commons-dev mailing list archives

From Thomas Neidhart <>
Subject [VOTE] Release Commons Collections 3.2.2 Based on RC1
Date Mon, 09 Nov 2015 22:37:05 GMT
Hi all,

in order to provide a work-around for the known remote code exploit via
Java de-serialization of malicious InvokerTransformer instances, I would
like to start a vote to release Commons Collections 3.2.2 based on RC1.

I would kindly ask people to review the RC especially wrt the following

 * OSGi compatibility
 * reproducing the exploits and verifying that it provides protection
 * any kind of regression that this release might create with existing


 * the site will not be published, it just serves as a reference to
access the various reports. After a successful vote, the current 4.X
branch site will be updated with relevant information and published.

 * some tests might fail with various IBM JDK 6 JREs, these are known
issues and have been worked-around in the 4.X branch but are not
back-ported to this release.

Collections 3.2.2 RC1 is available for review here:
    (svn revision 11092)

Maven artifacts are here:

Details of changes since 3.2.1 are in the release notes:

The tag is here:
    (svn revision 1713561)


Clirr Report (compared to 3.2.1):

RAT Report:


Please review the release candidate and vote.

This vote will close no sooner than 72 hours from now, i.e. after 2300
GMT 12-November 2015

  [ ] +1 Release these artifacts
  [ ] +0 OK, but...
  [ ] -0 OK, but really should fix...
  [ ] -1 I oppose this release because...


