Upgrade Apache Commons Collections to v3.2.2 #3734

Closed
Contributor

jart commented Mar 7, 2016

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a Turing machine. A Turing machine
with an exec() function!

https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
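
A defender-side check for the point made above (a vulnerable commons-collections jar merely present on the classpath is enough), added here as an example and not part of the PR or the project's code: a Python scanner that reads each jar's version from its embedded Maven pom.properties, falls back to the filename, and flags anything older than 3.2.2. The sample jars it builds are constructed stand-ins holding only that properties file, not real Commons Collections builds.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (3, 2, 2)  # first 3.x release that disables deserialization of the unsafe functors
POM_PROPS = "META-INF/maven/commons-collections/commons-collections/pom.properties"
NAME_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'3.2.1' -> (3, 2, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.strip().split("."))

def jar_version(jar):
    """Version from the jar's embedded Maven pom.properties, else from its filename, else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("ascii", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line[len("version="):])
    except zipfile.BadZipFile:
        pass  # not a jar at all; fall through to the filename check
    m = NAME_RE.match(jar.name)
    return parse_version(m.group(1)) if m else None

def vulnerable_jars(lib_dir):
    """(filename, version) for every commons-collections jar under lib_dir older than 3.2.2."""
    found = [(j.name, jar_version(j)) for j in sorted(Path(lib_dir).rglob("*.jar"))]
    return [(n, ".".join(map(str, v))) for n, v in found if v is not None and v < FIXED]

def make_sample_jar(path, version):
    """Constructed stand-in for a real jar: only the pom.properties the scanner reads (none if version is None)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=commons-collections\n")

def demo():
    """Scan a temporary lib dir holding constructed sample jars; returns the vulnerable ones."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        make_sample_jar(lib / "commons-collections-3.2.1.jar", "3.2.1")  # vulnerable
        make_sample_jar(lib / "commons-collections-3.2.2.jar", "3.2.2")  # fixed
        make_sample_jar(lib / "commons-collections-3.1.jar", None)        # filename only
        make_sample_jar(lib / "shaded-libs.jar", "3.2.1")                 # renamed, still 3.2.1
        return vulnerable_jars(lib)

if __name__ == "__main__":
    for name, version in demo():
        print(f"VULNERABLE: {name} ({version} < 3.2.2)")
```

Point `vulnerable_jars` at a real lib directory to audit a deployment; the renamed-jar case shows why reading pom.properties beats trusting filenames.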

Member

rwinch commented Mar 8, 2016

Thanks for the PR! This is now merged into master via 3bbcbaa

PS: I love to give contributors attribution in the release announcement. Do you have a preferred way for me to mention you (i.e. link to Twitter, GitHub profile, Blog, etc.)?

@rwinch rwinch closed this Mar 8, 2016

@rwinch rwinch added this to the 4.1.0 RC1 milestone Mar 8, 2016

@rwinch rwinch self-assigned this Mar 8, 2016

Contributor

jart commented Mar 8, 2016

It's very gracious of you to offer attribution. But really, all I'm doing is grepping through GitHub. If you insist, you can mention me by name and email. You're also welcome to link to my GitHub profile :)

Member

rwinch commented Mar 8, 2016

@jart I will mention your GitHub profile then. Thanks again for the contribution!

Contributor

jart commented Mar 8, 2016

<3

@jart jart deleted the jart:patch-1 branch Sep 13, 2017
