Hi guys,

I am running an application working with commons-configuration version 1.6. I just noticed a bug in commons-collections (http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results).

As the older versions (will be changed in 2.0) of commons-configuration have a runtime dependency on commons-collections, I am wondering if they are potentially affected by this bug as well. Commons-configuration version 1.6 uses commons-collections 3.2.1, which still contains the bug. (From 3.2.2 they disabled the classes by default.)

The documentation says only ConfigurationConverter has a dependency on commons-collections (org.apache.commons.collections.ExtendedProperties). I bet that the classes affected by the bug are never referenced and do not run. It looks to me pretty much like using commons-configuration 1.6 is safe; not recommended, but safe. Even more so because it is not using any Serialization support from commons-collections.

Can somebody confirm this?

Many thanks,
joël
