creadur-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Philipp Ottlinger (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (RAT-213) Upgrade Apache Commons Collections to v3.2.2
Date Sun, 13 Mar 2016 19:22:33 GMT

     [ https://issues.apache.org/jira/browse/RAT-213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Philipp Ottlinger closed RAT-213.
---------------------------------

> Upgrade Apache Commons Collections to v3.2.2
> --------------------------------------------
>
>                 Key: RAT-213
>                 URL: https://issues.apache.org/jira/browse/RAT-213
>             Project: Apache Rat
>          Issue Type: Improvement
>    Affects Versions: 0.11
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>             Fix For: 0.12
>
>
> Upgrade as requested with the Git PR.
> Thanks to https://github.com/gmlewis Glenn Lewis
> h3. Context
> Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of
> vulnerability that exists. By merely existing on the classpath, this
> library causes the Java serialization parser for the entire JVM process
> to go from being a state machine to a turing machine. A turing machine
> with an exec() function!
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
> https://commons.apache.org/proper/commons-collections/security-reports.html
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message