commons-dev mailing list archives

From Timo <MailAnT...@gmx.de>
Subject Re: Deserialization vulnerability in Apache Commons Collection
Date Tue, 10 Nov 2015 12:36:15 GMT
Hi Deepesh,

there is an ongoing vote to release commons-collections 3.2.2, which
by default prevents InvokerTransformer from being deserialized. You
can find the release notes here:
https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt

For further information, please take a look at the ASF blog:
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Timo

2015-11-10 9:05 GMT+01:00 Kapoor, Deepesh <Deepesh_Kapoor@spe.sony.com>:
> Hi Team,
>
> This is regarding "commons-collections Java library". In our applications we are widely
> using this library and hence looking to urgently patch the fix for vulnerability issue if
> it is available.
> Searching on internet we found one patch released on Sunday 08th Nov http://svn.apache.org/viewvc?view=revision&revision=1713307
>
> Just wanted to check with you if there is any updated / compiled version of commons-collections
> jar available or going to be released soon which we can directly replace with our existing
> jar file that provides the fix for the vulnerability issue.
>
> Thanks in advance!
>
>
> Thanks & Regards,
> Deepesh

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
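As an added illustration of the point Timo makes above (this is example code written for this page, not code from the thread or from the Commons project): on 3.2.2 the readObject of InvokerTransformer refuses to deserialize unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true, as described in the linked release notes. An application that cannot swap the jar yet can get an equivalent effect at its own deserialization boundary by overriding ObjectInputStream.resolveClass, which runs before the class's own readObject. The example below serialises a harmless InvokerTransformer, then deserialises it once unfiltered and once through such a filtering stream. It goes slightly beyond the mail by rejecting the whole functors package rather than only InvokerTransformer, since the 3.2.2 notes cover several functor classes; the class name GadgetFilterDemo and the decision to block the entire package are this example's own choices, and it assumes commons-collections 3.2.x on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

import org.apache.commons.collections.functors.InvokerTransformer;

// Example code for this page, not part of Apache Commons Collections.
public class GadgetFilterDemo {

    /**
     * ObjectInputStream that rejects the commons-collections functor classes at
     * class-resolution time, i.e. before any readObject of those classes can run.
     * Blocking the whole package (this example's choice) covers the other functors
     * named in the 3.2.2 release notes, not only InvokerTransformer.
     */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("org.apache.commons.collections.functors.")
                    || name.startsWith("org.apache.commons.collections4.functors.")) {
                throw new InvalidClassException(name, "rejected by deserialization filter");
            }
            return super.resolveClass(desc);
        }
    }

    /** Serialise any Serializable object to a byte array (stand-in for untrusted input). */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A benign InvokerTransformer (would call toString() on its input); constructed here
        // only so there is a functor instance in the stream to be filtered.
        InvokerTransformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);
        byte[] bytes = serialize(t);

        // 1. Plain ObjectInputStream: 3.2.1 deserialises it; 3.2.2 throws
        //    UnsupportedOperationException from InvokerTransformer.readObject unless
        //    -Dorg.apache.commons.collections.enableUnsafeSerialization=true is set.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Object o = in.readObject();
            System.out.println("unfiltered: deserialized " + o.getClass().getName());
        } catch (UnsupportedOperationException e) {
            System.out.println("unfiltered: library refused: " + e.getMessage());
        }

        // 2. Filtering stream: rejected on any library version, before readObject is reached.
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            System.out.println("filtered: should not be reached");
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected " + e.classname);
        }
    }
}
```

Run it once against the 3.2.1 jar and once against 3.2.2 to see the first case change from "deserialized" to "library refused"; the second case rejects the stream on both. A class-name filter like this is a stop-gap for one known gadget family, not a substitute for upgrading or for not deserialising untrusted input at all.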

