You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@taverna.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/03/10 11:50:40 UTC

[jira] [Commented] (TAVERNA-934) Security fix: Upgrade Commons Collections

    [ https://issues.apache.org/jira/browse/TAVERNA-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15189081#comment-15189081 ] 

ASF GitHub Bot commented on TAVERNA-934:
----------------------------------------

Github user stain commented on the pull request:

    https://github.com/apache/incubator-taverna-server/pull/1#issuecomment-194788068
  
    Well spotted! Thank you for the pull request, @gmlewis! I've raised it as https://issues.apache.org/jira/browse/TAVERNA-934 as I think we need to upgrade across the board in the super-pom (and change this reference to ${commons.collection.version}.
    
    Thanks for your effort in fixing this across the Java library ecosystem!
    
    My related [security update to Beanshell](https://github.com/beanshell/beanshell#2016-02-18-security-update) has just made its way into Debian and Ubuntu - so this is another one we'll need to update in Taverna and elsewhere (Open Office, various servlet thingies).


> Security fix: Upgrade Commons Collections
> -----------------------------------------
>
>                 Key: TAVERNA-934
>                 URL: https://issues.apache.org/jira/browse/TAVERNA-934
>             Project: Apache Taverna
>          Issue Type: Bug
>          Components: Taverna Language, Taverna Maven Parent, Taverna Server
>            Reporter: Stian Soiland-Reyes
>            Priority: Critical
>              Labels: security
>
> As raised by Glenn Lewis in 
> https://github.com/apache/incubator-taverna-server/pull/1
> we use a Commons Collections 3.2.1 which has a CVSS 10.0 remote code execution vulnerability.
> This affects anyone who has Commons Collection on the classpath - basically through Maven dependencies at would mean also anyone who has the Taverna SCUFL2 API on the classpath.
> This does not affect just Taverna Server - but also indirectly as Commons Collection is also a transitive dependency, e.g. from commons-beanutils:
> {code}
> [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:test
> [INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
> [INFO] |  \- commons-collections:commons-collections:jar:3.2.1:test
> {code}
> Thus we should update taverna-maven-parent - perhaps to have a <dependencyManagement> section - to force a newer version of commons-collections across the board.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)