commons-dev mailing list archives

From Timo <>
Subject Re: Deserialization vulnerability in Apache Commons Collection
Date Tue, 10 Nov 2015 12:36:15 GMT
Hi Deepesh,

there is an ongoing vote to release commons-collections 3.2.2, which
by default prevents InvokerTransformer from being deserialized. You
can find the release notes here:

For further information, please take a look at the ASF blog:


2015-11-10 9:05 GMT+01:00 Kapoor, Deepesh <>:
> Hi Team,
> This is regarding "commons-collections Java library". In our applications we are widely using this library and hence looking to urgently patch the fix for vulnerability issue if it is available.
> Searching on internet we found one patch released on Sunday 08th Nov
> Just wanted to check with you if there is any updated / compiled version of commons-collections jar available or going to be released soon which we can directly replace with our existing jar file that provides the fix for the vulnerability issue.
> Thanks in advance!
> Thanks & Regards,
> Deepesh
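
An added example, not part of the original thread and not Apache Commons code: one way to find which deployed jars still need the 3.2.2 replacement discussed above. It assumes the release version is recorded in the manifest's `Implementation-Version` attribute; the function names are hypothetical and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Class named in the reply, at its 3.x package path (other release lines not covered).
INVOKER = "org/apache/commons/collections/functors/InvokerTransformer.class"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED = (3, 2, 2)  # release named in the reply


def parse_version(text):
    """'3.2.1' -> (3, 2, 1), '3.2' -> (3, 2, 0); None if there is no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def check_jar(source):
    """Classify a jar given as a path or file object.

    Returns 'absent', 'fixed', 'needs-upgrade', 'unknown-version' or 'not-a-jar'.
    """
    try:
        with zipfile.ZipFile(source) as jar:
            names = jar.namelist()
            if INVOKER not in names:
                return "absent"
            manifest = jar.read(MANIFEST) if MANIFEST in names else b""
    except zipfile.BadZipFile:
        return "not-a-jar"
    # Assumption: the manifest's Implementation-Version reflects the library release.
    m = re.search(rb"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    version = parse_version(m.group(1).decode("ascii", "replace")) if m else None
    if version is None:
        return "unknown-version"  # class present but unlabelled: inspect by hand
    return "fixed" if version >= FIXED else "needs-upgrade"


def build_sample_jar(version=None, with_class=True):
    """Constructed in-memory jar for demonstration; not a real release artifact."""
    manifest = "Manifest-Version: 1.0\r\n"
    if version:
        manifest += "Implementation-Version: " + version + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        if with_class:
            jar.writestr(INVOKER, b"")
    return buf
```

`check_jar` also accepts a filesystem path, so it can be applied to every `*.jar` under a deployment directory. Jars nested inside WAR or EAR archives and copies of the class bundled into another product's jar are not resolved by this check.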
