ipf icon indicating copy to clipboard operation
ipf copied to clipboard
verified publisher icon krasserm

Upgrade Apache Commons Collections to v3.2.2

Open gmlewis opened this issue 9 years ago • 1 comments

Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

gmlewis avatar Mar 09 '16 16:03 gmlewis

Hello Glenn,

IPF development has been moved to https://github.com/oehf/ipf a few years ago.
Of course, we have opportunely upgraded Apache commons-collections there.

Thank you very much and best regards Dmytro

unixoid avatar Mar 09 '16 19:03 unixoid