Take Commons Collections v3.2.1 off classpath

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function! https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ Signed-off-by: Luke Inman-Semerau <luke.semerau@gmail.com>
SeleniumHQ · Mar 10, 2016 · 0bf56ed · 0bf56ed
1 parent f740b80
commit 0bf56ed
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/java/client/.classpath b/java/client/.classpath
@@ -25,7 +25,7 @@
 	<classpathentry kind="lib" path="/third-party/java/css/sac-1.3.jar"/>
 	<classpathentry kind="lib" path="/third-party/java/commons/commons-lang3-3.4.jar" sourcepath="/third-party/java/commons/commons-lang3-3.4-sources.jar"/>
 	<classpathentry kind="lib" path="/third-party/java/httpcomponents/httpmime-4.5.jar" sourcepath="/third-party/java/httpcomponents/httpmime-4.5-sources.jar"/>
-	<classpathentry kind="lib" path="/third-party/java/commons-collections/commons-collections-3.2.1.jar" sourcepath="/third-party/java/commons-collections/commons-collections-3.2.1-sources.jar"/>
+	<classpathentry kind="lib" path="/third-party/java/commons-collections/commons-collections-3.2.2.jar" sourcepath="/third-party/java/commons-collections/commons-collections-3.2.2-sources.jar"/>
 	<classpathentry kind="lib" path="/third-party/java/cssparser/cssparser-0.9.18.jar"/>
 	<classpathentry kind="lib" path="/third-party/java/xerces/xercesImpl-2.11.0.jar" sourcepath="/third-party/java/xerces/xercesImpl-2.11.0-sources.jar"/>
 	<classpathentry kind="lib" path="/third-party/java/xalan/xalan-2.7.2.jar"/>