[jira] [Created] (PHOENIX-2749) Upgrade Apache Commons Collections to v3.2.2

Sat, 05 Mar 2016 16:44:00 -0800 

James Taylor created PHOENIX-2749:
-------------------------------------

             Summary: Upgrade Apache Commons Collections to v3.2.2
                 Key: PHOENIX-2749
                 URL: https://issues.apache.org/jira/browse/PHOENIX-2749
             Project: Phoenix
          Issue Type: Bug
            Reporter: James Taylor
             Fix For: 4.8.0


GitHub user jart opened a pull request:

    https://github.com/apache/phoenix/pull/151

    Upgrade Apache Commons Collections to v3.2.2

    Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
    vulnerability that exists. By merely existing on the classpath, this
    library causes the Java serialization parser for the entire JVM process
    to go from being a state machine to a turing machine. A turing machine
    with an exec() function!

    https://commons.apache.org/proper/commons-collections/security-reports.html
    
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

    Also, do consider using Guava in the future.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/jart/phoenix patch-1

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/phoenix/pull/151.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #151

----
commit 634112b1b4c04f02e499878ad98b911f1b8a6e6a
Author: Justine Tunney <[email protected]>
Date:   2016-03-05T19:44:52Z

    Upgrade Apache Commons Collections to v3.2.2

    Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
    vulnerability that exists. By merely existing on the classpath, this
    library causes the Java serialization parser for the entire JVM process
    to go from being a state machine to a turing machine. A turing machine
    with an exec() function!

    https://commons.apache.org/proper/commons-collections/security-reports.html
    
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to