Posted to dev@commons.apache.org by Thomas Neidhart <th...@gmail.com> on 2015/11/12 20:38:01 UTC
[CANCEL][VOTE] Release Commons Collections 3.2.2 Based on RC2
On 11/11/2015 05:27 PM, Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> Java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked around in the 4.X branch but are not
> back-ported to this release.
>
> * Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense
> that also the serialization of an unsafe class is disabled by
> default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
> classes. It is now
> "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
> knowledge) have to be considered unsafe cannot be serialized/
> de-serialized any more by default. This includes the following
> classes:
>
> ** CloneTransformer
> ** PrototypeFactory (inner classes
> PrototypeCloneFactory and
> PrototypeSerializationFactory)
> ** InstantiateFactory
> ** InstantiateTransformer
> ** ForClosure
> ** WhileClosure
> ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC2 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/
> (svn revision 11147)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
> (svn revision 1713883)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC1 did not
> show any functional problems with the release, I plan to close this vote
> in 24 hours from now, i.e. after 1800 GMT 12-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
The vote is cancelled to fix the test errors on some Java versions.
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
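Added example, not code from the Commons Collections project or from the vote mail above: a filtering ObjectInputStream that rejects the eight functor class names listed in the mail at the stream boundary, which is where an application that cannot yet deploy the 3.2.2 jar would put the same check. It needs only a stand-alone JDK (no commons-collections jar on the classpath); the "forged" stream is produced by rewriting the class name inside a harmless serialized marker object and is a constructed input, not a gadget chain. The class and method names are this example's own.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

/**
 * Added example (not Commons Collections code). The check runs in resolveClass(),
 * i.e. on the class descriptor read from the stream, before the named class is
 * loaded and before any readObject() logic of the payload can execute.
 */
public class FunctorRejectingObjectInputStream extends ObjectInputStream {

    private static final String PKG = "org.apache.commons.collections.functors.";

    // The functor classes the 3.2.2 vote mail lists as disabled by default.
    // Inner classes are spelled the way they appear in a stream ('$' form).
    static final Set<String> UNSAFE = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            PKG + "CloneTransformer",
            PKG + "PrototypeFactory$PrototypeCloneFactory",
            PKG + "PrototypeFactory$PrototypeSerializationFactory",
            PKG + "InstantiateFactory",
            PKG + "InstantiateTransformer",
            PKG + "ForClosure",
            PKG + "WhileClosure",
            PKG + "InvokerTransformer")));

    public FunctorRejectingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (UNSAFE.contains(name)) {
            // InvalidClassException is an IOException: it aborts readObject() immediately,
            // unlike a ClassNotFoundException, which ObjectInputStream defers.
            throw new InvalidClassException(name,
                    "deserialization of this class is disabled for security reasons");
        }
        return super.resolveClass(desc);
    }

    // ---- demo plumbing; nothing below depends on commons-collections ----

    /** Harmless type used to obtain a valid stream to tamper with. */
    static final class Marker implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    /**
     * Rewrites the class name in the TC_CLASSDESC record: a 2-byte big-endian
     * length followed by the (modified) UTF-8 name. This stands in for the part
     * of the stream an attacker controls; it is a constructed input, not an exploit.
     */
    static byte[] renameClass(byte[] stream, String from, String to) {
        byte[] f = from.getBytes(StandardCharsets.UTF_8);
        byte[] t = to.getBytes(StandardCharsets.UTF_8);
        int idx = indexOf(stream, f);
        if (idx < 2) {
            throw new IllegalArgumentException("class name not found in stream");
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(stream, 0, idx - 2);                 // bytes before the length prefix
        out.write((t.length >>> 8) & 0xFF);            // new 2-byte length
        out.write(t.length & 0xFF);
        out.write(t, 0, t.length);                     // new class name
        out.write(stream, idx + f.length, stream.length - idx - f.length);
        return out.toByteArray();
    }

    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Marker());
        try (ObjectInputStream in = new FunctorRejectingObjectInputStream(new ByteArrayInputStream(benign))) {
            System.out.println("benign stream accepted: " + in.readObject().getClass().getSimpleName());
        }

        byte[] forged = renameClass(benign, Marker.class.getName(), PKG + "InvokerTransformer");
        try (ObjectInputStream in = new FunctorRejectingObjectInputStream(new ByteArrayInputStream(forged))) {
            in.readObject();
            System.out.println("BUG: forged stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FunctorRejectingObjectInputStream.java && java FunctorRejectingObjectInputStream`; the second stream is rejected with the InvokerTransformer class name in the message. Two caveats a practitioner should keep in mind: the mail itself says the list is "based on current knowledge", so a denylist like this one only covers gadgets already identified, and an allowlist of the types the application actually expects to read is the stronger check; and on JDK 9 and later the standard hook for the same purpose is java.io.ObjectInputFilter rather than a resolveClass() override.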