Posted to dev@velocity.apache.org by "Mark Symons (JIRA)" <ji...@apache.org> on 2016/11/02 17:30:59 UTC

[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

    [ https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15629734#comment-15629734 ] 

Mark Symons commented on VELOCITY-869:
--------------------------------------

No matter how straightforward it may be to tweak the transitive dependency, there is an aversion by some to doing this rather than getting an updated version of Velocity that includes the fix outright.  

This issue was resolved a year ago and still has not been released.

Would it not be possible to actually get this pushed out the door? 

I see that v1.x has only 1 outstanding planned issue (out of 8). 

VELOCITY-862:  Applied to 1.x branch and Resolved...  and then "Reopening at Nathan's suggestion that we may want to apply this to 2.x"

Velocity 2.x also has only 1 outstanding planned issue (out of 118):

VELOCITY-876

Both VELOCITY-862 and VELOCITY-876 are improvements, not defects.

There is another reason to release Velocity...  v1.7 is now giving alerts in scanning software due to age...  "architectural age" policy in Sonatype Nexus IQ and (from memory) "Operational Risk" in Black Duck Hub.  Such alerts are more than enough on their own to cause some managers to issue instructions to remove Velocity entirely.

All the above for Velocity also applies to Velocity Tools.

Perhaps connected to all of the above...  does this JIRA project still have an active project lead?  Will Glass-Husain's last activity stream entry is from 2014. 

> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
>                 Key: VELOCITY-869
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-869
>             Project: Velocity
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.7
>            Reporter: Ryan Blue
>            Assignee: Sergiu Dumitriu
>             Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad version. Thanks!
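As an added illustration of the workaround the comment refers to as "tweaking the transitive dependency" (this is not code from the Velocity project or from the issue itself), the following consumer pom.xml keeps velocity 1.7 but forces the patched commons-collections 3.2.2 named in the issue onto the classpath via dependencyManagement. The consumer coordinates (com.example:velocity-consumer) are placeholders; the velocity and commons-collections coordinates are the real Maven Central ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the Velocity project's own pom): pin the transitive
     commons-collections dependency pulled in by velocity 1.7 to the fixed
     3.2.2 release. The artifact coordinates below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>velocity-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Any transitive commons-collections, from velocity or from any other
           library (the issue mentions avro-ipc), resolves to 3.2.2. -->
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged: the unreleased fix means 1.7 still declares 3.2.1 itself. -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity</artifactId>
      <version>1.7</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=commons-collections` in the consuming project and check that only `commons-collections:commons-collections:jar:3.2.2` appears; a remaining 3.2.1 entry means another dependency path is not covered by the managed version (for example, a BOM imported later that re-pins it).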



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
