[
https://issues.apache.org/jira/browse/VALIDATOR-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14280113#comment-14280113
]
Sebb commented on VALIDATOR-357:
--------------------------------
I'm not sure that just updating the version of BeanUtils will make any
difference to the security, unless the validator code is also changed to
allow/force BeanUtils to activate the special new BeanInspector. If Validator
does not need the class loader, then it should be safe to always use the new
inspector. Otherwise, either Validator has to provide a way to customise the
BeanInspector and/or Validator Javadoc must make it clear that the validation
has to be done by the caller.
> Upgrade BeanUtils
> -----------------
>
> Key: VALIDATOR-357
> URL: https://issues.apache.org/jira/browse/VALIDATOR-357
> Project: Commons Validator
> Issue Type: New Feature
> Components: Framework
> Affects Versions: 1.1.3 Release, 1.2.0 Release, 1.3.0 Release, 1.3.1 Release, 1.4.0 Release, 1.4.1 Release
> Reporter: David Dillard
> Priority: Minor
>
> Validator 1.41 depends on BeanUtils 1.8.3. This has a "potential security
> issue", see
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
> Also, see http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2014-0114
> Even if this issue doesn't affect Validator, BeanUtils should be upgraded so
> that the issue doesn't affect other users of BeanUtils, given the screwy way
> some builders (e.g. Maven) resolve conflicting dependencies.
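The point Sebb raises above, that the upgraded BeanUtils only helps if the caller actually installs the new introspector, as an added example that is not Commons Validator or Commons BeanUtils code. It assumes commons-beanutils 1.9.2 or later on the classpath and uses a constructed `Account` bean; the "class" property check is done through a separately configured `BeanUtilsBean` rather than the static facade.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Added example (not project code): hide the "class" property from BeanUtils introspection. */
public class SuppressClassPropertyDemo {

    /** Constructed sample bean; every bean also exposes getClass() as a "class" property by default. */
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /** Build a BeanUtilsBean whose introspection drops the "class" property (BeanUtils 1.9.2+). */
    public static BeanUtilsBean hardenedBeanUtils() {
        PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
        // Without this line, upgrading the jar changes nothing: the introspector is opt-in.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), propertyUtils);
    }

    /** Check whether a given BeanUtilsBean still resolves "class" as a readable property on a bean. */
    public static boolean exposesClassProperty(BeanUtilsBean beanUtils, Object bean) throws Exception {
        return beanUtils.getPropertyUtils().getPropertyDescriptor(bean, "class") != null;
    }

    public static void main(String[] args) throws Exception {
        Account bean = new Account();
        BeanUtilsBean defaults = new BeanUtilsBean();   // default configuration, nothing suppressed
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("default exposes class:  " + exposesClassProperty(defaults, bean));
        System.out.println("hardened exposes class: " + exposesClassProperty(hardened, bean));
        System.out.println("hardened still reads owner: " + hardened.getProperty(bean, "owner"));
        // To make the static BeanUtils/PropertyUtils facades use the hardened instance as well,
        // the caller would have to register it: BeanUtilsBean.setInstance(hardened);
    }
}
```

The hardened instance keeps ordinary properties such as `owner` reachable while `getPropertyDescriptor(bean, "class")` returns null; code that goes through the static `BeanUtils` facade is unaffected unless the instance is registered with `setInstance`.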