manifoldcf-dev mailing list archives

From "Markus Schuch (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CONNECTORS-1565) Upgrade commons-collections to 3.2.2 (CVE-2015-6420)
Date Tue, 08 Jan 2019 07:56:00 GMT

    [ https://issues.apache.org/jira/browse/CONNECTORS-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16736848#comment-16736848 ]

Markus Schuch commented on CONNECTORS-1565:
-------------------------------------------

Thanks for your analysis, Karl.

I still vote to proceed with the update, because security scanners will always report the
known issue to us. The version step is minor and the release notes state that 3.2.2 is fully
compatible with other 3.2 versions.

It also seems not to be widely used in our project: [https://github.com/apache/manifoldcf/search?q=%22org.apache.commons.collections%22&unscoped_q=%22org.apache.commons.collections%22]

What do you think? Should I proceed with the update or close this ticket?

> Upgrade commons-collections to 3.2.2 (CVE-2015-6420)
> ----------------------------------------------------
>
>                 Key: CONNECTORS-1565
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1565
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: Framework core
>    Affects Versions: ManifoldCF 2.12
>            Reporter: Markus Schuch
>            Assignee: Markus Schuch
>            Priority: Critical
>             Fix For: ManifoldCF next
>
>
> We should upgrade commons-collections to 3.2.2 due to a known security issue with 3.2.1
> https://commons.apache.org/proper/commons-collections/security-reports.html
> Further reading:
> [http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-andyour-application-have-in-common-this-vulnerability/]
> [https://www.cvedetails.com/cve/CVE-2015-6420/]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
