[ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222588#comment-16222588 ]

ASF subversion and git services commented on ARTEMIS-1483:
----------------------------------------------------------

Commit ba01bf70734a0aa6ad614b4dfc7a3401dfae3c39 in activemq-artemis's branch 
refs/heads/master from [~jbertram]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=ba01bf7 ]

ARTEMIS-1483 upgrade beanutils


> Upgrade beanutils
> -----------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.3.0
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>             Fix For: 2.4.0
>
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to 
> 3.2.2; however, this fix was not sufficient because ACC is also pulled in via 
> Apache BeanUtils. This is a potential problem because it is enough for the 
> bad library to be anywhere on the classpath, so whether Artemis is vulnerable or 
> not may depend on the vagaries of classpath ordering (if both versions 
> somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the 
> CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too. 
> The reports it generates are excellent.
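The issue above describes a transitive-dependency trap: a direct upgrade of commons-collections to 3.2.2 is undone by an older copy that commons-beanutils drags in, and which copy actually loads depends on classpath order. The following is an added example, not code from the ActiveMQ Artemis project or from the issue reporter. It is a small audit script that walks a list of jar names (a constructed sample list, chosen to mirror the situation in the issue), parses `artifact-version.jar` names, flags commons-collections below 3.2.2 and commons-beanutils below 1.9.3 (the floors stated in the issue text), and separately reports any artifact present more than once, since a duplicate is exactly the classpath-ordering hazard the reporter warns about. The jar naming convention, the sample jar list and the `MIN_SAFE` table are assumptions of this example.

```python
"""Audit a list of jar files for the commons-collections / commons-beanutils
problem described in ARTEMIS-1483.

Added example, not Artemis project code. Assumptions: jars follow the
``artifact-version[.qualifier].jar`` naming convention, and the minimum safe
versions are the ones quoted in the issue text (commons-collections 3.2.2,
commons-beanutils 1.9.3).
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# artifact id, then a dash, then a dotted numeric version, then an optional
# qualifier such as ".Final" or "-SNAPSHOT", then ".jar"
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.-][A-Za-z0-9]+)*\.jar$"
)

# minimum acceptable versions taken from the issue text (assumed table)
MIN_SAFE: Dict[str, Version] = {
    "commons-collections": (3, 2, 2),
    "commons-beanutils": (1, 9, 3),
}

# constructed sample classpath: the 3.2.2 upgrade is present, but an older
# beanutils has pulled in a second, older commons-collections alongside it
SAMPLE_CLASSPATH = [
    "lib/commons-collections-3.2.2.jar",
    "lib/commons-beanutils-1.9.2.jar",
    "lib/commons-collections-3.2.1.jar",
    "lib/netty-all-4.1.16.Final.jar",
]


def parse_version(text: str) -> Version:
    """'3.2.2' -> (3, 2, 2); tuples compare component-wise, so (3, 2) < (3, 2, 2)."""
    return tuple(int(part) for part in text.split("."))


def parse_jar(name: str) -> Optional[Tuple[str, Version]]:
    """Split a jar file name into (artifact, version); None if it does not fit the convention."""
    match = JAR_RE.match(name)
    if match is None:
        return None
    return match.group("artifact"), parse_version(match.group("version"))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def audit(jar_paths: Iterable[str]) -> List[str]:
    """Return human-readable findings: below-floor versions and duplicate artifacts."""
    findings: List[str] = []
    copies: Dict[str, List[Tuple[Version, str]]] = {}
    for path in jar_paths:
        parsed = parse_jar(Path(path).name)
        if parsed is None:
            continue  # not a versioned jar name; nothing to compare
        artifact, version = parsed
        copies.setdefault(artifact, []).append((version, path))
        floor = MIN_SAFE.get(artifact)
        if floor is not None and version < floor:
            findings.append(
                f"{path}: {artifact} {fmt(version)} is below minimum {fmt(floor)}"
            )
    # a second copy of any artifact means the loaded class depends on classpath order
    for artifact, entries in copies.items():
        if len(entries) > 1:
            names = ", ".join(path for _, path in entries)
            findings.append(
                f"{artifact}: {len(entries)} copies on classpath ({names}); "
                "which one loads depends on classpath order"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CLASSPATH):
        print(line)
```

Run against a real unpacked distribution, the `SAMPLE_CLASSPATH` list would be replaced by something like `sorted(str(p) for p in Path("lib").glob("*.jar"))`. The duplicate check is the part worth keeping even after the version floors are met: a clean direct dependency plus a stale transitive copy is exactly the state the issue describes, and a version-only scan of the "winning" jar would miss it.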



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
