Posted to dev@velocity.apache.org by "Brian Martin (JIRA)" <ji...@apache.org> on 2015/11/20 19:33:10 UTC

[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

    [ https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018476#comment-15018476 ] 

Brian Martin commented on VELOCITY-869:
---------------------------------------


Please note that Commons Collections is designed to deserialize code. The "fix" is to add an option to disable that, which each implementing software needs to consider. Further, just having Commons Collections in your software does not necessarily mean you are, or are not, vulnerable. Each application must assess whether it allows users to send code to be deserialized by that library (its intended function), and whether or not that crosses privilege boundaries.

So just upgrading to 3.2.2 doesn't mean you are necessarily fixing a vuln, and the presence of that software doesn't necessarily mean you were vulnerable in the first place. =)

> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
>                 Key: VELOCITY-869
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-869
>             Project: Velocity
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.7
>            Reporter: Ryan Blue
>            Assignee: Sergiu Dumitriu
>             Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 3.2.2, will keep downstream libraries (like avro-ipc) from pulling in the bad version. Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org