Conversation

@jart
Contributor

@jart jart commented Mar 7, 2016

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a Turing machine. A Turing machine
with an exec() function!

https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

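A defender-side check for the situation jart describes, added here as an example and not part of this PR or the Spring Security build: it scans a set of jars for a commons-collections copy older than 3.2.2, the release in which the Apache security report above records the fix, reading the Maven pom.properties first and falling back to the manifest for renamed or shaded copies. The jars it runs on are constructed in make_jar; the FUNCTORS_PKG fallback heuristic and the Dummy.class entry are assumptions for the demo.

```python
import io
import re
import zipfile

# 3.2.2 is the first 3.x release that disabled deserialization of the unsafe
# functor classes by default; any older copy on the classpath gets flagged.
FIXED_VERSION = (3, 2, 2)
POM_PROPS = "META-INF/maven/commons-collections/commons-collections/pom.properties"
FUNCTORS_PKG = "org/apache/commons/collections/functors/"
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); a missing patch component counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def _first_value(lines, prefix, sep):
    for line in lines:
        if line.startswith(prefix):
            return line.split(sep, 1)[1].strip()
    return None

def commons_collections_version(jar_bytes):
    """Version embedded in a commons-collections jar, or None for any other jar.
    Prefers Maven pom.properties; falls back to the manifest only when the jar
    really carries the functors package, so renamed or shaded copies are caught."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            return _first_value(zf.read(POM_PROPS).decode().splitlines(), "version=", "=")
        if MANIFEST in names and any(n.startswith(FUNCTORS_PKG) for n in names):
            return _first_value(zf.read(MANIFEST).decode().splitlines(), "Implementation-Version:", ":")
    return None

def audit(classpath):
    """classpath: {jar name: jar bytes}. Returns names of jars shipping a pre-3.2.2 commons-collections."""
    versions = {n: commons_collections_version(d) for n, d in classpath.items()}
    return [n for n, v in versions.items() if v is not None and parse_version(v) < FIXED_VERSION]

def make_jar(version, with_pom=True):
    """Constructed minimal jar for the demo, not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(FUNCTORS_PKG + "Dummy.class", b"")  # placeholder entry with an empty body
        if with_pom:
            zf.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()
```

Against a real build, feed audit() the bytes of every jar on the runtime classpath; a non-empty result means the gadget library is still present regardless of whether the application itself imports it.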
@rwinch
Member

rwinch commented Mar 8, 2016

Thanks for the PR! This is now merged into master via 3bbcbaa

PS: I love to give contributors attribution in the release announcement. Do you have a preferred way for me to mention you (i.e. link to Twitter, GitHub profile, blog, etc.)?

@rwinch rwinch closed this Mar 8, 2016
@rwinch rwinch added the "in: build" and "type: enhancement" labels Mar 8, 2016
@rwinch rwinch added this to the 4.1.0 RC1 milestone Mar 8, 2016
@rwinch rwinch self-assigned this Mar 8, 2016
@jart
Contributor Author

jart commented Mar 8, 2016

It's very gracious of you to offer attribution. But really, all I'm doing is grepping through GitHub. If you insist, you can mention me by name and email. You're also welcome to link to my GitHub profile :)

@rwinch
Member

rwinch commented Mar 8, 2016

@jart I will mention your GitHub profile then. Thanks again for the contribution!

@jart
Contributor Author

jart commented Mar 8, 2016

<3

@jart jart deleted the patch-1 branch September 13, 2017 15:42