[ 
https://issues.apache.org/jira/browse/PHOENIX-2749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Taylor resolved PHOENIX-2749.
-----------------------------------
    Resolution: Fixed

> Upgrade Apache Commons Collections to v3.2.2
> --------------------------------------------
>
>                 Key: PHOENIX-2749
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-2749
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: James Taylor
>             Fix For: 4.8.0
>
>
> GitHub user jart opened a pull request:
>     https://github.com/apache/phoenix/pull/151
>     Upgrade Apache Commons Collections to v3.2.2
>     Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
>     vulnerability that exists. By merely existing on the classpath, this
>     library causes the Java serialization parser for the entire JVM process
>     to go from being a state machine to a Turing machine. A Turing machine
>     with an exec() function!
>     
> https://commons.apache.org/proper/commons-collections/security-reports.html
>     
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>     Also, do consider using Guava in the future.
> You can merge this pull request into a Git repository by running:
>     $ git pull https://github.com/jart/phoenix patch-1
> Alternatively you can review and apply these changes as the patch at:
>     https://github.com/apache/phoenix/pull/151.patch
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>     This closes #151
> ----
> commit 634112b1b4c04f02e499878ad98b911f1b8a6e6a
> Author: Justine Tunney <[email protected]>
> Date:   2016-03-05T19:44:52Z
>     Upgrade Apache Commons Collections to v3.2.2
>     Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
>     vulnerability that exists. By merely existing on the classpath, this
>     library causes the Java serialization parser for the entire JVM process
>     to go from being a state machine to a Turing machine. A Turing machine
>     with an exec() function!
>     
> https://commons.apache.org/proper/commons-collections/security-reports.html
>     
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
