Thank you for the pull request! Agree that this should be updated to avoid
the potential deserialization remote code attack vulnerability.

I think we should specify the commons collection version as
${commons.collections.version} so this is fixed across the Taverna
repositories.

https://github.com/apache/incubator-taverna-maven-parent/blob/master/pom.xml#L334

A similar vulnerability exists in Beanshell, which was fixed in 2.0b6 - so
bsh.version should also be upgraded to affect
https://github.com/apache/incubator-taverna-common-activities/blob/master/taverna-beanshell-activity/pom.xml#L90

On 9 Mar 2016 17:00, "gmlewis" <[email protected]> wrote:

> GitHub user gmlewis opened a pull request:
>
>     https://github.com/apache/incubator-taverna-server/pull/1
>
>     Upgrade Apache Commons Collections to v3.2.2
>
>
>     Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of
>     vulnerability that exists. By merely existing on the classpath, this
>     library causes the Java serialization parser for the entire JVM process
>     to go from being a state machine to a turing machine. A turing machine
>     with an exec() function!
>
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
>
> https://commons.apache.org/proper/commons-collections/security-reports.html
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>
> You can merge this pull request into a Git repository by running:
>
>     $ git pull https://github.com/gmlewis/incubator-taverna-server master
>
> Alternatively you can review and apply these changes as the patch at:
>
>     https://github.com/apache/incubator-taverna-server/pull/1.patch
>
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>
>     This closes #1
>
> ----
> commit 63fd4831291530ab98078544a7175d728c19681b
> Author: Glenn Lewis <[email protected]>
> Date:   2016-03-09T17:00:38Z
>
>     Upgrade Apache Commons Collections to v3.2.2
>
> ----
>
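As an added example (not code from the Taverna project or from anyone in this thread), the following Python check scans `mvn dependency:list` output and flags resolved Commons Collections versions below 3.2.2 and BeanShell versions below 2.0b6, the fixed releases named above. The sample output lines and their groupIds are constructed for illustration; matching is by artifactId only.

```python
import re

# Constructed sample of `mvn dependency:list` output (not taken from a Taverna build).
# Lines have the shape: [INFO]    groupId:artifactId:type:version:scope
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    commons-collections:commons-collections:jar:3.2.1:compile
[INFO]    org.beanshell:bsh:jar:2.0b4:compile
[INFO]    commons-io:commons-io:jar:2.4:compile
[INFO]    org.apache-extras.beanshell:bsh:jar:2.0b6:test
"""

# Minimum fixed versions per artifactId, as stated in the thread.
MIN_SAFE = {"commons-collections": "3.2.2", "bsh": "2.0b6"}

# groupId:artifactId:type:version:scope (assumes no classifier column).
DEP_LINE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):(\w+)")


def version_key(version):
    """Split a version string into comparable parts so that '2.0b4' < '2.0b6'
    and '3.2.1' < '3.2.2'. Numeric runs compare as ints, letter runs as strings.
    Qualifiers such as '-SNAPSHOT' sort after the plain release; good enough here."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def find_vulnerable(output):
    """Return (groupId, artifactId, version, scope, fixed_version) for each
    resolved dependency whose version is older than its known fixed version."""
    findings = []
    for line in output.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        group, artifact, version, scope = match.groups()
        fixed = MIN_SAFE.get(artifact)
        if fixed and version_key(version) < version_key(fixed):
            findings.append((group, artifact, version, scope, fixed))
    return findings


if __name__ == "__main__":
    for group, artifact, version, scope, fixed in find_vulnerable(SAMPLE_OUTPUT):
        print(f"{group}:{artifact}:{version} ({scope}) is below fixed version {fixed}")
```

Run it against real output with `mvn dependency:list | python check_deps.py` after replacing the constructed sample with `sys.stdin.read()`.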
