[ https://issues.apache.org/jira/browse/VELTOOLS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Symons updated VELTOOLS-169:
---------------------------------
    Description: 
Remove commons-collections dependency, or upgrade commons-collections to v3.2.2 
or v4.1 or later to mitigate level 9 threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. 
Quoting from v4.1 release notes:
{quote}Serialization support for unsafe classes in the functor package has been 
removed completely as this can be exploited for remote code execution attacks. 
Classes considered to be unsafe are:

CloneTransformer
ForClosure
InstantiateFactory
InstantiateTransformer
InvokerTransformer
PrototypeCloneFactory
PrototypeSerializationFactory
WhileClosure.
{quote}

  was:
Upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level 9 
threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580.  
Quoting from v4.1 release notes:

{quote}
Serialization support for unsafe classes in the functor package has been 
removed completely as this can be exploited for remote code execution attacks. 
Classes considered to be unsafe are:

    CloneTransformer
    ForClosure
    InstantiateFactory
    InstantiateTransformer
    InvokerTransformer
    PrototypeCloneFactory
    PrototypeSerializationFactory
    WhileClosure.
{quote}

        Summary: Upgrade or remove commons-collections compile dependency  (was: Upgrade commons-collections compile dependency to v3.2.2 or v4.1)

> Upgrade or remove commons-collections compile dependency
> --------------------------------------------------------
>
>                 Key: VELTOOLS-169
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-169
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Assignee: Claude Brisson
>            Priority: Critical
>
> Remove commons-collections dependency, or upgrade commons-collections to 
> v3.2.2 or v4.1 or later to mitigate level 9 threat.
> Old name: commons-collections:commons-collections
> Current name: org.apache.commons:commons-collections4
> Velocity Tools v2.0 uses commons-collections:commons-collections v3.2
> commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. 
> Quoting from v4.1 release notes:
> {quote}Serialization support for unsafe classes in the functor package has 
> been removed completely as this can be exploited for remote code execution 
> attacks. Classes considered to be unsafe are:
> CloneTransformer
> ForClosure
> InstantiateFactory
> InstantiateTransformer
> InvokerTransformer
> PrototypeCloneFactory
> PrototypeSerializationFactory
> WhileClosure.
> {quote}
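An added check, not part of the JIRA issue or of Velocity Tools: it scans `mvn dependency:tree` output for the commons-collections coordinates named above and flags versions below the fixed releases (commons-collections < 3.2.2, commons-collections4 < 4.1). The sample tree below is constructed to show one flagged and one acceptable artifact.

```sh
#!/bin/sh
# Reads `mvn dependency:tree` output on stdin, prints each commons-collections
# coordinate still below the COLLECTIONS-580 fix, exits 0 if any was found, 1 if none.
find_vulnerable_collections() {
    awk '
    {
        # Maven prints coordinates as groupId:artifactId:type:version[:scope];
        # a line may carry only one, but loop in case of concatenated output.
        while (match($0, /(commons-collections|org\.apache\.commons):commons-collections4?:[a-z-]+:[0-9][^: ]*/)) {
            coord = substr($0, RSTART, RLENGTH)
            $0 = substr($0, RSTART + RLENGTH)
            split(coord, f, ":")          # f[2] = artifactId, f[4] = version
            split(f[4], p, ".")
            major = p[1] + 0; minor = p[2] + 0; patch = p[3] + 0   # missing parts count as 0
            if (f[2] == "commons-collections") {
                # old artifact: fixed in 3.2.2
                bad = (major < 3) || (major == 3 && (minor < 2 || (minor == 2 && patch < 2)))
            } else {
                # commons-collections4: fixed in 4.1
                bad = (major < 4) || (major == 4 && minor < 1)
            }
            if (bad) { print coord; found = 1 }
        }
    }
    END { exit found ? 0 : 1 }
    '
}

# Constructed sample of dependency:tree output (not real build output).
SAMPLE_TREE='[INFO] org.apache.velocity:velocity-tools:jar:2.0
[INFO] +- commons-collections:commons-collections:jar:3.2:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] \- commons-beanutils:commons-beanutils:jar:1.8.3:compile'

# Constructed sample after the upgrade described in the issue.
FIXED_TREE='[INFO] org.apache.velocity:velocity-tools:jar:2.0
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- org.apache.commons:commons-collections4:jar:4.1:compile'

printf '%s\n' "$SAMPLE_TREE" | find_vulnerable_collections
```

Against a real build, pipe `mvn dependency:tree` into the function; a non-zero exit means no affected coordinate was found.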



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org