Hi Julian,

The references to the "unstable" versions are unfortunate, but they don't have an impact on the operation. Also, all the tests pass so far. The only user of commons-collections is vault-cli, and I don't think that this is vulnerable to the serialization vulnerability. Oak is not included at all, only parts of jackrabbit-2.13.7 in the command line client for the DavEx interoperability. Here's the list of bundled libraries in vault-cli:

commons-cli-2.0-mahout.jar
commons-codec-1.10.jar
commons-collections-3.2.1.jar
commons-io-2.4.jar
commons-jci-fam-1.0.jar
commons-logging-1.0.3.jar
commons-logging-api-1.1.jar
diffutils-1.2.1.jar
guava-15.0.jar
httpclient-4.5.2.jar
httpcore-4.4.4.jar
httpmime-4.5.2.jar
jackrabbit-api-2.13.7.jar
jackrabbit-jcr-client-2.13.7.jar
jackrabbit-jcr-commons-2.13.7.jar
jackrabbit-jcr2spi-2.13.7.jar
jackrabbit-spi-2.13.7.jar
jackrabbit-spi-commons-2.13.7.jar
jackrabbit-spi2dav-2.13.7.jar
jackrabbit-webdav-2.13.7.jar
jcl-over-slf4j-1.5.8.jar
jcr-2.0.jar
jline-0.9.94.jar
log4j-1.2.12.jar
org.apache.sling.commons.osgi-2.0.6.jar
org.apache.sling.jcr.api-2.0.6.jar
slf4j-api-1.5.8.jar
slf4j-log4j12-1.5.8.jar

However, if you think this is really a no-go, please indicate which versions you would use, and I will update them for the next release, if the vote fails.

Thanks.
Regards, Toby

BTW: there should be a mechanism to mark libraries as invalid/revoked so that they can't be referenced by other projects.

On Fri, Mar 10, 2017 at 8:08 PM, Julian Reschke <[email protected]> wrote:
> On 2017-03-10 07:39, Julian Reschke wrote:
>
>> On 2017-03-10 04:05, Tobias Bocanegra wrote:
>>
>>> ...
>>>
>>
>> [X] -1 Do not release this package because...
>>
>> ...it references unstable releases of Jackrabbit and Oak.
>>
>
> ...it also uses commons-collections 3.2.1... (<https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-32731/version_id-187982/Apache-Commons-Collections-3.2.1.html>). Should be 3.2.2.
>
> Best regards, Julian
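The two objections in the vote (a commons-collections below 3.2.2, and Jackrabbit jars from an unstable line) are both mechanical checks over the jar list Toby posted, so here is an added example that runs them; it is not code from FileVault, vault-cli or either participant. The jar list is copied from the message. The minimum-version policy encodes Julian's point: commons-collections 3.2.2 is the release that disables deserialization of the functor (InvokerTransformer) gadget classes by default, which is what the "serialization vulnerability" refers to. The odd-minor rule is an assumption about Jackrabbit's and Oak's versioning (2.13.x cut from trunk, 2.12.x/2.14.x stable), and the `oak-` prefix is likewise assumed. Note what the check does not tell you: it reports whether a vulnerable version is bundled, not whether vault-cli ever deserializes attacker-controlled data, which is the separate question Toby raises.

```python
"""Audit a space-separated list of bundled jar names against a version policy.

Added example for the thread above; not part of FileVault or vault-cli.
"""
import re

# Copied from the thread: the jars bundled in vault-cli.
BUNDLED_JARS = (
    "commons-cli-2.0-mahout.jar commons-codec-1.10.jar commons-collections-3.2.1.jar "
    "commons-io-2.4.jar commons-jci-fam-1.0.jar commons-logging-1.0.3.jar "
    "commons-logging-api-1.1.jar diffutils-1.2.1.jar guava-15.0.jar httpclient-4.5.2.jar "
    "httpcore-4.4.4.jar httpmime-4.5.2.jar jackrabbit-api-2.13.7.jar "
    "jackrabbit-jcr-client-2.13.7.jar jackrabbit-jcr-commons-2.13.7.jar "
    "jackrabbit-jcr2spi-2.13.7.jar jackrabbit-spi-2.13.7.jar jackrabbit-spi-commons-2.13.7.jar "
    "jackrabbit-spi2dav-2.13.7.jar jackrabbit-webdav-2.13.7.jar jcl-over-slf4j-1.5.8.jar "
    "jcr-2.0.jar jline-0.9.94.jar log4j-1.2.12.jar org.apache.sling.commons.osgi-2.0.6.jar "
    "org.apache.sling.jcr.api-2.0.6.jar slf4j-api-1.5.8.jar slf4j-log4j12-1.5.8.jar"
)

# Minimum acceptable versions. commons-collections 3.2.2 disables deserialization
# of the InvokerTransformer family of gadget classes by default; 3.2.1 and earlier
# are the versions on the cvedetails page linked in the thread.
MIN_VERSIONS = {"commons-collections": "3.2.2"}

# Assumption: Jackrabbit and Oak use odd minor numbers (2.13.x) for unstable
# releases cut from trunk and even ones (2.12.x, 2.14.x) for stable lines.
UNSTABLE_ODD_MINOR_PREFIXES = ("jackrabbit-", "oak-")

# artifact id, then a dash, then a version that starts with a digit (qualifiers
# such as "2.0-mahout" are kept as part of the version string).
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_jar(name):
    """Split 'artifact-1.2.3.jar' into ('artifact', '1.2.3'); None if no version found."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Numeric tuple for ordering: '2.0-mahout' -> (2, 0). Qualifiers are dropped."""
    key = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def audit(jar_list):
    """Return [(jar, reason)] for every jar that violates the policy above."""
    findings = []
    for jar in jar_list.split():
        parsed = parse_jar(jar)
        if parsed is None:
            findings.append((jar, "unparseable name"))
            continue
        artifact, version = parsed
        floor = MIN_VERSIONS.get(artifact)
        if floor and version_key(version) < version_key(floor):
            findings.append((jar, f"below minimum {floor}"))
        if artifact.startswith(UNSTABLE_ODD_MINOR_PREFIXES):
            key = version_key(version)
            if len(key) > 1 and key[1] % 2 == 1:
                findings.append((jar, "unstable (odd minor) release"))
    return findings


def artifacts(jar_list):
    """Set of artifact ids, e.g. to confirm that nothing from Oak is bundled."""
    return {p[0] for p in map(parse_jar, jar_list.split()) if p}


if __name__ == "__main__":
    for jar, reason in audit(BUNDLED_JARS):
        print(f"{jar}: {reason}")
    print("oak bundled:", any(a.startswith("oak-") for a in artifacts(BUNDLED_JARS)))
```

Run against the posted list it reports exactly the two things the -1 vote names: commons-collections-3.2.1.jar below the 3.2.2 floor, and the eight jackrabbit-*-2.13.7 jars as odd-minor releases, while confirming that no oak-* artifact is bundled. To use it on a real release candidate, feed it the output of listing the lib directory instead of the constant.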
