[https://issues.apache.org/jira/browse/BEANUTILS-520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16910012#comment-16910012]
Gary Gregory commented on BEANUTILS-520:
----------------------------------------
Since this is a major release, with a new package name, we should consider
carefully what we want to change in the API before forging ahead.
For example, do we want to keep publishing Commons Collections objects in the
API or should we change the API to be only based on the JRE's Collections APIs?
Are there deprecated APIs we should remove?
Are there changes to interfaces we want to make?
And so on.
Gary
> BeanUtils2 mitigate CVE-2014-0114
> ---------------------------------
>
> Key: BEANUTILS-520
> URL: https://issues.apache.org/jira/browse/BEANUTILS-520
> Project: Commons BeanUtils
> Issue Type: Improvement
> Components: Bean / Property Utils
> Affects Versions: 1.9.3
> Reporter: Melloware
> Assignee: Rob Tompkins
> Priority: Major
> Labels: security
> Fix For: 1.9.4, 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> https://nvd.nist.gov/vuln/detail/CVE-2014-0114
> Due to the above CVE in 1.9.2 they added a Suppression but it is still being
> marked as a security risk through most major checks from OWASP and Sonatype
> IQ.
> "commons-beanutils added a SuppressPropertiesBeanIntrospector which includes
> a specialized instance of itself as the SUPPRESS_CLASS constant beginning in
> version 1.9.2 that specifically suppresses the class property. However, this
> fix is not enabled by default."
> For BeanUtils2 why not make this the default and have people "enable" it if
> they want to get the feature.
> Thanks for your consideration.
>
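Added example (not code from this issue or from Commons BeanUtils itself) showing how a caller opts in to the suppression the reporter describes on the 1.9.x API: a PropertyUtilsBean with SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS registered no longer reports a readable "class" property, while ordinary bean properties keep working. The Account bean and the helper method names are assumptions made for illustration.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    // Hypothetical bean used only as sample input for this example.
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    // Build a PropertyUtilsBean with SUPPRESS_CLASS registered before any bean
    // is introspected, so the JavaBeans "class" property (Object.getClass())
    // is filtered out of every descriptor set this instance produces.
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean utils = new PropertyUtilsBean();
        utils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return utils;
    }

    // Same opt-in applied to the shared instance behind the static BeanUtils /
    // PropertyUtils facades; call once at application startup.
    public static void hardenSharedInstance() {
        BeanUtilsBean.getInstance().getPropertyUtils()
                .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    // Check used to verify the mitigation is actually in effect for a given instance.
    public static boolean exposesClassProperty(PropertyUtilsBean utils, Object bean) {
        return utils.isReadable(bean, "class");
    }

    public static void main(String[] args) {
        Account bean = new Account();

        // Plain 1.9.3 instance: the suppression is off unless registered by the caller.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default exposes class: " + exposesClassProperty(defaults, bean));

        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("hardened exposes class: " + exposesClassProperty(hardened, bean));
        System.out.println("hardened still reads owner: " + hardened.isReadable(bean, "owner"));
    }
}
```

Running this against 1.9.3 shows the two instances disagree only on the "class" property; a unit test around exposesClassProperty is a cheap regression guard that the opt-in was not lost during an upgrade.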