commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joël Traber <>
Subject [configuration] is common-configuration affected by COLLECTIONS-580
Date Tue, 17 Nov 2015 17:01:18 GMT
Hi guys,

I am running an application working with commons-configuration version 1.6
I just noticed a bug in commons-collection.(

As the older versions (will be changed in 2.0) of commons-configuration are having a runtime
dependency to commons-collections I am wondering if they are potentially affected by this
bug as well?
Commons-configuration version 1.6 uses commons-collections 3.2.1. which still contains the
bug. (From 3.2.2. they disabled the classes by default
The documentation says only ConfigurationConverter has a dependency to commons-collections
(org.apache.commons.collections.ExtendedProperties;). I bet that affected classes by the bug
are never referenced and do not run. That looks to me pretty much that using commons-configuration
1.6 is safe, not recommended but safe. Even more because it is not using any Serialization
support from commons-collections.

Can somebody confirm this?

Many thanks

View raw message