Posted to dev@velocity.apache.org by "Mark Symons (JIRA)" <de...@velocity.apache.org> on 2015/11/30 17:34:10 UTC

[jira] [Created] (VELTOOLS-169) Upgrade commons-collections compile dependency to 4.1

Mark Symons created VELTOOLS-169:
------------------------------------

             Summary: Upgrade commons-collections compile dependency to 4.1
                 Key: VELTOOLS-169
                 URL: https://issues.apache.org/jira/browse/VELTOOLS-169
             Project: Velocity Tools
          Issue Type: Bug
          Components: Build
    Affects Versions: 2.0
            Reporter: Mark Symons
            Priority: Critical


Upgrade commons-collections to v4.1 or later to mitigate a level 9 threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. Quoting from the v4.1 release notes:

{quote}
Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:

    CloneTransformer
    ForClosure
    InstantiateFactory
    InstantiateTransformer
    InvokerTransformer
    PrototypeCloneFactory
    PrototypeSerializationFactory
    WhileClosure.
{quote}
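
The release note above says the functor classes are unsafe to deserialize. As an added example (not Velocity Tools or commons-collections code), here is a look-ahead ObjectInputStream that rejects both the old and the new functor package by name before the class is loaded, a compensating control for any endpoint that deserializes untrusted input while the upgrade to 4.1 is pending. The class names and the fixture in main() are assumptions constructed for the example; it needs only the JDK.

```java
import java.io.*;

// Added example, not Velocity Tools code: a look-ahead ObjectInputStream that rejects the
// functor package of both the old (commons-collections 3.x) and the new (commons-collections4)
// artifact by name, before the class is loaded or anything is instantiated.
public class FunctorRejectingObjectInputStream extends ObjectInputStream {
    // Package prefixes of the unsafe classes listed in the COLLECTIONS-580 release note.
    private static final String[] REJECTED_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors."
    };

    public FunctorRejectingObjectInputStream(InputStream in) throws IOException { super(in); }

    // Invoked with each class descriptor as soon as its name has been read from the stream.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        for (String prefix : REJECTED_PREFIXES) {
            if (desc.getName().startsWith(prefix)) {
                throw new InvalidClassException(desc.getName(), "commons-collections functors are not deserializable here");
            }
        }
        return super.resolveClass(desc);
    }

    // Constructed fixture: a minimal stream whose first class descriptor names the given class and
    // carries no fields. Not a gadget payload; it only exercises the name check, which fires before
    // the class would even be looked up, so the commons-collections jar need not be on the classpath.
    static byte[] streamNamingClass(String className) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeShort(0xACED); out.writeShort(5);      // STREAM_MAGIC, STREAM_VERSION
        out.writeByte(0x73); out.writeByte(0x72);       // TC_OBJECT, TC_CLASSDESC
        out.writeUTF(className);
        out.writeLong(0L); out.writeByte(0x02);         // serialVersionUID, SC_SERIALIZABLE
        out.writeShort(0);                              // no fields
        out.writeByte(0x78); out.writeByte(0x70);       // TC_ENDBLOCKDATA, TC_NULL (no superclass)
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = streamNamingClass("org.apache.commons.collections.functors.InvokerTransformer");
        try (ObjectInputStream in = new FunctorRejectingObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            System.out.println("unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

A name blocklist like this is defence in depth only; the upgrade to 4.1, which removes serialization support from these classes outright, remains the real fix.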
