Posted to dev@velocity.apache.org by "Mark Symons (JIRA)" <ji...@apache.org> on 2015/11/30 17:54:11 UTC

[jira] [Comment Edited] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

    [ https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15032067#comment-15032067 ] 

Mark Symons edited comment on VELOCITY-869 at 11/30/15 4:54 PM:
----------------------------------------------------------------

Linked to VELTOOLS-169, as Velocity Tools pulls in Velocity as a compile dependency.

I am delighted to read here that Velocity was not actually at risk but did arrive at this issue from the starting point of performing a security audit.  I totally agree with the previous comments that it can be very hard to work with automatically generated reports and then have to annotate umpteen items to explain why they do not matter.

{quote}
it's easiest to just do the upgrade
{quote}

Yup!


was (Author: marks):
Linked to VELTOOLS-169, as Velocity Tools pulls in Velocity as a compile dependency.

I am delighted to read here that Velocity was not actually at risk but did arrive at this issue from the starting point of performing a security audit.  I totally agree with the previous comments that it can be very hard to work with automatically generated reports and then have to annotate umpteen items to explain why they do not matter.

{{quote}}
it's easiest to just do the upgrade
{{quote}}

Yup!

> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
>                 Key: VELOCITY-869
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-869
>             Project: Velocity
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.7
>            Reporter: Ryan Blue
>            Assignee: Sergiu Dumitriu
>             Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad version. Thanks!
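As an added example, not code from this thread or from the Velocity project, here is a small Python check in the spirit of the audit the thread describes: it parses `mvn dependency:tree` output (a constructed sample below; the tree is illustrative, not Velocity's real dependency graph) and reports which direct dependency pulls in a commons-collections version older than the fixed 3.2.2 release, so an automated finding can be annotated with the actual path rather than just the artifact name.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output. The dependency paths are
# illustrative only; they are not the actual Velocity or avro-ipc trees.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |  \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- org.apache.avro:avro-ipc:jar:1.7.7:compile
[INFO] |  \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \\- commons-lang:commons-lang:jar:2.4:compile
"""

# First release carrying the COLLECTIONS-580 fix, as stated in the issue text.
FIXED_VERSION = (3, 2, 2)

# Matches the tree-drawing prefix and the group:artifact:type:version[:scope]
# coordinate that Maven prints on each line.
ARTIFACT_RE = re.compile(
    r"^\[INFO\]\s*(?P<prefix>[|+\\ -]*)"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+)"
    r":(?P<version>[\w.-]+)(?::(?P<scope>\w+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.2.1' into (3, 2, 1); non-numeric parts become 0 so ordering still works."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def find_vulnerable(tree_text: str) -> List[Tuple[str, str]]:
    """Return (parent coordinate, version) pairs for commons-collections below FIXED_VERSION."""
    findings: List[Tuple[str, str]] = []
    stack: List[Tuple[int, str]] = []  # (depth, coordinate) of the enclosing nodes
    for line in tree_text.splitlines():
        m = ARTIFACT_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # each tree level is 3 characters wide
        coord = f'{m.group("group")}:{m.group("artifact")}:{m.group("version")}'
        while stack and stack[-1][0] >= depth:  # climb back up to this node's parent
            stack.pop()
        parent = stack[-1][1] if stack else "<root>"
        stack.append((depth, coord))
        is_cc = m.group("group") == "commons-collections" and m.group("artifact") == "commons-collections"
        if is_cc and parse_version(m.group("version")) < FIXED_VERSION:
            findings.append((parent, m.group("version")))
    return findings


if __name__ == "__main__":
    for parent, version in find_vulnerable(SAMPLE_TREE):
        print(f"commons-collections {version} pulled in via {parent}")
```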


