commons-commits mailing list archives

From t.@apache.org
Subject svn commit: r1713850 - in /commons/proper/collections/branches/COLLECTIONS_3_2_X: RELEASE-NOTES.txt src/changes/changes.xml
Date Wed, 11 Nov 2015 14:29:18 GMT
Author: tn
Date: Wed Nov 11 14:29:18 2015
New Revision: 1713850

URL: http://svn.apache.org/viewvc?rev=1713850&view=rev
Log:
Update Release Notes with details about improved fix for COLLECTIONS-580.

Modified:
    commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt
    commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml

Modified: commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt?rev=1713850&r1=1713849&r2=1713850&view=diff
==============================================================================
--- commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt (original)
+++ commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt Wed Nov 11 14:29:18 2015
@@ -12,8 +12,9 @@ This release is JDK1.3 compatible, and d
 This v3.2.2 release is a bugfix release, fixing several bugs present in the previous
 releases of the 3.2 branch. Additionally, this release provides a mitigation for a
 known remote code exploitation via the standard java object serialization mechanism.
-By default, de-serialization of "InvokerTransformer" instances is prohibited and
-will result in an exception. For more details, please refer to COLLECTIONS-580.
+By default, serialization support for unsafe classes in the functor package is
+disabled and will result in an exception when either trying to serialize or de-serialize
+an instance of these classes. For more details, please refer to COLLECTIONS-580.
 
 All users are strongly encouraged to updated to this release.
 
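Review bot: the rewritten intro paragraph ("By default, serialization support for unsafe classes in the functor package is disabled ...") drops the one concrete detail the old text had (which class is affected) and still does not say how the behaviour is controlled, so a user reading only this paragraph cannot tell whether their code is affected or how to react. Suggest naming the switch here as well, e.g. "This is controlled by the system property "org.apache.commons.collections.enableUnsafeSerialization"", and naming the exception type that is thrown so callers know what to catch. It would also help to state plainly that this is a mitigation for one known gadget chain in this library and not a general fix for deserializing untrusted data, so "provides a mitigation for a known remote code exploitation" is not read as making ObjectInputStream on untrusted input safe. Separately, the unchanged context line "All users are strongly encouraged to updated to this release." has a typo ("updated" should be "update") that could be fixed while this file is being touched.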
@@ -23,11 +24,14 @@ Changes in this version include:
 CHANGES
 =======
 
-o COLLECTIONS-580:  De-serialization of "InvokerTransformer" is disabled by default as this
-                    can be exploited for remote code execution attacks. To re-enable the
-                    feature the system property
-                    "org.apache.commons.collections.invokertransformer.enableDeserialization"
-                    needs to be set to "true". 
+o COLLECTIONS-580:  Serialization support for unsafe classes in the functor package is
+                    disabled by default as this can be exploited for remote code execution
+                    attacks. To re-enable the feature the system property
+                    "org.apache.commons.collections.enableUnsafeSerialization" needs to be
+                    set to "true".
+                    Classes considered to be unsafe are: CloneTransformer, ForClosure,
+                    InstantiateFactory, InstantiateTransformer, InvokerTransformer,
+                    PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.
 
 BUGFIXES
 ========
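Review bot: the CHANGES entry documents a single system property that re-enables serialization for all eight listed classes at once, with no per-class granularity, but nothing warns that setting it to "true" restores exactly the remote-code-execution behaviour the entry says is being disabled. Suggest adding a sentence after the property, e.g. "Setting this property re-enables the exploitable behaviour and should only be done if the application never deserializes untrusted input." The entry also only says support is "disabled", while the RELEASE-NOTES intro in the hunk above says the exception is thrown "when either trying to serialize or de-serialize"; stating here that both writeObject and readObject are affected would avoid surprising users who only serialize these functors for internal persistence and now fail on the write side.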

Modified: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml?rev=1713850&r1=1713849&r2=1713850&view=diff
==============================================================================
--- commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml (original)
+++ commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml Wed Nov 11 14:29:18 2015
@@ -21,12 +21,15 @@
   </properties>
   <body>
 
-  <release version="3.2.2" date="20XX-XX-XX" description="This is a bugfix release.">
+  <release version="3.2.2" date="2015-11-18" description="This is a bugfix release.">
     <action issue="COLLECTIONS-580" dev="tn" type="update">
-      De-serialization of "InvokerTransformer" is disabled by default as this
-      can be exploited for remote code execution attacks. To re-enable the
-      feature the system property "org.apache.commons.collections.invokertransformer.enableDeserialization"
+      Serialization support for unsafe classes in the functor package is disabled
+      by default as this can be exploited for remote code execution attacks.
+      To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization"
       needs to be set to "true".
+      Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory,
+      InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory,
+      PrototypeSerializationFactory, WhileClosure.
     </action>
     <action issue="COLLECTIONS-538" dev="tn" type="fix" due-to="Trejkaz">
       "ExtendedProperties" will now use a privileged action to access the
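Review bot: the release description in changes.xml stays description="This is a bugfix release." while the COLLECTIONS-580 action directly below it, and RELEASE-NOTES.txt in the same commit, describe a mitigation for remote code execution; since this description is what the generated changes report shows first, suggest aligning it, e.g. description="This is a bugfix release which also mitigates a remote code execution issue via Java object serialization (COLLECTIONS-580)." The action itself is typed type="update" and opens with "Serialization support ... is disabled", which reads as a routine change; leading the text with the security impact would make it stand out in the report. Finally, hard-coding date="2015-11-18" here fixes a release date a week after this commit; if the release vote slips, the published report will carry the wrong date, so it may be better filled in when the release is actually cut.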


