cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9053) CloudStack is dependent upon a vulnerable version of Commons Collections
Date Fri, 20 Nov 2015 09:43:11 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15015508#comment-15015508 ]

ASF subversion and git services commented on CLOUDSTACK-9053:
-------------------------------------------------------------

Commit 401693eafbe940c8fc349eec950779cf3e3f2717 in cloudstack's branch refs/heads/4.6 from
[~remibergsma]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=401693e ]

Merge pull request #1089 from DaanHoogland/CLOUDSTACK-9053

CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580. cloudstack is not vulnerable, but as
the classes are in, they might be used in the future, so we upgrade to prevent accidental
vulnerabilities.

unit tests in master succeeded. unit tests on 4.6 passed. integration tests going on.

* pr/1089:
  CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

Signed-off-by: Remi Bergsma <github@remi.nl>


> CloudStack is dependent upon a vulnerable version of Commons Collections
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9053
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9053
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: John Kinsella
>
> COLLECTIONS-580 was brought to our attention today. Current versions of Apache Commons
> Collections contain a serialization/unserialization vulnerability which may result in remote
> code execution.
> CloudStack does not seem to use the specific vulnerable class InvokerTransformer, so
> in theory we could recommend pulling that class from the jars/wars, but still looking to see
> what else we can do...
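The reporter's first question above is whether the InvokerTransformer class is actually packaged in the shipped jars/wars. The following is an added example, not code from the JIRA issue, the commit, or the CloudStack project: a small Python scanner that walks a jar or war (descending into nested jars such as WEB-INF/lib/*.jar) and reports every location of `InvokerTransformer.class` under either the Commons Collections 3 or 4 package layout. The sample war it scans is constructed inline. A hit means the dependency still needs the upgrade; it does not by itself show that the application deserializes untrusted input, which is the distinction the commit message makes.

```python
import io
import sys
import zipfile
from typing import List

# Class that COLLECTIONS-580 concerns, in both the Commons Collections 3 and 4 package layouts.
INVOKER_TRANSFORMER_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)


def scan_archive(data: bytes, label: str = "<archive>") -> List[str]:
    """Return one 'outer!inner!...' path per InvokerTransformer.class found in a zip-based
    archive (jar, war, ear), recursing into nested .jar entries."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = f"{label}!{info.filename}"
            if info.filename in INVOKER_TRANSFORMER_CLASSES:
                hits.append(entry)
            elif info.filename.endswith(".jar"):
                # Nested jar (e.g. a war's WEB-INF/lib): read it fully and scan it in turn.
                hits.extend(scan_archive(zf.read(info), entry))
    return hits


def scan_path(path: str) -> List[str]:
    """Scan an archive on disk; the returned labels start with the file path."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def build_sample_war(with_invoker_transformer: bool) -> bytes:
    """Constructed test input: a minimal war carrying a fake commons-collections jar
    in WEB-INF/lib. The .class payloads are just the class-file magic, not real classes."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/commons/collections/map/LRUMap.class", b"\xca\xfe\xba\xbe")
        if with_invoker_transformer:
            jar.writestr(INVOKER_TRANSFORMER_CLASSES[0], b"\xca\xfe\xba\xbe")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/commons-collections-sample.jar", jar_buf.getvalue())
    return war_buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_invoker_transformer.py path/to/app.war [more archives...]
    # With no arguments, scan the constructed sample war instead.
    targets = sys.argv[1:]
    if not targets:
        for hit in scan_archive(build_sample_war(True), "sample.war"):
            print("FOUND", hit)
    for path in targets:
        for hit in scan_path(path):
            print("FOUND", hit)
```

The scanner reads each nested jar into memory, which is fine for typical web application archives; for very large ears, stream the entries instead. Pairing the class check with the dependency version recorded in the build (the upgrade the commit performs) is the more durable fix, since a later dependency could reintroduce the class.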



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
