[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018476#comment-15018476
 ] 

Brian Martin commented on VELOCITY-869:
---------------------------------------


Please note that Commons Collections is designed to deserialize code. The "fix" 
is to add an option to disable that, which each implementing software needs to 
consider. Further, just having Commons Collections in your software does not 
necessarily mean you are, or are not, vulnerable. Each application must assess 
whether it allows users to send code to be deserialized by that library (its 
intended function), and whether that crosses privilege boundaries or not. 

So just upgrading to 3.2.2 doesn't mean you are necessarily fixing a vuln, and 
the presence of that software doesn't necessarily mean you were vulnerable in 
the first place. =)

> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
>                 Key: VELOCITY-869
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-869
>             Project: Velocity
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.7
>            Reporter: Ryan Blue
>            Assignee: Sergiu Dumitriu
>             Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, 
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 
> 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad 
> version. Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
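The distinction Brian draws above (the sink that accepts untrusted serialized input is the problem, not the presence of the library) can be made concrete in code. The following is an added example, not code from the Velocity project, from Commons Collections, or from anyone in this thread. It needs Java 9 or later for java.io.ObjectInputFilter (JEP 290) and deliberately does not depend on commons-collections: the Order class, the two endpoint methods and the HashMap payload are all hypothetical, with the HashMap standing in for the top-level object of a gadget chain. The system property named in the comment is the one 3.2.2 introduced to re-enable serialization of its unsafe functors.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example: the same untrusted bytes fed to an unfiltered and to an
 * allow-listed ObjectInputStream. Whether this is a vulnerability depends on
 * who can reach readUnfiltered(), not on which jars are on the classpath.
 */
public class DeserializationBoundary {

    /** Hypothetical: the one type this endpoint legitimately expects. */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    /**
     * VULNERABLE sink: every class name the sender puts in the stream is
     * resolved and instantiated. With a gadget-bearing library on the
     * classpath (commons-collections 3.2.1 or any other usable chain) an
     * untrusted sender runs code before this method returns.
     */
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /**
     * HARDENED sink: a JEP 290 allow-list. Only Order (and the String it
     * carries) may appear; anything else, including every class under
     * org.apache.commons.collections, is rejected before it is instantiated.
     * maxdepth/maxbytes bound nesting and payload size. Upgrading to
     * commons-collections 3.2.2 (which refuses to (de)serialize its unsafe
     * functors unless -Dorg.apache.commons.collections.enableUnsafeSerialization=true
     * is set) removes one chain; the filter removes the sink.
     */
    static final ObjectInputFilter ORDER_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=4096;"
            + "!org.apache.commons.collections.**;"   // named explicitly; the final !* covers it too
            + Order.class.getName() + ";"             // DeserializationBoundary$Order
            + "java.lang.String;"
            + "!*");                                  // reject everything not listed above

    static Order readOrder(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ORDER_ONLY);      // must be set before the first readObject()
            return (Order) in.readObject();
        }
    }

    /** Builds the constructed sample payloads used below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legitimate = serialize(new Order("SKU-42", 3));
        // Constructed stand-in for an attacker-supplied stream: a class the
        // endpoint never asked for. A real chain would name gadget classes here.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());

        Order o = readOrder(legitimate);
        System.out.println("filtered accepts Order: " + o.sku + " x" + o.quantity);

        try {
            readOrder(unexpected);
            System.out.println("BUG: filter did not reject");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects HashMap: " + e.getMessage());
        }
    }
}
```

Run it with `javac DeserializationBoundary.java && java DeserializationBoundary`. The rejection comes from ObjectInputStream itself (InvalidClassException with "filter status: REJECTED") at class-descriptor time, so no constructor, readObject or readResolve of the unexpected class ever executes. The filter is the application-side assessment the comment calls for; whether readUnfiltered() is actually reachable across a privilege boundary is still something only the application can answer.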
