commons-issues mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (VALIDATOR-357) Upgrade BeanUtils
Date Fri, 16 Jan 2015 19:17:34 GMT

    [ https://issues.apache.org/jira/browse/VALIDATOR-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14280685#comment-14280685 ]

Sebb commented on VALIDATOR-357:
--------------------------------

Currently the only references to BeanUtils are to PropertyUtils:

Field: calls PropertyUtils.getProperty(bean, this.getIndexedListProperty()); twice

ValidatorUtils: public static String getValueAsString(Object bean, String property)
PropertyUtils.getProperty(bean, property);

> Upgrade BeanUtils
> -----------------
>
>                 Key: VALIDATOR-357
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-357
>             Project: Commons Validator
>          Issue Type: New Feature
>          Components: Framework
>    Affects Versions: 1.1.3 Release, 1.2.0 Release, 1.3.0 Release, 1.3.1 Release, 1.4.0 Release, 1.4.1 Release
>            Reporter: David Dillard
>            Priority: Minor
>             Fix For: 1.5.0
>
>
> Validator 1.41 depends on BeanUtils 1.8.3.  This has a "potential security issue", see http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt  Also, see http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2014-0114
> Even if this issue doesn't affect Validator, BeanUtils should be upgraded so that issue doesn't affect other users of BeanUtils given the screwy way some builders (e.g. Maven) resolve conflicting dependencies.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
