commons-user mailing list archives

From Benedikt Ritter <brit...@apache.org>
Subject Re: [configuration] is common-configuration affected by COLLECTIONS-580
Date Tue, 17 Nov 2015 17:07:32 GMT
Hello Joel,

2015-11-17 18:01 GMT+01:00 Joël Traber <joel.traber@stabilit.ch>:

> Hi guys,
>
> I am running an application working with commons-configuration version 1.6
> I just noticed a bug in commons-collections (
> http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results
> ).
>
> As the older versions (will be changed in 2.0) of commons-configuration
> are having a runtime dependency to commons-collections I am wondering if
> they are potentially affected by this bug as well?
> Commons-configuration version 1.6 uses commons-collections 3.2.1, which
> still contains the bug (from 3.2.2 they disabled the classes by default).
> The documentation says only ConfigurationConverter has a dependency on
> commons-collections (org.apache.commons.collections.ExtendedProperties). I
> bet that the classes affected by the bug are never referenced and do not run.
> It looks to me pretty much like using commons-configuration 1.6 is safe,
> not recommended but safe, even more so because it is not using any
> serialization support from commons-collections.
>
> Can somebody confirm this?
>

commons-collections 3.2.2 is a drop-in replacement for 3.2.1. You can just
upgrade and everything will be fine. However, I recommend reading [1]. It's a
blog post I've written to show that most applications are probably not
affected by said vulnerability (which, by the way, is not a problem in
commons-collections but in the application using deserialization in an unsafe way).

HTH,
Benedikt

[1] https://blog.codecentric.de/en/2015/11/comment-on-the-so-called-security-vulnerability-in-apache-commons-collections/


> Many thanks
> joël



-- 
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
