ -763,8 +779,9 @@ private HttpClientConnectionManager getConnectionManager() {
         final PoolingHttpClientConnectionManager connectionManager = builder.build();
         connectionManager.setDefaultConnectionConfig(connectionConfigBuilder.build());
 
-        LOG.debug("PoolingHttpClientConnectionManager: max total: {}", connectionManager.getMaxTotal());
-        LOG.debug("PoolingHttpClientConnectionManager: max per route: {}", connectionManager.getDefaultMaxPerRoute());
+        LOG.atDebug().log("PoolingHttpClientConnectionManager: max total: {}", connectionManager.getMaxTotal());
+        LOG.atDebug().log("PoolingHttpClientConnectionManager: max per route: {}",
+                connectionManager.getDefaultMaxPerRoute());
 
         return connectionManager;
     }
@@ -782,22 +799,22 @@ private SSLConnectionSocketFactory getConnectionSocketFactoryHttps() {
 
             final TrustStrategy trustStrategy = getTrustStrategy();
             if (trustStrategy != null) {
-                LOG.debug("Set the TrustStrategy");
+                LOG.atDebug().log("Set the TrustStrategy");
                 sslContextBuilder.loadTrustMaterial(null, trustStrategy);
             }
 
             final KeyStore sslTrustStore = getSSLTrustStore();
             if (sslTrustStore != null) {
-                LOG.debug("Set the SSL trust store as trust materials");
+                LOG.atDebug().log("Set the SSL trust store as trust materials");
                 sslContextBuilder.loadTrustMaterial(sslTrustStore, trustStrategy);
             }
 
             final KeyStore sslKeystore = getSSLKeyStore();
             if (sslKeystore != null) {
-                LOG.debug("Set the SSL keystore as key materials");
+                LOG.atDebug().log("Set the SSL keystore as key materials");
                 sslContextBuilder.loadKeyMaterial(sslKeystore, sslKeystorePassword);
                 if (loadKeyStoreAsTrustMaterial) {
-                    LOG.debug("Set the SSL keystore as trust materials");
+                    LOG.atDebug().log("Set the SSL keystore as trust materials");
                     sslContextBuilder.loadTrustMaterial(sslKeystore, trustStrategy);
                 }
             }

src/main/java/it/eng/parer/eidas/core/bean/CustomDataLoaderExt.java

@@ -120,7 +120,7 @@ default byte[] customLdapGet(String urlString) {
     /* apache dataHttpClient management */
 
     default byte[] customPost(String url, byte[] content) {
-        logger().debug("Fetching data via POST from url {}", url);
+        logger().atDebug().log("Fetching data via POST from url {}", url);
 
         HttpPost httpRequest = null;
         // The length for the InputStreamEntity is needed, because some receivers (on
@@ -156,6 +156,8 @@ default byte[] customPost(String url, byte[] content) {
     }
 
     default byte[] customHttpGet(String url) {
+        logger().atDebug().log("Fetching data via GET from url {}", url);
+
         HttpGet httpRequest = null;
 
         try {
@@ -189,7 +191,7 @@ default ContentType toContentTypeExt(String contentTypeString) {
     public Logger logger();
 
     /*
-     * define standard getter & setter (inherint from {@link CommonsDataLoader})
+     * define standard getter & setter (inherit from {@link CommonsDataLoader})
      */
 
     public byte[] execute(final CloseableHttpClient client, final HttpUriRequest httpRequest) throws IOException;