You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by "Kapoor, Deepesh" <De...@spe.sony.com> on 2015/11/10 09:05:03 UTC
Deserialization vulnerability in Apache Commons Collection
Hi Team,
This is regarding "commons-collections Java library". In our applications we are widely using this library and hence looking to urgently patch the fix for vulnerability issue if it is available.
Searching on internet we found one patch released on Sunday 08th Nov http://svn.apache.org/viewvc?view=revision&revision=1713307
Just wanted to check with you if there is any updated / complied version of commons-collections jar available or going to be released soon which we can directly replace with our existing jar file that provides the fix for the vulnerability issue.
Thanks in advance!
Thanks & Regards,
Deepesh
Re: Deserialization vulnerability in Apache Commons Collection
Posted by Timo <Ma...@gmx.de>.
Hi Deepesh,
there is an ongoing vote to release commons-collections 3.2.2, which
by default prevents InvokerTransformer from being deserialized. You
can find the release notes here:
https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
For further information, please take a look at the ASF blog:
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
Timo
2015-11-10 9:05 GMT+01:00 Kapoor, Deepesh <De...@spe.sony.com>:
> Hi Team,
>
> This is regarding "commons-collections Java library". In our applications we are widely using this library and hence looking to urgently patch the fix for vulnerability issue if it is available.
> Searching on internet we found one patch released on Sunday 08th Nov http://svn.apache.org/viewvc?view=revision&revision=1713307
>
> Just wanted to check with you if there is any updated / complied version of commons-collections jar available or going to be released soon which we can directly replace with our existing jar file that provides the fix for the vulnerability issue.
>
> Thanks in advance!
>
>
> Thanks & Regards,
> Deepesh
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org