Posted to dev@velocity.apache.org by "Claude Brisson (JIRA)" <de...@velocity.apache.org> on 2018/06/24 01:36:00 UTC

[jira] [Resolved] (VELTOOLS-169) Upgrade commons-collections compile dependency to v3.2.2 or v4.1

     [ https://issues.apache.org/jira/browse/VELTOOLS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claude Brisson resolved VELTOOLS-169.
-------------------------------------
       Resolution: Fixed
         Assignee: Claude Brisson
    Fix Version/s: 3.0

Trunk got rid of commons-collections by replacing ExtendedProperties with o.a.v.util.ExtProperties.

> Upgrade commons-collections compile dependency to v3.2.2 or v4.1
> ----------------------------------------------------------------
>
>                 Key: VELTOOLS-169
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-169
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Assignee: Claude Brisson
>            Priority: Critical
>             Fix For: 3.0
>
>
> Upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level 9 threat.
> Old name: commons-collections:commons-collections
> Current name: org.apache.commons:commons-collections4
> Velocity Tools v2.0 uses commons-collections:commons-collections v3.2
> commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580.  Quoting from v4.1 release notes:
> {quote}
> Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:
>     CloneTransformer
>     ForClosure
>     InstantiateFactory
>     InstantiateTransformer
>     InvokerTransformer
>     PrototypeCloneFactory
>     PrototypeSerializationFactory
>     WhileClosure.
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
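The release note quoted in the ticket explains why the upgrade matters: the functor classes it lists are deserialization gadgets, so any code path that calls ObjectInputStream.readObject() on untrusted bytes with commons-collections 3.2.x on the classpath is exposed. Upgrading removes the gadgets from that one library; a process-wide deserialization allowlist covers gadgets in every other jar as well. The following is an added example, not code from the ticket or from Velocity Tools, showing such an allowlist with the JDK 9+ java.io.ObjectInputFilter API (JEP 290). The Greeting and Unexpected classes are hypothetical stand-ins for an application's own DTO and for a class that should never appear on the wire.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not part of VELTOOLS-169 or Velocity Tools):
 * a deserialization allowlist built with ObjectInputFilter.
 */
public class DeserializationAllowlist {

    /** Hypothetical DTO the application actually expects to deserialize. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Hypothetical Serializable class that is NOT expected on the wire. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /**
     * Allowlist: JDK classes and our DTO are accepted, arrays are capped at
     * 100 elements, and every other class (which includes all of
     * org.apache.commons.collections.functors.*) is rejected by the final
     * "!*" pattern before its readObject() can run. Patterns are matched
     * in order; the first match decides.
     */
    static ObjectInputFilter allowlist() {
        return ObjectInputFilter.Config.createFilter(
                "maxarray=100;"
                + "java.**;"
                + DeserializationAllowlist.class.getName() + "$Greeting;"
                + "!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist installed on this one stream. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlist());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: the expected DTO passes the filter.
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // Constructed input 2: a class outside the allowlist is rejected
        // with InvalidClassException("filter status: REJECTED").
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied JVM-wide instead of per stream through the `jdk.serialFilter` system property (available from Java 8u121 as well as Java 9+), which is the practical choice when the deserializing code lives in a library such as the TexenTask discussed below rather than in application code you control.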


Re: [jira] [Resolved] (VELTOOLS-169) Upgrade commons-collections compile dependency to v3.2.2 or v4.1

Posted by Greg Huber <gr...@gmail.com>.
Claude,

Thanks for the updates. By the way, the deprecated TexenTask also uses
ExtendedProperties. I tried to use the o.a.v.util.ExtProperties suggested
here, but it does not work for some reason, so I switched to
org.apache.commons.configuration2.PropertiesConfiguration, which does work.

It's basically just a swap, with the method .load changed to .read:

File fullPath = getProject().resolveFile(sources[i]);

// Before (commons-collections):
// ExtendedProperties source = new ExtendedProperties();
// source.load(new FileInputStream(fullPath));

// After (commons-configuration2): read(Reader) replaces load(InputStream);
// the reader is closed by try-with-resources.
PropertiesConfiguration source = new PropertiesConfiguration();
try (Reader reader = new FileReader(fullPath)) {
    source.read(reader);
}

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-configuration2</artifactId>
    <version>2.2</version>
</dependency>

Cheers Greg

On 24 June 2018 at 02:36, Claude Brisson (JIRA) <de...@velocity.apache.org>
wrote:

>
>      [ https://issues.apache.org/jira/browse/VELTOOLS-169?page=
> com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Claude Brisson resolved VELTOOLS-169.
> -------------------------------------
>        Resolution: Fixed
>          Assignee: Claude Brisson
>     Fix Version/s: 3.0
>
> trunk got rid of commons-collections by replacing ExtendedProperties by
> o.a.v.util.ExtProperties
>
> > Upgrade commons-collections compile dependency to v3.2.2 or v4.1
> > ----------------------------------------------------------------
> >
> >                 Key: VELTOOLS-169
> >                 URL: https://issues.apache.org/jira/browse/VELTOOLS-169
> >             Project: Velocity Tools
> >          Issue Type: Bug
> >          Components: Build
> >    Affects Versions: 2.0
> >            Reporter: Mark Symons
> >            Assignee: Claude Brisson
> >            Priority: Critical
> >             Fix For: 3.0
> >
> >
> > Upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level
> 9 threat.
> > Old name: commons-collections:commons-collections
> > Current name: org.apache.commons:commons-collections4
> > Velocity Tools v2.0 uses commons-collections:commons-collections v3.2
> > commons-collections4 v4.1 includes the critical security fix
> COLLECTIONS-580.  Quoting from v4.1 release notes:
> > {quote}
> > Serialization support for unsafe classes in the functor package has been
> removed completely as this can be exploited for remote code execution
> attacks. Classes considered to be unsafe are:
> >     CloneTransformer
> >     ForClosure
> >     InstantiateFactory
> >     InstantiateTransformer
> >     InvokerTransformer
> >     PrototypeCloneFactory
> >     PrototypeSerializationFactory
> >     WhileClosure.
> > {quote}
>