Posted to dev@velocity.apache.org by "Peter Janssen (JIRA)" <ji...@apache.org> on 2018/06/22 08:39:01 UTC

[jira] [Comment Edited] (VELOCITY-853) Upgrade dependency to commons-collections4

    [ https://issues.apache.org/jira/browse/VELOCITY-853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16520120#comment-16520120 ] 

Peter Janssen edited comment on VELOCITY-853 at 6/22/18 8:38 AM:
-----------------------------------------------------------------

commons-collections contains the following CVEs:

  
||CVE||description||severity||package||
|[CVE-2017-15708\|https://nvd.nist.gov/vuln/detail/CVE-2017-15708]|CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')|High (7.5)|commons-collections-3.2.1.jar|
|[CVE-2015-6420\|https://nvd.nist.gov/vuln/detail/CVE-2015-6420]|CWE-502 Deserialization of Untrusted Data|High (7.5)|commons-collections-3.2.1.jar|

 
  


was (Author: peter.janssen):
commons-collections contains the following CVEs:

  
||CVE||description||severity||package||
|CVE-2017-15708|CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')|High (7.5)|commons-collections-3.2.1.jar|
|CVE-2015-6420|CWE-502 Deserialization of Untrusted Data|High (7.5)|commons-collections-3.2.1.jar|
 
 

> Upgrade dependency to commons-collections4
> ------------------------------------------
>
>                 Key: VELOCITY-853
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-853
>             Project: Velocity
>          Issue Type: Wish
>          Components: Engine
>    Affects Versions: 1.7.x, 1.7
>            Reporter: Ilia Sretenskii
>            Priority: Major
>             Fix For: 1.7.x
>
>
> *org.apache.velocity:velocity:1.7* depends on *commons-collections:commons-collections:3.2.1*
> https://github.com/apache/velocity-engine/blob/1.7/pom.xml
> *org.apache.velocity:velocity:1.7.x* depends on *commons-collections:commons-collections:3.2.1* also
> https://github.com/apache/velocity-engine/blob/1.7.x/pom.xml
> Please upgrade dependency to *org.apache.commons:commons-collections4:4.0*
> That will allow using generics in collections classes.


