commons-dev mailing list archives

From Luc Maisonobe <...@spaceroots.org>
Subject Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Date Fri, 13 Nov 2015 20:12:25 GMT
On 13/11/2015 20:26, Gary Gregory wrote:
> +1
> 
> Tested with src zip.
> 
> BUT:
> 
> - The site Javadoc link is labeled "3.2.1" (fixed in
> https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> )
> - The site history does not mention it (fixed in svn)
> 
> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?

Yes. I check this for every release.

Luc

> 
> Reports OK.
> 
> Tested building with:
> 
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
> 
> and:
> 
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
> 
> Gary
> 
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidhart@gmail.com>
> wrote:
> 
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> Java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>>  * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>>  * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>>
>>  * Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>>  * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>>
>> Changes from RC2:
>>
>>  * fixed false positives in RAT report
>>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>>  * fixed RAT report
>>  * fixed NOTICE file
>>  * improve the security fix: it has been made symmetric in the sense
>>    that also the serialization of an unsafe class is disabled by
>>    default and will result in an exception
>>  * changed the system property to re-enable serialization of unsafe
>>    classes. It is now
>>    "org.apache.commons.collections.enableUnsafeSerialization"
>>  * all classes in the functor package which (based on current
>>    knowledge) have to be considered unsafe cannot be serialized/
>>    de-serialized any more by default. This includes the following
>>    classes:
>>
>>  ** CloneTransformer
>>  ** PrototypeFactory (inner classes
>>                       PrototypeCloneFactory and
>>                       PrototypeSerializationFactory)
>>  ** InstantiateFactory
>>  ** InstantiateTransformer
>>  ** ForClosure
>>  ** WhileClosure
>>  ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC3 is available for review here:
>>     https://dist.apache.org/repos/dist/dev/commons/collections/
>>     (svn revision 11167)
>>
>> Maven artifacts are here:
>>
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>>
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>>     (svn revision 1714131)
>>
>> Site:
>>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>>
> 
> 
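The behaviour Thomas describes above (serialization of the listed functor classes is refused by default and only re-enabled through the named system property) is something a release tester can verify mechanically rather than by reading the diff. The following Java program is an added example; it is not part of this thread and not Commons Collections code. It assumes commons-collections 3.2.2 is on the classpath, that the public `InvokerTransformer(String, Class[], Object[])` constructor of 3.2.x is still present, and that the refusal surfaces as a `RuntimeException` thrown from `writeObject` (the vote mail only says "will result in an exception", so the exact type is an assumption here and is deliberately not relied on).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Added release-verification check (hypothetical class name, not project code):
 * with commons-collections 3.2.2 on the classpath, serializing an
 * InvokerTransformer must fail unless the opt-in property is set.
 */
public class UnsafeSerializationCheck {

    /** Property named in the 3.2.2 vote mail that re-enables unsafe serialization. */
    static final String PROPERTY =
            "org.apache.commons.collections.enableUnsafeSerialization";

    /** Writes the object to a byte array and reads it back through Java serialization. */
    static Object roundTrip(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    /**
     * Returns true if the library refused to serialize the functor (the hardened
     * default), false if the round trip succeeded (the pre-3.2.2 behaviour, or
     * 3.2.2 with the opt-in property set).
     */
    static boolean serializationRefused() throws Exception {
        // A harmless functor instance; the check is about the class, not the call it carries.
        Transformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);
        try {
            roundTrip(t);
            return false;
        } catch (RuntimeException refused) {
            // Assumption: 3.2.2 signals the refusal with a RuntimeException from writeObject.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean optedIn = "true".equalsIgnoreCase(System.getProperty(PROPERTY));
        boolean refused = serializationRefused();

        if (!optedIn && !refused) {
            throw new AssertionError("3.2.2 fix not in effect: InvokerTransformer was serialized "
                    + "without " + PROPERTY + "=true");
        }
        if (optedIn && refused) {
            throw new AssertionError("opt-in property is set but serialization was still refused");
        }
        System.out.println(optedIn
                ? "unsafe serialization explicitly enabled via " + PROPERTY + " (do not deploy this way)"
                : "OK: InvokerTransformer serialization refused by default");
    }
}
```

Run it once with a plain `java -cp commons-collections-3.2.2.jar:. UnsafeSerializationCheck` (expect the "refused by default" line) and once with `-Dorg.apache.commons.collections.enableUnsafeSerialization=true` (expect the opt-in line); any other outcome means the classpath does not actually carry the fixed artifact. Because the fix is symmetric, the deserialization side cannot be exercised without first producing a stream under the opt-in property, which is why the check above treats the write-side refusal as the default-configuration gate. The same program applies unchanged to the other functor classes in Thomas's list by swapping the constructed instance.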

