[ https://issues.apache.org/jira/browse/VELOCITY-853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16520120#comment-16520120 ]
Peter Janssen commented on VELOCITY-853:
----------------------------------------

commons-collections contains the following CVEs:

||CVE||description||severity||package||
|CVE-2017-15708|CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')|High (7.5)|commons-collections-3.2.1.jar|
|CVE-2015-6420|CWE-502 Deserialization of Untrusted Data|High (7.5)|commons-collections-3.2.1.jar|

> Upgrade dependency to commons-collections4
> ------------------------------------------
>
> Key: VELOCITY-853
> URL: https://issues.apache.org/jira/browse/VELOCITY-853
> Project: Velocity
> Issue Type: Wish
> Components: Engine
> Affects Versions: 1.7.x, 1.7
> Reporter: Ilia Sretenskii
> Priority: Major
> Fix For: 1.7.x
>
>
> *org.apache.velocity:velocity:1.7* depends on
> *commons-collections:commons-collections:3.2.1*
> https://github.com/apache/velocity-engine/blob/1.7/pom.xml
> *org.apache.velocity:velocity:1.7.x* depends on
> *commons-collections:commons-collections:3.2.1* also
> https://github.com/apache/velocity-engine/blob/1.7.x/pom.xml
> Please upgrade dependency to *org.apache.commons:commons-collections4:4.0*
> That will allow using generics in collections classes.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)