Posted to commits@commons.apache.org by oh...@apache.org on 2014/05/25 19:12:36 UTC

svn commit: r1597449 - /commons/proper/beanutils/trunk/RELEASE-NOTES.txt

Author: oheger
Date: Sun May 25 17:12:35 2014
New Revision: 1597449

URL: http://svn.apache.org/r1597449
Log:
Updated release notes for version 1.9.2.

Modified:
    commons/proper/beanutils/trunk/RELEASE-NOTES.txt

Modified: commons/proper/beanutils/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/RELEASE-NOTES.txt?rev=1597449&r1=1597448&r2=1597449&view=diff
==============================================================================
--- commons/proper/beanutils/trunk/RELEASE-NOTES.txt (original)
+++ commons/proper/beanutils/trunk/RELEASE-NOTES.txt Sun May 25 17:12:35 2014
@@ -17,7 +17,7 @@ $Id$
 
 
                           Commons BeanUtils Package
-                               Version 1.9.1
+                               Version 1.9.2
                                Release Notes
 
 INTRODUCTION:
@@ -29,6 +29,42 @@ BeanUtils package, and highlights change
 For more information on Commons BeanUtils, see
 o http://commons.apache.org/beanutils/
 
+Release 1.9.2 mainly addresses a potential security issue when accessing
+properties in an uncontrolled way. In a nutshell, if an application that uses
+Commons BeanUtils passes property paths from an external source directly to
+the getProperty() method of BeanUtilsBean, an attacker can access the class
+loader via the class property available on all Java objects.
+
+In version 1.9.2 now a special BeanIntrospector class was added which allows
+suppressing this property. Note that this BeanIntrospector is NOT enabled by
+default! Commons BeanUtils is a low-level library, and on this layer it cannot
+be decided whether access to a certain property is legal or not. Therefore,
+an application has to activate this suppressing BeanIntrospector explicitly.
+This can be done with the following lines of code:
+
+BeanUtilsBean bub = new BeanUtilsBean();
+bub.getPropertyUtils().addBeanIntrospector(
+    SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+
+Now all access to properties has to be done via the specially configured
+BeanUtilsBean instance. More information about this issue can be found at
+https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the
+user's guide.
+
+BUGFIXES in version 1.9.2
+=========================
+* [BEANUTILS-458]
+  BaseLocaleConverter.checkConversionResult() no longer throws a
+  ConversionException if the result of a conversion is null.
+
+New features in version 1.9.2
+=============================
+* [BEANUTILS-463]
+  Added new SuppressPropertiesBeanIntrospector class to deal with a potential
+  class loader vulnerability.
+
+                        Release Notes for version 1.9.0
+
 Release 1.9.1 is a bug fix release which addresses a problem with the new
 feature of custom introspection introduced with release 1.9.0. It is fully
 binary compatible with the previous release. The minimum required Java version
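Review bot: the new heading "Release Notes for version 1.9.0", inserted directly above the existing "Release 1.9.1 is a bug fix release ..." paragraph, names the wrong version; the paragraph it introduces describes 1.9.1, so the heading should read "Release Notes for version 1.9.1". Two smaller points on the same hunk: "In version 1.9.2 now a special BeanIntrospector class was added" reads awkwardly and could be "Version 1.9.2 adds a special BeanIntrospector class"; and since the text only says that "all access to properties has to be done via the specially configured BeanUtilsBean instance", it would help to state explicitly that the default instance and the static convenience methods remain unprotected by the snippet, because that is where applications passing external property paths to getProperty() are most likely to miss the change.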