[
https://issues.apache.org/jira/browse/TAVERNA-934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stian Soiland-Reyes updated TAVERNA-934:
----------------------------------------
Fix Version/s: language 0.16.0
> Security fix: Upgrade Commons Collections
> -----------------------------------------
>
> Key: TAVERNA-934
> URL: https://issues.apache.org/jira/browse/TAVERNA-934
> Project: Apache Taverna
> Issue Type: Bug
> Components: Taverna Language, Taverna Maven Parent, Taverna Server
> Reporter: Stian Soiland-Reyes
> Assignee: Stian Soiland-Reyes
> Priority: Critical
> Labels: security
> Fix For: language 0.16.0, server 3.1.0, parent 3
>
>
> As raised by Glenn Lewis in
> https://github.com/apache/incubator-taverna-server/pull/1
> we use a Commons Collections 3.2.1 which has a CVSS 10.0 remote code
> execution vulnerability.
> This affects anyone who has Commons Collection on the classpath - basically
> through Maven dependencies at would mean also anyone who has the Taverna
> SCUFL2 API on the classpath.
> This does not affect just Taverna Server - but also indirectly as Commons
> Collection is also a transitive dependency, e.g. from commons-beanutils:
> {code}
> [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:test
> [INFO] | +- commons-logging:commons-logging:jar:1.1.1:compile
> [INFO] | \- commons-collections:commons-collections:jar:3.2.1:test
> {code}
> Thus we should update taverna-maven-parent - perhaps to have a
> <dependencyManagement> section - to force a newer version of
> commons-collections across the board.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
