Date: Fri, 27 Oct 2017 15:54:00 +0000 (UTC)
From: "Justin Bertram (JIRA)"
To: issues@activemq.apache.org
Subject: [jira] [Resolved] (ARTEMIS-1483) Upgrade beanutils

     [ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-1483.
-------------------------------------
    Resolution: Fixed

> Upgrade beanutils
> -----------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.3.0
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>             Fix For: 2.4.0
>
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to 3.2.2; however, this fix was not sufficient because ACC is also pulled in via Apache BeanUtils. This is a potential problem because it is enough for the bad library to be anywhere on the classpath, so whether Artemis is vulnerable or not may depend on the vagaries of classpath ordering (if both versions somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too. The reports it generates are excellent.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
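The reporter's concern is that a fix which pins one declaration of commons-collections can be undone by a second copy arriving transitively (here via BeanUtils), and that with two copies on the classpath the loaded version depends on ordering. The following is an added example, not code from the issue or from the ActiveMQ Artemis project: a small audit that walks a flat lib directory (the shape of a broker distribution), groups jars by artifact, and reports both duplicate artifacts (the ordering hazard) and versions below the floors the issue itself names (commons-collections 3.2.2, commons-beanutils 1.9.3). It assumes the usual `<artifact>-<version>.jar` file naming; the sample directory listing is constructed for the example.

```python
import os
import re
from collections import defaultdict

# Minimum safe versions taken from the issue text: ARTEMIS-309 moved
# commons-collections to 3.2.2, and BeanUtils 1.9.3 is the release whose own
# commons-collections dependency was upgraded to match. Extend as needed.
MIN_SAFE_VERSION = {
    "commons-collections": "3.2.2",
    "commons-beanutils": "1.9.3",
}

# Assumes Maven-style names such as commons-beanutils-1.9.2.jar or
# netty-all-4.1.16.Final.jar: artifact id, dash, version starting with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar_name(name):
    """Return (artifact, version) for a jar file name, or None if it does not fit."""
    m = JAR_NAME.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Tuple of leading numeric components: '3.2.2' -> (3, 2, 2).

    Qualifiers such as '-SNAPSHOT' or '.Final' stop the parse and are ignored
    for ordering, which is good enough for a minimum-version check.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def audit_jars(jar_names):
    """Audit a flat list of jar file names.

    Returns a list of (artifact, kind, detail) findings:
      ("x", "duplicate", "1.0,2.0")  -> two versions present, load order decides
      ("x", "below-minimum", "1.0")  -> version under the floor in MIN_SAFE_VERSION
    """
    versions = defaultdict(set)
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed:
            artifact, version = parsed
            versions[artifact].add(version)

    findings = []
    for artifact, seen in sorted(versions.items(), key=lambda kv: kv[0]):
        ordered = sorted(seen, key=version_key)
        if len(seen) > 1:
            findings.append((artifact, "duplicate", ",".join(ordered)))
        floor = MIN_SAFE_VERSION.get(artifact)
        if floor:
            for v in ordered:
                if version_key(v) < version_key(floor):
                    findings.append((artifact, "below-minimum", v))
    return findings


def scan_lib_dir(path):
    """Audit every *.jar directly inside a directory (e.g. a broker's lib/)."""
    return audit_jars(n for n in os.listdir(path) if n.endswith(".jar"))


# Constructed listing (not a real Artemis distribution): the direct pin to 3.2.2
# is present, but an older copy and an old BeanUtils are sitting next to it.
SAMPLE_LIB = [
    "commons-collections-3.2.2.jar",
    "commons-collections-3.2.1.jar",
    "commons-beanutils-1.9.2.jar",
    "netty-all-4.1.16.Final.jar",
    "slf4j-api-1.7.25.jar",
    "README.txt",
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_lib_dir(target) if target else audit_jars(SAMPLE_LIB)
    for artifact, kind, detail in results:
        print(f"{kind:14} {artifact} {detail}")
```

Run it with a lib directory as the argument to audit a real distribution; with no argument it audits the constructed sample, which produces one below-minimum finding for BeanUtils and both a duplicate and a below-minimum finding for commons-collections. The duplicate check is the one that matters for the ordering problem the issue describes: a floor check alone passes as soon as any copy is new enough.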