Date: Thu, 26 Oct 2017 17:10:00 +0000 (UTC)
From: "Mike Hearn (JIRA)"
To: issues@activemq.apache.org
Reply-To: dev@activemq.apache.org
Subject: [jira] [Commented] (ARTEMIS-1483) Upgrade beanutils to fix CVE 2015-6420

[ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220801#comment-16220801 ]

Mike Hearn commented on ARTEMIS-1483:
-------------------------------------

It may be that Maven is auto-upgrading the dependency of BeanUtils too. I guess it depends on the build tool used and configuration. The dependency scanner plugin is useful though and this should be a one-line fix.

> Upgrade beanutils to fix CVE 2015-6420
> --------------------------------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to 3.2.2; however, this fix was not sufficient because ACC is also pulled in via Apache BeanUtils. This is a potential problem because it is enough for the bad library to be anywhere on the classpath, so whether Artemis is vulnerable or not may depend on the vagaries of classpath ordering (if both versions somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too. The reports it generates are excellent.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
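The point in the issue description that matters for a reviewer is that the vulnerable commons-collections build only has to be present somewhere on the classpath, so a pom-level upgrade is not proof of anything until the shipped distribution has been checked. The script below is an added example written for this page, not code from the ARTEMIS-1483 thread or from the Artemis project: it walks a directory of jars (such as a distribution's lib/ directory), identifies commons-collections 3.x copies from the pom.properties that Maven-built jars carry, flags any copy older than 3.2.2 or any jar that contains the InvokerTransformer gadget class without a readable version, and warns when more than one copy is present, since that is exactly the classpath-ordering situation the description describes. The sample jars it builds are constructed stand-ins (a few bytes where the class file would be), labelled as such in the code, so it runs offline; on the Maven side the companion check is `mvn dependency:tree -Dincludes=commons-collections` after bumping commons-beanutils to 1.9.3.

```python
"""Audit a directory of jars for Apache Commons Collections 3.x copies affected by
CVE-2015-6420 (fixed in 3.2.2), including copies pulled in transitively and
duplicate versions that make exposure depend on classpath order.

Added example for the ARTEMIS-1483 discussion; not Artemis project code.
Assumption: jars carry Maven's META-INF/maven/.../pom.properties, as the official
commons-collections builds do.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# First release that disables the unsafe functors during deserialization by default.
FIXED_VERSION = (3, 2, 2)
POM_PROPS = "META-INF/maven/commons-collections/commons-collections/pom.properties"
# Class used by the published deserialization gadget chains; its presence anywhere
# on the classpath is what the issue description warns about.
GADGET_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); tolerant of suffixes such as '3.2.1-SNAPSHOT'."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def inspect_jar(path):
    """Return (commons-collections version or None, whether the gadget class is present)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, GADGET_CLASS in names


def audit(lib_dir):
    """Scan every *.jar directly under lib_dir; report affected copies and duplicates."""
    report = {"collections_jars": [], "vulnerable": [], "multiple_copies": False}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        version, has_gadget = inspect_jar(jar)
        if version is None and not has_gadget:
            continue  # unrelated jar
        report["collections_jars"].append(
            {"jar": jar.name, "version": version, "has_gadget_class": has_gadget}
        )
        # Gadget class present but no readable version: treat as affected until proven otherwise.
        if version is None or parse_version(version) < FIXED_VERSION:
            report["vulnerable"].append(jar.name)
    # Two copies means which InvokerTransformer gets loaded depends on classpath order.
    report["multiple_copies"] = len(report["collections_jars"]) > 1
    return report


def build_sample_libdir(dest=None):
    """Write constructed sample jars (stand-ins, not real artifacts) so the audit runs offline."""
    dest = Path(dest or tempfile.mkdtemp())
    dest.mkdir(parents=True, exist_ok=True)
    samples = {
        "commons-collections-3.2.1.jar": "3.2.1",  # the copy an older beanutils drags in
        "commons-collections-3.2.2.jar": "3.2.2",  # the explicit upgrade from ARTEMIS-309
    }
    for name, version in samples.items():
        with zipfile.ZipFile(dest / name, "w") as zf:
            zf.writestr(
                POM_PROPS,
                f"groupId=commons-collections\nartifactId=commons-collections\nversion={version}\n",
            )
            zf.writestr(GADGET_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    # An unrelated jar, to show it is ignored.
    with zipfile.ZipFile(dest / "commons-beanutils.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return dest


if __name__ == "__main__":
    result = audit(build_sample_libdir())
    for e in result["collections_jars"]:
        print(f"{e['jar']}: version={e['version']} gadget_class={e['has_gadget_class']}")
    print("affected:", result["vulnerable"])
    if result["multiple_copies"]:
        print("WARNING: more than one commons-collections jar; exposure depends on classpath order")
```

Run it against a real lib/ directory by calling `audit("/path/to/lib")`; a clean result is an empty `vulnerable` list and `multiple_copies` false. Checking for the gadget class as well as the version string is deliberate: a repackaged or stripped jar without pom.properties still gets reported rather than silently passing.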