Posted to commits@commons.apache.org by ch...@apache.org on 2017/07/11 17:56:08 UTC
[38/50] commons-collections git commit: Update Release Notes with
details about improved fix for COLLECTIONS-580.
Update Release Notes with details about improved fix for COLLECTIONS-580.
git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713850 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/commons-collections/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-collections/commit/75335407
Tree: http://git-wip-us.apache.org/repos/asf/commons-collections/tree/75335407
Diff: http://git-wip-us.apache.org/repos/asf/commons-collections/diff/75335407
Branch: refs/heads/COLLECTIONS_3_2_X
Commit: 753354073b2bcf0d134d10f18e9a34cc09343a48
Parents: d9a0013
Author: Thomas Neidhart <tn...@apache.org>
Authored: Wed Nov 11 14:29:18 2015 +0000
Committer: Thomas Neidhart <tn...@apache.org>
Committed: Wed Nov 11 14:29:18 2015 +0000
----------------------------------------------------------------------
RELEASE-NOTES.txt | 18 +++++++++++-------
src/changes/changes.xml | 11 +++++++----
2 files changed, 18 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/75335407/RELEASE-NOTES.txt
----------------------------------------------------------------------
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index 53df5d0..b32b03d 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -12,8 +12,9 @@ This release is JDK1.3 compatible, and does not use JDK1.5 generics.
This v3.2.2 release is a bugfix release, fixing several bugs present in the previous
releases of the 3.2 branch. Additionally, this release provides a mitigation for a
known remote code exploitation via the standard java object serialization mechanism.
-By default, de-serialization of "InvokerTransformer" instances is prohibited and
-will result in an exception. For more details, please refer to COLLECTIONS-580.
+By default, serialization support for unsafe classes in the functor package is
+disabled and will result in an exception when either trying to serialize or de-serialize
+an instance of these classes. For more details, please refer to COLLECTIONS-580.
All users are strongly encouraged to updated to this release.
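Review bot: the trailing context line "All users are strongly encouraged to updated to this release." has a grammar slip ("to updated" should read "to update"); since this hunk already rewrites the paragraph directly above it, fix that line here rather than leaving it for a separate commit. While in this paragraph, name the exception type that the new default throws, so that a user whose application starts failing when it serializes or de-serializes a Transformer tree can recognise the failure as the COLLECTIONS-580 guard rather than report it as a regression, and state in one clause that the guard is an opt-out (a system property) so readers do not have to chase COLLECTIONS-580 to learn that.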
@@ -23,11 +24,14 @@ Changes in this version include:
CHANGES
=======
-o COLLECTIONS-580: De-serialization of "InvokerTransformer" is disabled by default as this
- can be exploited for remote code execution attacks. To re-enable the
- feature the system property
- "org.apache.commons.collections.invokertransformer.enableDeserialization"
- needs to be set to "true".
+o COLLECTIONS-580: Serialization support for unsafe classes in the functor package is
+ disabled by default as this can be exploited for remote code execution
+ attacks. To re-enable the feature the system property
+ "org.apache.commons.collections.enableUnsafeSerialization" needs to be
+ set to "true".
+ Classes considered to be unsafe are: CloneTransformer, ForClosure,
+ InstantiateFactory, InstantiateTransformer, InvokerTransformer,
+ PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.
BUGFIXES
========
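Review bot: the replacement entry drops the earlier opt-in property "org.apache.commons.collections.invokertransformer.enableDeserialization" without saying that it is no longer honoured, so anyone who set it against an earlier build will now get the exception with no hint why. If that property name ever shipped in a snapshot or release candidate, add a line such as "The earlier property org.apache.commons.collections.invokertransformer.enableDeserialization is no longer recognised." The entry should also say plainly that setting "org.apache.commons.collections.enableUnsafeSerialization" to "true" restores the remote code execution exposure and is only acceptable where serialized data comes from a trusted source; as written it reads like an ordinary feature switch. Minor: the release-notes paragraph above says the check fires on serialization and de-serialization, while this entry only says "serialization support ... is disabled"; use the same wording in both places.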
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/75335407/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 83a0427..7981903 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -21,12 +21,15 @@
</properties>
<body>
- <release version="3.2.2" date="20XX-XX-XX" description="This is a bugfix release.">
+ <release version="3.2.2" date="2015-11-18" description="This is a bugfix release.">
<action issue="COLLECTIONS-580" dev="tn" type="update">
- De-serialization of "InvokerTransformer" is disabled by default as this
- can be exploited for remote code execution attacks. To re-enable the
- feature the system property "org.apache.commons.collections.invokertransformer.enableDeserialization"
+ Serialization support for unsafe classes in the functor package is disabled
+ by default as this can be exploited for remote code execution attacks.
+ To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization"
needs to be set to "true".
+ Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory,
+ InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory,
+ PrototypeSerializationFactory, WhileClosure.
</action>
<action issue="COLLECTIONS-538" dev="tn" type="fix" due-to="Trejkaz">
"ExtendedProperties" will now use a privileged action to access the
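Review bot: the release date is hard-coded to 2015-11-18, a week after the commit date (Wed Nov 11 2015); either confirm that the release vote closes then or keep the "20XX-XX-XX" placeholder until the release is actually cut, since this file feeds the published changes report and a wrong date is awkward to correct after the fact. The action text for COLLECTIONS-580 mirrors the RELEASE-NOTES entry almost word for word and will drift the next time one of them is edited; as with that entry, add a line that the earlier "org.apache.commons.collections.invokertransformer.enableDeserialization" property is no longer honoured, and say that enabling "org.apache.commons.collections.enableUnsafeSerialization" reintroduces the remote code execution risk, so that both texts carry the same warning.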