From: "ASF GitHub Bot (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Date: Wed, 18 Nov 2015 22:38:11 +0000 (UTC)
Subject: [jira] [Commented] (CLOUDSTACK-9053) CloudStack is dependent upon a vulnerable version of Commons Collections

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15012220#comment-15012220 ]

ASF GitHub Bot commented on CLOUDSTACK-9053:
--------------------------------------------

GitHub user DaanHoogland opened a pull request:
    https://github.com/apache/cloudstack/pull/1089

    CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

    CloudStack is not vulnerable, but as the classes are in, they might be used in the future, so we upgrade to prevent accidental vulnerabilities. Integration test against master is going on.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/DaanHoogland/cloudstack CLOUDSTACK-9053

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1089.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1089

----
commit d40d3498a6faa62fb8dc0df4d4e14b07a8363cb3
Author: Daan Hoogland
Date:   2015-11-18T21:54:25Z

    CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

    CloudStack is not vulnerable, but as the classes are in, they might be used in the future, so we upgrade to prevent accidental vulnerabilities.

----

> CloudStack is dependent upon a vulnerable version of Commons Collections
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9053
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9053
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: John Kinsella
>
> COLLECTIONS-580 was brought to our attention today. Current versions of Apache Commons Collections contain a serialization/unserialization vulnerability which may result in remote code execution.
> CloudStack does not seem to use the specific vulnerable class InvokerTransformer, so in theory we could recommend pulling that class from the jars/wars, but still looking to see what else we can do...

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
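As an added illustration of the inventory check the issue description points at (which jars and wars actually ship the InvokerTransformer class, and at what Commons Collections version), not code from the pull request or the CloudStack project: a Python scan that opens each archive, descends into jars bundled inside a war, and reports the manifest version against the fix. The 3.2.2 threshold is an assumption not stated on the page, and the sample war is constructed inline with placeholder class bytes.

```python
import io
import tempfile
import zipfile

GADGET = "org/apache/commons/collections/functors/InvokerTransformer.class"  # class named in the issue
FIXED = (3, 2, 2)  # assumed first 3.x release carrying the COLLECTIONS-580 fix; not from the page

def parse_version(text):
    # '3.2.1-SNAPSHOT' -> (3, 2, 1): numeric dotted components before any '-' suffix
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def inspect_archive(zf, label):
    """Finding for one archive, or None if it does not ship the gadget class."""
    if GADGET not in zf.namelist():
        return None
    version = manifest_version(zf)
    parsed = parse_version(version or "")
    # None: version unknown, review by hand; True/False: below / at-or-above the fix
    vulnerable = parsed < FIXED if parsed else None
    return {"archive": label, "version": version, "vulnerable": vulnerable}

def scan_archives(paths):
    """Inspect each .jar/.war path, also descending into jars bundled inside wars."""
    findings = []
    for path in paths:
        with zipfile.ZipFile(path) as zf:
            findings.append(inspect_archive(zf, path))
            for inner in zf.namelist():  # e.g. WEB-INF/lib/*.jar inside a war
                if inner.endswith(".jar"):
                    with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as izf:
                        findings.append(inspect_archive(izf, path + "!" + inner))
    return [f for f in findings if f]

def demo():
    """Constructed sample: a war bundling a collections 3.2.1 jar (placeholder class bytes)."""
    with tempfile.TemporaryDirectory() as root:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 3.2.1\n")
            jar.writestr(GADGET, b"\xca\xfe\xba\xbe")
        with zipfile.ZipFile(root + "/app.war", "w") as war:
            war.writestr("WEB-INF/lib/commons-collections-3.2.1.jar", buf.getvalue())
        return scan_archives([war.filename])
```

Run `demo()` to see the single finding for the nested jar; a jar whose manifest carries no Implementation-Version is reported with `vulnerable` set to None so it is not silently passed.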