To: dev@commons.apache.org
From: Jörg Schaible
Subject: Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2
Date: Thu, 12 Nov 2015 19:14:49 +0100
References: <56436C65.7020408@gmail.com>
Reply-To: joerg.schaible@gmx.de
User-Agent: KNode/4.14.8

Hi Thomas,

Thomas Neidhart wrote:

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
>   access the various reports. After a successful vote, the current 4.X
>   branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known
>   issues and have been worked-around in the 4.X branch but are not
>   back-ported to this release.
>
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>   with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
>   versions is not included in this release
>
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense
>   that also the serialization of an unsafe class is disabled by
>   default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
>   classes. It is now
>   "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
>   knowledge) have to be considered unsafe cannot be serialized/
>   de-serialized any more by default. This includes the following
>   classes:
>
>   ** CloneTransformer
>   ** PrototypeFactory (inner classes PrototypeCloneFactory and
>      PrototypeSerializationFactory)
>   ** InstantiateFactory
>   ** InstantiateTransformer
>   ** ForClosure
>   ** WhileClosure
>   ** InvokerTransformer
>
>
> Collections 3.2.2 RC2 is available for review here:
>   https://dist.apache.org/repos/dist/dev/commons/collections/
>   (svn revision 11147)
>
> Maven artifacts are here:
>   https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>   https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>
> The tag is here:
>   https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>   (svn revision 1713883)
>
> Site:
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
> Considering that this is a security related release and that RC1 did not
> show any functional problems with the release, I plan to close this vote
> in 24 from now, i.e. after 1800 GMT 12-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...

-1, sorry, but there's a regression.

The package claims to be compatible with Java 1.3. Well, I don't have 1.3
anymore, but 1.4. And I can build CC-3.2.1 and run all tests with Blackdown
JDK 1.4 and Maven 2.0.11. For CC-3.2.2 I have to use at least Java 5 and
Maven 3.0(.5):

- Using java-1.4 profile: Build fails, because tests no longer compile
- Sun JDK 1.5: TestAllPackages fails due to SecurityException:

================== %< ==================
Running org.apache.commons.collections.TestAllPackages
java.lang.SecurityException
        at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
        at java.lang.System.getProperty(System.java:628)
        at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.io.PrintWriter.<init>(PrintWriter.java:77)
        at java.io.PrintWriter.<init>(PrintWriter.java:61)
        at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
        at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
================== %< ==================

- Sun JDK 1.6: OK
- Oracle JDK 1.7: OK
- IBM JDK 1.5: OK (!!)
- IBM JDK 1.6 (J9 2.4): fails (as expected, same for CC-3.2.1)
- IBM JDK 1.7: OK (!!)
- IcedTea 6 (OpenJDK): TestAllPackages fails due to SecurityException:

================== %< ==================
Running org.apache.commons.collections.TestAllPackages
java.lang.SecurityException
        at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
        at java.lang.System.getProperty(System.java:628)
        at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.io.PrintWriter.<init>(PrintWriter.java:77)
        at java.io.PrintWriter.<init>(PrintWriter.java:61)
        at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
        at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
================== %< ==================

- IcedTea 7 (OpenJDK): OK

TestExtendedProperties.testActiveSecurityManager is the only test using a
SM, but I wonder why it fails the test now, because both failing JDKs have
no problem building CC-3.2.1 (using Maven 3.0.5) and all tests pass fine.

Cheers,
Jörg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
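The "symmetric" fix described in the quoted release notes (deserialization of the listed functor classes refused by default, serialization refused too, both re-enabled only through the named system property) is illustrated below as an added example. This is not Commons Collections code and not part of the thread; it is a generic deny-list guard written for this page. The fully qualified class names are assumed from the library's 3.x functors package, and `UnsafeFunctor` is a constructed stand-in so the demo runs without the library on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not Commons Collections code: a deny-list check applied on both
 * the read path (resolveClass) and the write path (replaceObject). Rejection
 * happens by class name before the JVM loads or instantiates anything, so no
 * constructor or readObject() of a rejected class ever runs.
 */
public class UnsafeSerializationGuard {

    /** Opt-in property named in the RC2 notes; unset means "disabled". */
    static final String ENABLE_PROP =
            "org.apache.commons.collections.enableUnsafeSerialization";

    /** Classes listed as unsafe in the RC2 notes (package name assumed), plus a constructed stand-in. */
    static final Set<String> UNSAFE_CLASSES = new HashSet<>(Arrays.asList(
            "org.apache.commons.collections.functors.CloneTransformer",
            "org.apache.commons.collections.functors.PrototypeFactory$PrototypeCloneFactory",
            "org.apache.commons.collections.functors.PrototypeFactory$PrototypeSerializationFactory",
            "org.apache.commons.collections.functors.InstantiateFactory",
            "org.apache.commons.collections.functors.InstantiateTransformer",
            "org.apache.commons.collections.functors.ForClosure",
            "org.apache.commons.collections.functors.WhileClosure",
            "org.apache.commons.collections.functors.InvokerTransformer",
            UnsafeFunctor.class.getName()));

    /** Constructed stand-in for a dangerous functor; it does nothing harmful. */
    static final class UnsafeFunctor implements Serializable {
        private static final long serialVersionUID = 1L;
        final String label;
        UnsafeFunctor(String label) { this.label = label; }
    }

    /** Shared check; the message tells the operator how to opt back in. */
    static void checkUnsafeClass(String className) {
        if (!Boolean.getBoolean(ENABLE_PROP) && UNSAFE_CLASSES.contains(className)) {
            throw new UnsupportedOperationException("Serialization support for " + className
                    + " is disabled for security reasons. To enable it set the system property '"
                    + ENABLE_PROP + "' to 'true'.");
        }
    }

    /** Read side: look-ahead check on the class descriptor, before any instance exists. */
    static final class GuardedObjectInputStream extends ObjectInputStream {
        GuardedObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            checkUnsafeClass(desc.getName());
            return super.resolveClass(desc);
        }
    }

    /** Write side: the symmetric check, so an unsafe object cannot be emitted either. */
    static final class GuardedObjectOutputStream extends ObjectOutputStream {
        GuardedObjectOutputStream(OutputStream out) throws IOException {
            super(out);
            enableReplaceObject(true); // replaceObject() is only called when enabled
        }

        @Override
        protected Object replaceObject(Object obj) throws IOException {
            checkUnsafeClass(obj.getClass().getName());
            return obj;
        }
    }

    /** Plain, unguarded serialization: stands in for bytes arriving from an untrusted source. */
    static byte[] serializeUnguarded(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserializeGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new GuardedObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Ordinary data still round-trips through the guarded stream.
        byte[] safe = serializeUnguarded(new HashMap<>(Collections.singletonMap("k", "v")));
        System.out.println("safe payload -> " + deserializeGuarded(safe));

        // 2. A stream carrying a deny-listed class is rejected before instantiation.
        byte[] unsafe = serializeUnguarded(new UnsafeFunctor("constructed"));
        try {
            deserializeGuarded(unsafe);
        } catch (UnsupportedOperationException e) {
            System.out.println("read rejected: " + e.getMessage());
        }

        // 3. Symmetric check: writing the same object through the guarded output fails too.
        ObjectOutputStream oos = new GuardedObjectOutputStream(new ByteArrayOutputStream());
        try {
            oos.writeObject(new UnsafeFunctor("constructed"));
        } catch (UnsupportedOperationException e) {
            System.out.println("write rejected: " + e.getMessage());
        }
    }
}
```

The deny-list approach shown here matches the scope of the release being voted on: it stops the specific functor gadgets the notes enumerate, but any other serializable class with dangerous side effects stays reachable, which is why an allow-list is the stronger default where the set of expected types is known. On Java 9 and later (and 8u121+), `ObjectInputFilter` and the `jdk.serialFilter` property provide the read-side hook without subclassing `ObjectInputStream`; the write-side check has no equivalent there and still needs `replaceObject` as above.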