commons-user mailing list archives

From Joël Traber <joel.tra...@stabilit.ch>
Subject [configuration] is common-configuration affected by COLLECTIONS-580
Date Tue, 17 Nov 2015 17:01:18 GMT
Hi guys,

I am running an application working with commons-configuration version 1.6.
I just noticed a bug in commons-collection (http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results).

As the older versions (will be changed in 2.0) of commons-configuration have a runtime
dependency on commons-collections, I am wondering if they are potentially affected by this
bug as well?
Commons-configuration version 1.6 uses commons-collections 3.2.1, which still contains the
bug. (From 3.2.2 they disabled the classes by default.)
The documentation says only ConfigurationConverter has a dependency on commons-collections
(org.apache.commons.collections.ExtendedProperties). I bet that the classes affected by the bug
are never referenced and do not run. To me that looks pretty much like using commons-configuration
1.6 is safe, not recommended but safe. Even more because it is not using any Serialization
support from commons-collections.

Can somebody confirm this?

Many thanks
joël
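
The question above turns on which commons-collections 3.x version an application actually ships (3.2.1 versus 3.2.2). The following inventory check is an added example, not part of the original message or of any Apache Commons project. It assumes a copy of the library can be recognised by the ExtendedProperties class named in the message and that its version can be read from the manifest's Implementation-Version or from the file name; all function names and the sample archive are constructed.

```python
import io
import re
import zipfile

FIXED = (3, 2, 2)  # per the message, the classes are disabled by default from 3.2.2
MARKER = "org/apache/commons/collections/ExtendedProperties.class"  # class named in the message
MANIFEST = "META-INF/MANIFEST.MF"


def _version(zf, name):
    """Assumed version sources: manifest Implementation-Version, else the file name."""
    text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in zf.namelist() else ""
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", text, re.M)
    m = m or re.search(r"-(\d+(?:\.\d+)*)\.jar$", name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan(data, name, path=""):
    """Yield (location, version, state) for each commons-collections 3.x copy, nested ones too."""
    here = f"{path}!/{name}" if path else name
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # entry only looked like an archive; skip it
    with zf:
        names = zf.namelist()
        if MARKER in names:
            ver = _version(zf, name)
            state = "unknown" if ver is None else "pre-3.2.2" if ver < FIXED else "3.2.2-or-later"
            yield here, ver, state
        for entry in names:  # descend into jars bundled in a WAR/EAR or fat jar
            if entry.lower().endswith((".jar", ".war", ".ear")):
                yield from scan(zf.read(entry), entry, here)


def _zip(entries):  # constructed-sample helper: {entry name: content} -> archive bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


def demo():
    """Constructed sample: a WAR with a renamed 3.2.1 jar (manifest) and a 3.2.2 jar (name only)."""
    old = _zip({MARKER: b"", MANIFEST: "Implementation-Version: 3.2.1\r\n"})
    lib = "WEB-INF/lib/"
    war = _zip({lib + "renamed.jar": old, lib + "commons-collections-3.2.2.jar": _zip({MARKER: b""})})
    return list(scan(war, "app.war"))
```

For a real deployment, read the archive from disk and pass its bytes and file name to `scan`.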




