Posted to dev@commons.apache.org by Thomas Neidhart <th...@gmail.com> on 2015/11/11 13:19:59 UTC

[CANCEL][VOTE] Release Commons Collections 3.2.2 Based on RC1

On 11/09/2015 11:37 PM, Thomas Neidhart wrote:
> Hi all,
> 
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC1.
> 
> I would kindly ask people to review the RC especially wrt the following
> topics:
> 
>  * OSGI compatibility
>  * reproducing the exploits and verifying that it provides protection
>  * any kind of regression that this release might create with existing
> applications
> 
> Notes:
> 
>  * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
> 
>  * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked around in the 4.X branch but are not
> back-ported to this release.
> 
> 
> Collections 3.2.2 RC1 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/collections/
>     (svn revision 11092)
> 
> Maven artifacts are here:
> 
> https://repository.apache.org/content/repositories/orgapachecommons-1115/commons-collections/commons-collections/3.2.2/
> 
> Details of changes since 3.2.1 are in the release notes:
> 
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> 
> http://people.apache.org/builds/commons/collections/3.2.2/RC1/changes-report.html
> 
> The tag is here:
> 
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC1
>     (svn revision 1713561)
> 
> Site:
>     http://people.apache.org/builds/commons/collections/3.2.2/RC1/
> 
> Clirr Report (compared to 3.2.1):
> 
> http://people.apache.org/builds/commons/collections/3.2.2/RC1/clirr-report.html
> 
> RAT Report:
> 
> http://people.apache.org/builds/commons/collections/3.2.2/RC1/rat-report.html
> 
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
> 
> Please review the release candidate and vote.
> 
> This vote will close no sooner than 72 hours from now, i.e. after 2300
> GMT 12-November 2015
> 
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...

Hi,

after careful consideration, I decided to cancel this vote to apply the
fix for InvokerTransformer to all classes in the functor package that
are serializable and use reflection.

Additionally, the fix will be applied in a symmetric way, i.e.
serialization of an unsafe class will be blocked as well.

Thomas
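The mail describes the shape of the fix without showing it: a check in the serializable, reflection-based functor classes that refuses to deserialize them unless explicitly enabled, and, after this cancellation, the same check on the serialization side so that the guard is symmetric. The following is an added illustration of that pattern and is not Commons Collections code. `ReflectiveInvoker`, `checkUnsafeSerialization`, `AllowListInputStream` and the opt-in property name `example.enableUnsafeSerialization` are all placeholders chosen for this example; the real property and class names are not given on this page. The third step shows a consumer-side allow-list `ObjectInputStream`, which is independent of whatever the library itself does and is the check an application should have anyway.

```java
import java.io.*;
import java.util.Set;

// Added illustration, not Commons Collections code: a serializable
// reflection-based functor guarded on both the write and the read side.
public class UnsafeFunctorGuardDemo {

    // Hypothetical opt-in switch (placeholder name; the real property is not on this page).
    static final String ENABLE_PROPERTY = "example.enableUnsafeSerialization";

    // Shared guard: throws unless the operator has explicitly opted in.
    static void checkUnsafeSerialization(Class<?> clazz) {
        if (!Boolean.getBoolean(ENABLE_PROPERTY)) {
            throw new UnsupportedOperationException(
                "Serialization support for " + clazz.getName()
                + " is disabled for security reasons. Set system property '"
                + ENABLE_PROPERTY + "' to 'true' only if you understand the risk.");
        }
    }

    // Stand-in for a functor that invokes a method by name via reflection.
    static final class ReflectiveInvoker implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String methodName;

        ReflectiveInvoker(String methodName) { this.methodName = methodName; }

        // Symmetric guard: refuse to write the instance out...
        private void writeObject(ObjectOutputStream os) throws IOException {
            checkUnsafeSerialization(getClass());
            os.defaultWriteObject();
        }

        // ...and refuse to read it back in.
        private void readObject(ObjectInputStream is) throws IOException, ClassNotFoundException {
            checkUnsafeSerialization(getClass());
            is.defaultReadObject();
        }
    }

    // Defense in depth on the consuming side: only resolve allow-listed classes.
    static final class AllowListInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                    "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // 1. With the switch off, writing the functor is refused.
        try {
            serialize(new ReflectiveInvoker("toString"));
            System.out.println("unexpected: serialization succeeded");
        } catch (UnsupportedOperationException e) {
            System.out.println("write blocked: " + e.getMessage());
        }

        // 2. A stream produced elsewhere (here: with the switch on) is refused on read.
        System.setProperty(ENABLE_PROPERTY, "true");
        byte[] bytes = serialize(new ReflectiveInvoker("toString"));
        System.setProperty(ENABLE_PROPERTY, "false");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
            System.out.println("unexpected: deserialization succeeded");
        } catch (UnsupportedOperationException e) {
            System.out.println("read blocked: " + e.getMessage());
        }

        // 3. Independently of the library, an allow-list stream rejects the class outright.
        try (ObjectInputStream ois = new AllowListInputStream(
                new ByteArrayInputStream(bytes), Set.of("java.lang.String"))) {
            ois.readObject();
            System.out.println("unexpected: allow-list let the class through");
        } catch (InvalidClassException e) {
            System.out.println("allow-list rejected: " + e.getMessage());
        }
    }
}
```

The guard lives in the class's own `writeObject`/`readObject` hooks, so it fires for every instance regardless of which stream created or consumes it; `ObjectInputStream` and `ObjectOutputStream` rethrow a `RuntimeException` thrown from those hooks unchanged, which is why the demo can catch `UnsupportedOperationException` directly. Step 3 is the check to keep even after upgrading the library: a consumer that only resolves the classes it expects does not depend on every gadget class shipping its own guard.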
