jackrabbit-dev mailing list archives

From Tobias Bocanegra <tri...@apache.org>
Subject Re: [VOTE] Release Apache Jackrabbit Filevault 3.1.36
Date Fri, 10 Mar 2017 14:34:47 GMT
Hi Julian,
the references to the "unstable" versions are unfortunate, but they don't
have an impact on the operation.
also, all the tests pass so far. the only user of commons-collections is
vault-cli, and I don't think that this is vulnerable to the serialization
vulnerability.
oak is not included at all, only parts of jackrabbit-2.13.7 in the command
line client for the davex interoperability.
here's the list of bundled libraries in vault-cli:

commons-cli-2.0-mahout.jar
commons-codec-1.10.jar
commons-collections-3.2.1.jar
commons-io-2.4.jar
commons-jci-fam-1.0.jar
commons-logging-1.0.3.jar
commons-logging-api-1.1.jar
diffutils-1.2.1.jar
guava-15.0.jar
httpclient-4.5.2.jar
httpcore-4.4.4.jar
httpmime-4.5.2.jar
jackrabbit-api-2.13.7.jar
jackrabbit-jcr-client-2.13.7.jar
jackrabbit-jcr-commons-2.13.7.jar
jackrabbit-jcr2spi-2.13.7.jar
jackrabbit-spi-2.13.7.jar
jackrabbit-spi-commons-2.13.7.jar
jackrabbit-spi2dav-2.13.7.jar
jackrabbit-webdav-2.13.7.jar
jcl-over-slf4j-1.5.8.jar
jcr-2.0.jar
jline-0.9.94.jar
log4j-1.2.12.jar
org.apache.sling.commons.osgi-2.0.6.jar
org.apache.sling.jcr.api-2.0.6.jar
slf4j-api-1.5.8.jar
slf4j-log4j12-1.5.8.jar

however, if you think this is really a no-go,
please indicate which versions you would use, and I will update them for
the next release, if the vote fails.

thanks.
regards, toby

btw: there should be a mechanism to mark libraries as invalid/revoked so
that they can't be referenced by other projects.

On Fri, Mar 10, 2017 at 8:08 PM, Julian Reschke <julian.reschke@gmx.de>
wrote:

> On 2017-03-10 07:39, Julian Reschke wrote:
>
>> On 2017-03-10 04:05, Tobias Bocanegra wrote:
>>
>>> ...
>>>
>>
>> [X] -1 Do not release this package because...
>>
>> ...it references unstable releases of Jackrabbit and Oak.
>>
>
> ...it also uses commons-collections 3.2.1... (<https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-32731/version_id-187982/Apache-Commons-Collections-3.2.1.html>).
> Should be 3.2.2.
>
> Best regards, Julian
>
>
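The two objections in this thread (a bundled library below a known-fixed version, and references to unstable Jackrabbit releases) are exactly the kind of thing a release check can catch before a vote. The script below is an added example and is not code from the Jackrabbit Filevault project. It parses the vault-cli jar list quoted above and reports violations of a small policy table. The only policy entry taken from the thread is commons-collections >= 3.2.2; the rule that an odd minor version of a jackrabbit-* artifact is unstable is the Jackrabbit 2.x release convention applied here as an assumed policy choice, and the table itself is an assumption.

```python
"""Audit a list of bundled jar filenames against a minimum-version policy.

Added example, not code from the Jackrabbit Filevault project. The jar
names are the vault-cli bundle listed in the message above; the policy
tables are assumptions: only the commons-collections >= 3.2.2 requirement
comes from the thread, and the odd-minor-version-is-unstable rule is the
Jackrabbit 2.x release convention applied here as a policy choice.
"""
import re

# vault-cli bundle as listed in the message (input constructed from the thread).
BUNDLED_JARS = """
commons-cli-2.0-mahout.jar
commons-codec-1.10.jar
commons-collections-3.2.1.jar
commons-io-2.4.jar
commons-jci-fam-1.0.jar
commons-logging-1.0.3.jar
commons-logging-api-1.1.jar
diffutils-1.2.1.jar
guava-15.0.jar
httpclient-4.5.2.jar
httpcore-4.4.4.jar
httpmime-4.5.2.jar
jackrabbit-api-2.13.7.jar
jackrabbit-jcr-client-2.13.7.jar
jackrabbit-jcr-commons-2.13.7.jar
jackrabbit-jcr2spi-2.13.7.jar
jackrabbit-spi-2.13.7.jar
jackrabbit-spi-commons-2.13.7.jar
jackrabbit-spi2dav-2.13.7.jar
jackrabbit-webdav-2.13.7.jar
jcl-over-slf4j-1.5.8.jar
jcr-2.0.jar
jline-0.9.94.jar
log4j-1.2.12.jar
org.apache.sling.commons.osgi-2.0.6.jar
org.apache.sling.jcr.api-2.0.6.jar
slf4j-api-1.5.8.jar
slf4j-log4j12-1.5.8.jar
""".split()

# artifact -> minimum acceptable version (assumed policy table; the
# commons-collections entry is the fix requested in the thread).
MIN_VERSIONS = {"commons-collections": "3.2.2"}

# Artifact prefixes whose odd minor versions denote unstable releases
# (assumed policy; Jackrabbit 2.x uses even minors for stable releases).
UNSTABLE_ODD_MINOR_PREFIXES = ("jackrabbit-",)

# "<artifact>-<version>.jar": the artifact may itself contain dashes, so the
# version is anchored on the first dash that is followed by a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar(name):
    """Split 'commons-cli-2.0-mahout.jar' into ('commons-cli', '2.0-mahout')."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Numeric tuple for comparison; a qualifier such as '-mahout' is ignored."""
    parts = version.split("-")[0].split(".")
    nums = tuple(int(p) for p in parts if p.isdigit())
    return nums + (0,) * (4 - len(nums))  # pad so that 3.2 == 3.2.0.0


def audit(jar_names, min_versions=MIN_VERSIONS,
          unstable_prefixes=UNSTABLE_ODD_MINOR_PREFIXES):
    """Return (jar, reason) findings; an empty list means the bundle passes."""
    findings = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            findings.append((name, "unparseable filename"))
            continue
        artifact, version = parsed
        key = version_key(version)
        required = min_versions.get(artifact)
        if required and key < version_key(required):
            findings.append((name, f"outdated: {artifact} {version} < {required}"))
        if artifact.startswith(unstable_prefixes) and key[1] % 2 == 1:
            findings.append((name, f"unstable: {artifact} {version} has odd minor"))
    return findings


if __name__ == "__main__":
    for jar, reason in audit(BUNDLED_JARS):
        print(f"{jar}: {reason}")
```

Run against the list above, it reports commons-collections-3.2.1.jar as outdated and the eight jackrabbit-*-2.13.7.jar bundles as unstable, which is the same pair of findings raised in the vote. The policy tables are deliberately the only place with project-specific knowledge, so extending the check to further artifacts means adding rows, not code.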
