Stian Soiland-Reyes created TAVERNA-934:
-------------------------------------------
Summary: Security fix: Upgrade Commons Collections
Key: TAVERNA-934
URL: https://issues.apache.org/jira/browse/TAVERNA-934
Project: Apache Taverna
Issue Type: Bug
Components: Taverna Language, Taverna Maven Parent, Taverna Server
Reporter: Stian Soiland-Reyes
Priority: Critical
As raised by Glenn Lewis in
https://github.com/apache/incubator-taverna-server/pull/1
we use a Commons Collections 3.2.1 which has a CVSS 10.0 remote code execution
vulnerability.
This affects anyone who has Commons Collection on the classpath - basically
through Maven dependencies at would mean also anyone who has the Taverna SCUFL2
API on the classpath.
This does not affect just Taverna Server - but also indirectly as Commons
Collection is also a transitive dependency, e.g. from commons-beanutils:
{code}
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:test
[INFO] | +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] | \- commons-collections:commons-collections:jar:3.2.1:test
{code}
Thus we should update taverna-maven-parent - perhaps to have a
<dependencyManagement> section - to force a newer version of
commons-collections across the board.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
