Posted to dev@commons.apache.org by Thomas Neidhart <th...@gmail.com> on 2015/11/13 00:31:27 UTC
[VOTE] Release Commons Collections 3.2.2 Based on RC3
Hi all,
in order to provide a work-around for the known remote code exploit via
Java de-serialization of malicious InvokerTransformer instances, I would
like to start a vote to release Commons Collections 3.2.2 based on RC3.
Notes:
* the site will not be published, it just serves as a reference to
access the various reports. After a successful vote, the current 4.X
branch site will be updated with relevant information and published.
* some tests might fail with various IBM JDK 6 JREs, these are known
issues and have been worked-around in the 4.X branch but are not
back-ported to this release.
* Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
with a newly introduced default method in the Map interface.
* the collections-testframework.jar that has been published in previous
versions is not included in this release
Changes from RC2:
* fixed false positives in RAT report
* fixed test execution and compilation problems with JDK 1.4 and 1.5
Changes from RC1:
* fixed RAT report
* fixed NOTICE file
* improve the security fix: it has been made symmetric in the sense
that also the serialization of an unsafe class is disabled by
default and will result in an exception
* changed the system property to re-enable serialization of unsafe
classes. It is now
"org.apache.commons.collections.enableUnsafeSerialization"
* all classes in the functor package which (based on current
knowledge) have to be considered unsafe cannot be serialized/
de-serialized any more by default. This includes the following
classes:
** CloneTransformer
** PrototypeFactory (inner classes
PrototypeCloneFactory and
PrototypeSerializationFactory)
** InstantiateFactory
** InstantiateTransformer
** ForClosure
** WhileClosure
** InvokerTransformer
Collections 3.2.2 RC3 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/collections/
(svn revision 11167)
Maven artifacts are here:
https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
Details of changes since 3.2.1 are in the release notes:
https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
The tag is here:
https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
(svn revision 1714131)
Site:
http://people.apache.org/builds/commons/collections/3.2.2/RC3/
Clirr Report (compared to 3.2.1):
http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
RAT Report:
http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
KEYS:
https://www.apache.org/dist/commons/KEYS
Please review the release candidate and vote.
Considering that this is a security related release and that RC2 did not
show any functional problems with the release, I plan to close this vote
in 24h from now, i.e. after 0100 GMT 14-November 2015
[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...
Thanks,
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
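An added post-upgrade check for the fix Thomas describes above; this is example code written for this page, not code from Commons Collections or from anyone in the thread. It takes the seven functor classes the mail lists as unsafe, builds one harmless instance of each, and confirms that ObjectOutputStream.writeObject refuses it, which is what the "symmetric" fix promises when the opt-in property is unset. Assumptions: the 3.2.2 jar is on the classpath; the public constructors and getInstance() factory methods used below exist with these signatures as in the 3.2.x line; the constructor arguments are placeholders that are never executed; and, because the mail only says an exception "will result", any exception thrown by writeObject is counted as the block. The class and method names in the harness itself (UnsafeSerializationCheck, isSerializationBlocked, mitigationActive) are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.collections.functors.CloneTransformer;
import org.apache.commons.collections.functors.FalsePredicate;
import org.apache.commons.collections.functors.ForClosure;
import org.apache.commons.collections.functors.InstantiateFactory;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.functors.NOPClosure;
import org.apache.commons.collections.functors.PrototypeFactory;
import org.apache.commons.collections.functors.WhileClosure;

/**
 * Hypothetical post-upgrade harness (not part of Commons Collections): checks that
 * the functor classes listed in the 3.2.2 vote mail can no longer be written with
 * ObjectOutputStream while the opt-in system property is left unset.
 */
public class UnsafeSerializationCheck {

    /** Opt-in property named in the vote mail; leaving it unset keeps the fix active. */
    static final String OPT_IN = "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns true when writeObject refuses the functor with an exception. */
    static boolean isSerializationBlocked(Object functor) {
        try {
            ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
            out.writeObject(functor);
            out.close();
            return false; // accepted silently: the 3.2.2 fix is not in effect
        } catch (Exception e) {
            // The mail only states that an exception results, so any type counts here.
            return true;
        }
    }

    /** One harmless instance per listed class; none of the arguments is ever executed. */
    static Map<String, Object> sampleFunctors() {
        Map<String, Object> samples = new LinkedHashMap<String, Object>();
        samples.put("CloneTransformer", CloneTransformer.getInstance());
        // ArrayList has a public clone(), so this yields the PrototypeCloneFactory inner class
        samples.put("PrototypeFactory", PrototypeFactory.getInstance(new ArrayList<Object>()));
        samples.put("InstantiateFactory", new InstantiateFactory(ArrayList.class));
        samples.put("InstantiateTransformer", InstantiateTransformer.getInstance(null, null));
        samples.put("ForClosure", new ForClosure(2, NOPClosure.INSTANCE));
        samples.put("WhileClosure", new WhileClosure(FalsePredicate.INSTANCE, NOPClosure.INSTANCE, false));
        samples.put("InvokerTransformer", InvokerTransformer.getInstance("toString"));
        return samples;
    }

    /** Maps each listed class name to whether serializing an instance of it is blocked. */
    static Map<String, Boolean> checkAll() {
        Map<String, Boolean> results = new LinkedHashMap<String, Boolean>();
        for (Map.Entry<String, Object> e : sampleFunctors().entrySet()) {
            results.put(e.getKey(), Boolean.valueOf(isSerializationBlocked(e.getValue())));
        }
        return results;
    }

    /** True only when every listed class is blocked and the opt-in has not been set. */
    static boolean mitigationActive() {
        if ("true".equalsIgnoreCase(System.getProperty(OPT_IN))) {
            return false; // someone re-enabled unsafe serialization for this JVM
        }
        return !checkAll().containsValue(Boolean.FALSE);
    }

    public static void main(String[] args) {
        for (Map.Entry<String, Boolean> e : checkAll().entrySet()) {
            System.out.println(e.getKey() + ": " + (e.getValue().booleanValue() ? "blocked" : "SERIALIZABLE"));
        }
        System.out.println(OPT_IN + " = " + System.getProperty(OPT_IN));
        System.exit(mitigationActive() ? 0 : 1);
    }
}
```

Run it with the 3.2.2 jar on the classpath; against 3.2.1 every class reports SERIALIZABLE. The harness exercises only the write side, because producing a stream that contains these classes would itself require setting the opt-in; the mail describes the fix as symmetric, so a stream written before the upgrade is rejected on read by the same mechanism. A non-zero exit also flags a JVM where the property has been set to true, which is the state to look for in deployment configuration after the upgrade.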
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Jörg Schaible <jo...@gmx.de>.
+1
Builds fine now with my compiler zoo.
Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> Java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense
> that also the serialization of an unsafe class is disabled by
> default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
> classes. It is now
> "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
> knowledge) have to be considered unsafe cannot be serialized/
> de-serialized any more by default. This includes the following
> classes:
>
> ** CloneTransformer
> ** PrototypeFactory (inner classes
> PrototypeCloneFactory and
> PrototypeSerializationFactory)
> ** InstantiateFactory
> ** InstantiateTransformer
> ** ForClosure
> ** WhileClosure
> ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/
> (svn revision 11167)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Luc Maisonobe <lu...@spaceroots.org>.
On 13/11/2015 00:31, Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> Java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense
> that also the serialization of an unsafe class is disabled by
> default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
> classes. It is now
> "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
> knowledge) have to be considered unsafe cannot be serialized/
> de-serialized any more by default. This includes the following
> classes:
>
> ** CloneTransformer
> ** PrototypeFactory (inner classes
> PrototypeCloneFactory and
> PrototypeSerializationFactory)
> ** InstantiateFactory
> ** InstantiateTransformer
> ** ForClosure
> ** WhileClosure
> ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/
> (svn revision 11167)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> [X] +1 Release these artifacts
Luc
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
>
>
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Stefan Bodewig <bo...@apache.org>.
On 2015-11-13, Thomas Neidhart wrote:
> Please review the release candidate and vote.
+1
Stefan
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Gary Gregory <ga...@gmail.com>.
On Fri, Nov 13, 2015 at 12:12 PM, Luc Maisonobe <lu...@spaceroots.org> wrote:
> On 13/11/2015 20:26, Gary Gregory wrote:
> > +1
> >
> > Tested with src zip.
> >
> > BUT:
> >
> > - The site Javadoc link is labeled "3.2.1" (fixed in
> > https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> > )
> > - The site history does not mention it (fixed in svn)
> >
> > ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Yes. I check this for every release.
>
Great, thank you for clarifying that.
Gary
>
> Luc
>
> >
> > Reports OK.
> >
> > Tested building with:
> >
> > Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> > 2015-04-22T04:57:37-07:00)
> > Maven home: C:\Java\apache-maven-3.3.3\bin\..
> > Java version: 1.7.0_79, vendor: Oracle Corporation
> > Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> > Default locale: en_US, platform encoding: Cp1252
> > OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
> >
> > and:
> >
> > Apache Ant(TM) version 1.9.6 compiled on June 29 2015
> >
> > Gary
> >
> > On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidhart@gmail.com>
> > wrote:
> >
> >> Hi all,
> >>
> >> in order to provide a work-around for the known remote code exploit via
> >> Java de-serialization of malicious InvokerTransformer instances, I would
> >> like to start a vote to release Commons Collections 3.2.2 based on RC3.
> >>
> >> Notes:
> >>
> >> * the site will not be published, it just serves as a reference to
> >> access the various reports. After a successful vote, the current 4.X
> >> branch site will be updated with relevant information and published.
> >>
> >> * some tests might fail with various IBM JDK 6 JREs, these are known
> >> issues and have been worked-around in the 4.X branch but are not
> >> back-ported to this release.
> >>
> >> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> >> with a newly introduced default method in the Map interface.
> >>
> >> * the collections-testframework.jar that has been published in previous
> >> versions is not included in this release
> >>
> >> Changes from RC2:
> >>
> >> * fixed false positives in RAT report
> >> * fixed test execution and compilation problems with JDK 1.4 and 1.5
> >>
> >> Changes from RC1:
> >>
> >> * fixed RAT report
> >> * fixed NOTICE file
> >> * improve the security fix: it has been made symmetric in the sense
> >> that also the serialization of an unsafe class is disabled by
> >> default and will result in an exception
> >> * changed the system property to re-enable serialization of unsafe
> >> classes. It is now
> >> "org.apache.commons.collections.enableUnsafeSerialization"
> >> * all classes in the functor package which (based on current
> >> knowledge) have to be considered unsafe cannot be serialized/
> >> de-serialized any more by default. This includes the following
> >> classes:
> >>
> >> ** CloneTransformer
> >> ** PrototypeFactory (inner classes
> >> PrototypeCloneFactory and
> >> PrototypeSerializationFactory)
> >> ** InstantiateFactory
> >> ** InstantiateTransformer
> >> ** ForClosure
> >> ** WhileClosure
> >> ** InvokerTransformer
> >>
> >>
> >>
> >> Collections 3.2.2 RC3 is available for review here:
> >> https://dist.apache.org/repos/dist/dev/commons/collections/
> >> (svn revision 11167)
> >>
> >> Maven artifacts are here:
> >>
> >>
> >> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
> >>
> >> Details of changes since 3.2.1 are in the release notes:
> >>
> >>
> >> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> >>
> >>
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
> >>
> >> The tag is here:
> >>
> >>
> >> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> >> (svn revision 1714131)
> >>
> >> Site:
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
> >>
> >> Clirr Report (compared to 3.2.1):
> >>
> >>
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
> >>
> >> RAT Report:
> >>
> >>
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
> >>
> >> KEYS:
> >> https://www.apache.org/dist/commons/KEYS
> >>
> >> Please review the release candidate and vote.
> >>
> >>
> >> Considering that this is a security related release and that RC2 did not
> >> show any functional problems with the release, I plan to close this vote
> >> in 24h from now, i.e. after 0100 GMT 14-November 2015
> >>
> >> [ ] +1 Release these artifacts
> >> [ ] +0 OK, but...
> >> [ ] -0 OK, but really should fix...
> >> [ ] -1 I oppose this release because...
> >>
> >> Thanks,
> >>
> >> Thomas
> >>
> >>
> >>
> >
> >
>
>
>
>
--
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Luc Maisonobe <lu...@spaceroots.org>.
On 13/11/2015 20:26, Gary Gregory wrote:
> +1
>
> Tested with src zip.
>
> BUT:
>
> - The site Javadoc link is labeled "3.2.1" (fixed in
> https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> )
> - The site history does not mention it (fixed in svn)
>
> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
Yes. I check this for every release.
Luc
>
> Reports OK.
>
> Tested building with:
>
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>
> and:
>
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>
> Gary
>
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <th...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> Java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>> * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>> * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>>
>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>> * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>>
>> Changes from RC2:
>>
>> * fixed false positives in RAT report
>> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>> * fixed RAT report
>> * fixed NOTICE file
>> * improve the security fix: it has been made symmetric in the sense
>> that also the serialization of an unsafe class is disabled by
>> default and will result in an exception
>> * changed the system property to re-enable serialization of unsafe
>> classes. It is now
>> "org.apache.commons.collections.enableUnsafeSerialization"
>> * all classes in the functor package which (based on current
>> knowledge) have to be considered unsafe cannot be serialized/
>> de-serialized any more by default. This includes the following
>> classes:
>>
>> ** CloneTransformer
>> ** PrototypeFactory (inner classes
>> PrototypeCloneFactory and
>> PrototypeSerializationFactory)
>> ** InstantiateFactory
>> ** InstantiateTransformer
>> ** ForClosure
>> ** WhileClosure
>> ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC3 is available for review here:
>> https://dist.apache.org/repos/dist/dev/commons/collections/
>> (svn revision 11167)
>>
>> Maven artifacts are here:
>>
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>>
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>> (svn revision 1714131)
>>
>> Site:
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>> https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>> [ ] +1 Release these artifacts
>> [ ] +0 OK, but...
>> [ ] -0 OK, but really should fix...
>> [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
>>
>>
>>
>
>
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Thomas Neidhart <th...@gmail.com>.
On 11/13/2015 08:26 PM, Gary Gregory wrote:
> +1
>
> Tested with src zip.
>
> BUT:
>
> - The site Javadoc link is labeled "3.2.1" (fixed in
> https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> )
> - The site history does not mention it (fixed in svn)
As I said, the site will not be published from the 3.2.2 release but from
the 4.X branch.
> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Reports OK.
>
> Tested building with:
>
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>
> and:
>
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>
> Gary
>
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <th...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> Java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>> * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>> * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>>
>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>> * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>>
>> Changes from RC2:
>>
>> * fixed false positives in RAT report
>> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>> * fixed RAT report
>> * fixed NOTICE file
>> * improve the security fix: it has been made symmetric in the sense
>> that also the serialization of an unsafe class is disabled by
>> default and will result in an exception
>> * changed the system property to re-enable serialization of unsafe
>> classes. It is now
>> "org.apache.commons.collections.enableUnsafeSerialization"
>> * all classes in the functor package which (based on current
>> knowledge) have to be considered unsafe cannot be serialized/
>> de-serialized any more by default. This includes the following
>> classes:
>>
>> ** CloneTransformer
>> ** PrototypeFactory (inner classes
>> PrototypeCloneFactory and
>> PrototypeSerializationFactory)
>> ** InstantiateFactory
>> ** InstantiateTransformer
>> ** ForClosure
>> ** WhileClosure
>> ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC3 is available for review here:
>> https://dist.apache.org/repos/dist/dev/commons/collections/
>> (svn revision 11167)
>>
>> Maven artifacts are here:
>>
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>>
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>> (svn revision 1714131)
>>
>> Site:
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>> https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>> [ ] +1 Release these artifacts
>> [ ] +0 OK, but...
>> [ ] -0 OK, but really should fix...
>> [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
>>
>>
>>
>
>
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Gary Gregory <ga...@gmail.com>.
+1
Tested with src zip.
BUT:
- The site Javadoc link is labeled "3.2.1" (fixed in
https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
)
- The site history does not mention it (fixed in svn)
ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
Reports OK.
Tested building with:
Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
2015-04-22T04:57:37-07:00)
Maven home: C:\Java\apache-maven-3.3.3\bin\..
Java version: 1.7.0_79, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.7.0_79\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
and:
Apache Ant(TM) version 1.9.6 compiled on June 29 2015
Gary
On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <th...@gmail.com>
wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> Java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense
> that also the serialization of an unsafe class is disabled by
> default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
> classes. It is now
> "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
> knowledge) have to be considered unsafe cannot be serialized/
> de-serialized any more by default. This includes the following
> classes:
>
> ** CloneTransformer
> ** PrototypeFactory (inner classes
> PrototypeCloneFactory and
> PrototypeSerializationFactory)
> ** InstantiateFactory
> ** InstantiateTransformer
> ** ForClosure
> ** WhileClosure
> ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/
> (svn revision 11167)
>
> Maven artifacts are here:
>
>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
>
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
>
>
Re: [RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Thomas Neidhart <th...@gmail.com>.
On 11/14/2015 04:20 PM, Uwe Barthel wrote:
> Thx Thomas.
>
> The fix for the Java serialization vulnerability is on the way.
> Now should we add some information on
> http://commons.apache.org/security.html like Commons Compress did?
yes, we will do something similar.
Thomas
Re: [RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Uwe Barthel <ba...@x-reizend.de>.
Thx Thomas.
The fix for the Java serialization vulnerability is on the way.
Now should we add some information on
http://commons.apache.org/security.html like Commons Compress did?
-- Uwe
On November 14, 2015 10:59:52 AM Thomas Neidhart
<th...@gmail.com> wrote:
> On 11/13/2015 12:31 AM, Thomas Neidhart wrote:
>> Hi all,
>
> [snip]
>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> Here is a tally of the VOTE
>
> Commons PMC:
> +1 from Luc, Joerg, Gary, Stefan, Thomas
>
> No other votes have been recorded.
>
> This VOTE, therefore, passes.
>
> Thomas
>
>
[RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3
Posted by Thomas Neidhart <th...@gmail.com>.
On 11/13/2015 12:31 AM, Thomas Neidhart wrote:
> Hi all,
[snip]
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
Here is a tally of the VOTE
Commons PMC:
+1 from Luc, Joerg, Gary, Stefan, Thomas
No other votes have been recorded.
This VOTE, therefore, passes.
Thomas