commons-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Date Fri, 13 Nov 2015 20:15:03 GMT
On Fri, Nov 13, 2015 at 12:12 PM, Luc Maisonobe <luc@spaceroots.org> wrote:

> On 13/11/2015 20:26, Gary Gregory wrote:
> > +1
> >
> > Tested with src zip.
> >
> > BUT:
> >
> > - The site Javadoc link is labeled "3.2.1" (fixed in
> >   https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X )
> > - The site history does not mentioned (fixed in svn)
> >
> > ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Yes. I check this for every release.
>

Great, thank you for clarifying that.

Gary


>
> Luc
>
> >
> > Reports OK.
> >
> > Tested building with:
> >
> > Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> > 2015-04-22T04:57:37-07:00)
> > Maven home: C:\Java\apache-maven-3.3.3\bin\..
> > Java version: 1.7.0_79, vendor: Oracle Corporation
> > Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> > Default locale: en_US, platform encoding: Cp1252
> > OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
> >
> > and:
> >
> > Apache Ant(TM) version 1.9.6 compiled on June 29 2015
> >
> > Gary
> >
> > On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidhart@gmail.com>
> > wrote:
> >
> >> Hi all,
> >>
> >> in order to provide a work-around for the known remote code exploit via
> >> java de-serialization of malicious InvokerTransformer instances, I would
> >> like to start a vote to release Commons Collections 3.2.2 based on RC3.
> >>
> >> Notes:
> >>
> >>  * the site will not be published, it just serves as a reference to
> >> access the various reports. After a successful vote, the current 4.X
> >> branch site will be updated with relevant information and published.
> >>
> >>  * some tests might fail with various IBM JDK 6 JREs, these are known
> >> issues and have been worked-around in the 4.X branch but are not
> >> back-ported to this release.
> >>
> >>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> >> with a newly introduced default method in the Map interface.
> >>
> >>  * the collections-testframework.jar that has been published in previous
> >> versions is not included in this release
> >>
> >> Changes from RC2:
> >>
> >>  * fixed false positives in RAT report
> >>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
> >>
> >> Changes from RC1:
> >>
> >>  * fixed RAT report
> >>  * fixed NOTICE file
> >>  * improve the security fix: it has been made symmetric in the sense
> >>    that also the serialization of an unsafe class is disabled by
> >>    default and will result in an exception
> >>  * changed the system property to re-enable serialization of unsafe
> >>    classes. It is now
> >>    "org.apache.commons.collections.enableUnsafeSerialization"
> >>  * all classes in the functor package which (based on current
> >>    knowledge) have to be considered unsafe cannot be serialized/
> >>    de-serialized any more by default. This includes the following
> >>    classes:
> >>
> >>  ** CloneTransformer
> >>  ** PrototypeFactory (inner classes
> >>                       PrototypeCloneFactory and
> >>                       PrototypeSerializationFactory)
> >>  ** InstantiateFactory
> >>  ** InstantiateTransformer
> >>  ** ForClosure
> >>  ** WhileClosure
> >>  ** InvokerTransformer
> >>
> >>
> >>
> >> Collections 3.2.2 RC3 is available for review here:
> >>     https://dist.apache.org/repos/dist/dev/commons/collections/
> >>     (svn revision 11167)
> >>
> >> Maven artifacts are here:
> >>     https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
> >>
> >> Details of changes since 3.2.1 are in the release notes:
> >>     https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> >>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
> >>
> >> The tag is here:
> >>     https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> >>     (svn revision 1714131)
> >>
> >> Site:
> >>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
> >>
> >> Clirr Report (compared to 3.2.1):
> >>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
> >>
> >> RAT Report:
> >>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
> >>
> >> KEYS:
> >>   https://www.apache.org/dist/commons/KEYS
> >>
> >> Please review the release candidate and vote.
> >>
> >>
> >> Considering that this is a security related release and that RC2 did not
> >> show any functional problems with the release, I plan to close this vote
> >> in 24h from now, i.e. after 0100 GMT 14-November 2015
> >>
> >>   [ ] +1 Release these artifacts
> >>   [ ] +0 OK, but...
> >>   [ ] -0 OK, but really should fix...
> >>   [ ] -1 I oppose this release because...
> >>
> >> Thanks,
> >>
> >> Thomas
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
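
An inventory check that follows from the announcement quoted above, added here as an example and not part of the thread or of the Commons project's code: it flags jars that ship the listed functor classes with a version below 3.2.2, and reports a JVM argument that sets the re-enable property. The package path `org/apache/commons/collections/functors/`, the `Implementation-Version` manifest attribute and all function names are assumptions; the sample jar is constructed.

```python
import io
import re
import zipfile

# Class names come from the list in the quoted announcement; the package path
# and the manifest version attribute are assumptions about the jar layout.
FUNCTORS = "org/apache/commons/collections/functors/"
UNSAFE = ["CloneTransformer", "PrototypeFactory$PrototypeCloneFactory",
          "PrototypeFactory$PrototypeSerializationFactory", "InstantiateFactory",
          "InstantiateTransformer", "ForClosure", "WhileClosure", "InvokerTransformer"]
PROP = "org.apache.commons.collections.enableUnsafeSerialization"
FIXED = (3, 2, 2)


def audit_jar(jar_bytes):
    """Return (status, unsafe classes found) for one jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        found = [c for c in UNSAFE if FUNCTORS + c + ".class" in names]
        if not found:
            return "no-unsafe-functors", found
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.MULTILINE)
    if not m:
        return "unknown-version", found  # shaded or repackaged copy: check by hand
    version = tuple(int(p) for p in m.group(1).split("."))
    return ("fixed" if version >= FIXED else "pre-3.2.2"), found


def override_value(jvm_args):
    """Return the value of the re-enable property on a JVM command line, or None."""
    for arg in jvm_args:
        key, _, value = arg[2:].partition("=")
        if arg.startswith("-D") and key == PROP:
            return value
    return None


def sample_jar(version):
    """Build a constructed in-memory jar (empty class file) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        z.writestr(FUNCTORS + "InvokerTransformer.class", b"")
    return buf.getvalue()
```

A jar reported as `unknown-version` carries the classes without a readable version, which is typical of shaded or repackaged copies and needs manual inspection.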
