[ 
https://issues.apache.org/jira/browse/CONNECTORS-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16736848#comment-16736848
 ] 

Markus Schuch commented on CONNECTORS-1565:
-------------------------------------------

Thanks for your analysis Karl.

I still vote to proceed with the update, because security scanners will always 
report us with the known issue. The version step is minor and the release notes 
state that the 3.2.2 is fully compatible with other 3.2 versions.

It also seems not to be widely used in our project:
[https://github.com/apache/manifoldcf/search?q=%22org.apache.commons.collections%22&unscoped_q=%22org.apache.commons.collections%22]

What do you think? Should I proceed with the update or close this ticket?

> Upgrade commons-collections to 3.2.2 (CVE-2015-6420)
> ----------------------------------------------------
>
>                 Key: CONNECTORS-1565
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1565
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: Framework core
>    Affects Versions: ManifoldCF 2.12
>            Reporter: Markus Schuch
>            Assignee: Markus Schuch
>            Priority: Critical
>             Fix For: ManifoldCF next
>
>
> We should upgrade commons-collections to 3.2.2 due to a known security issue 
> with 3.2.1
> https://commons.apache.org/proper/commons-collections/security-reports.html
> Further reading:
> [http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-andyour-application-have-in-common-this-vulnerability/]
> [https://www.cvedetails.com/cve/CVE-2015-6420/]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
