
Upgrade Apache Commons Collections to v3.2.2 #3734

Closed

Conversation

@jart
Contributor

@jart jart commented Mar 7, 2016

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a Turing machine. A Turing machine
with an exec() function!

https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

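As an added, defender-side illustration (not code from this PR or from the project itself), the look-ahead deserialization check that was the standard mitigation for this class of bug: an ObjectInputStream subclass whose resolveClass() rejects every class that is not on an explicit allowlist, so a gadget chain riding on a library that merely sits on the classpath is refused before any of its objects are constructed. The allowlist and the sample inputs are hypothetical; on JDK 9 and later the same policy can be expressed with the built-in ObjectInputFilter.

```java
import java.io.*;
import java.util.*;

/** Look-ahead deserialization: each class descriptor in the stream is checked in
 *  resolveClass(), which runs before the corresponding object is instantiated, so
 *  anything outside the allowlist is rejected rather than executed. */
public class SafeObjectInputStream extends ObjectInputStream {
    // Hypothetical allowlist for an application that only ever exchanges these types.
    // java.lang.Number is listed because the stream carries Integer's superclass descriptor too.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.String", "java.lang.Number", "java.lang.Integer", "java.util.ArrayList"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: the class is neither loaded nor constructed.
            throw new InvalidClassException(name, "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Round-trips a value through the hardened stream; returns null if it was rejected. */
    static Object roundTrip(Serializable value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in =
                 new SafeObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an allowed list of strings and a disallowed map.
        System.out.println("accepted: " + roundTrip(new ArrayList<String>(Arrays.asList("a", "b"))));
        System.out.println("result:   " + roundTrip(new HashMap<String, Integer>()));
    }
}
```
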
@rwinch
Member

@rwinch rwinch commented Mar 8, 2016

Thanks for the PR! This is now merged into master via 3bbcbaa

PS: I love to give contributors attribution in the release announcement. Do you have a preferred way for me to mention you (i.e. link to Twitter, GitHub profile, blog, etc.)?

@rwinch rwinch closed this Mar 8, 2016
@rwinch rwinch added this to the 4.1.0 RC1 milestone Mar 8, 2016
@rwinch rwinch self-assigned this Mar 8, 2016
@jart
Contributor Author

@jart jart commented Mar 8, 2016

It's very gracious of you to offer attribution. But really, all I'm doing is grepping through GitHub. If you insist, you can mention me by name and email. You're also welcome to link to my GitHub profile :)

@rwinch
Member

@rwinch rwinch commented Mar 8, 2016

@jart I will mention your GitHub profile then. Thanks again for the contribution!

@jart
Contributor Author

@jart jart commented Mar 8, 2016

<3

@jart jart deleted the patch-1 branch Sep 13, 2017