[ https://issues.apache.org/jira/browse/VELTOOLS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Symons updated VELTOOLS-169:
---------------------------------

    Description:
Upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level 9 threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. Quoting from v4.1 release notes:
{quote}
Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:
CloneTransformer
ForClosure
InstantiateFactory
InstantiateTransformer
InvokerTransformer
PrototypeCloneFactory
PrototypeSerializationFactory
WhileClosure.
{quote}

  was:
Upgrade commons-collections to v4.1 or later to mitigate level 9 threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. Quoting from v4.1 release notes:
{quote}
Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:
CloneTransformer
ForClosure
InstantiateFactory
InstantiateTransformer
InvokerTransformer
PrototypeCloneFactory
PrototypeSerializationFactory
WhileClosure.
{quote}

        Summary: Upgrade commons-collections compile dependency to v3.2.2 or v4.1  (was: Upgrade commons-collections compile dependency to 4.1)

> Upgrade commons-collections compile dependency to v3.2.2 or v4.1
> ----------------------------------------------------------------
>
>                 Key: VELTOOLS-169
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-169
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Priority: Critical
>
> (Issue description as in the updated Description above.)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
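The practical question behind this issue is whether a build still resolves a commons-collections artifact from before the COLLECTIONS-580 fix. The following POSIX shell check is an added example, not part of the JIRA issue or of Velocity Tools: it scans `mvn dependency:tree` output for the two coordinates named in the issue (`commons-collections:commons-collections` and `org.apache.commons:commons-collections4`) and flags versions below 3.2.2 on the 3.x line and below 4.1 on the 4.x line, the thresholds the issue gives. The sample tree lines are constructed for this example and do not describe any real project's dependencies; the 3.2.2 threshold for the 3.x line comes from the issue's summary, not from anything the 4.1 release notes say.

```shell
#!/bin/sh
# Added example (not code from VELTOOLS-169 or from Velocity Tools).
# Scans `mvn dependency:tree` output for commons-collections artifacts that
# predate the COLLECTIONS-580 fix. Assumptions (mine, from the issue text):
# the 3.x coordinates are fixed from 3.2.2 on, the renamed 4.x coordinates
# from 4.1 on.

# Compare two dotted version strings numerically; prints lt, eq or gt.
# A qualifier such as -SNAPSHOT is dropped, so 4.1-SNAPSHOT compares as 4.1;
# treat that as optimistic and verify pre-release builds by hand.
vercmp() {
  a="${1%%-*}"; b="${2%%-*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
    bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
    # keep digits only so a stray letter cannot break the integer test
    ah=$(printf '%s' "$ah" | tr -cd '0-9'); ah="${ah:-0}"
    bh=$(printf '%s' "$bh" | tr -cd '0-9'); bh="${bh:-0}"
    if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
    if [ "$ah" -gt "$bh" ]; then echo gt; return 0; fi
  done
  echo eq
}

# True (exit 0) when group:artifact:version is a commons-collections build
# that still ships deserialization support for the unsafe functor classes.
cc_vulnerable() {
  group="$1"; artifact="$2"; version="$3"
  case "$group:$artifact" in
    commons-collections:commons-collections)
      [ "$(vercmp "$version" 3.2.2)" = lt ] ;;
    org.apache.commons:commons-collections4)
      [ "$(vercmp "$version" 4.1)" = lt ] ;;
    *) return 1 ;;
  esac
}

# Read dependency:tree lines on stdin, print one AFFECTED line per hit.
# Returns 0 when the tree is clean and 1 when at least one artifact is affected.
scan_tree() {
  found=0
  while IFS= read -r line; do
    coord="${line##* }"                       # last field: group:artifact:type[:classifier]:version[:scope]
    case "$coord" in *:*:*:*) ;; *) continue ;; esac
    old_ifs=$IFS; IFS=:; set -- $coord; IFS=$old_ifs
    group="$1"; artifact="$2"
    if [ $# -ge 6 ]; then version="$5"; else version="$4"; fi
    if cc_vulnerable "$group" "$artifact" "$version"; then
      echo "AFFECTED: $group:$artifact:$version (see COLLECTIONS-580)"
      found=1
    fi
  done
  return $found
}

# Constructed sample tree for this example (not a real project's output):
# one pre-fix 3.x artifact, one pre-fix 4.x artifact, one fixed 3.x artifact.
sample_tree() {
  cat <<'EOF'
[INFO] com.example:webapp:jar:1.0
[INFO] +- commons-collections:commons-collections:jar:3.2:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.0:test
[INFO] \- com.example:other-lib:jar:2.3:compile
[INFO]    \- commons-collections:commons-collections:jar:3.2.2:compile
EOF
}

# Stand-alone run: report affected artifacts without aborting the script.
sample_tree | scan_tree || echo "upgrade required: see VELTOOLS-169"
```

To run it against a real build, replace `sample_tree` with `mvn dependency:tree` piped into `scan_tree`. Two caveats worth keeping in mind when acting on a hit: moving from the 3.x coordinates to `commons-collections4` is a package rename (`org.apache.commons.collections4`), so it is a source change rather than a drop-in upgrade, whereas 3.2.2 keeps the old package and API; and a version check says nothing about a second copy of the library shaded into some other jar, so a classpath-level scan is still needed for a full answer.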