[38/50] commons-collections git commit: Update Release Notes with details about improved fix for COLLECTIONS-580.

[ch...@apache.org]

Update Release Notes with details about improved fix for COLLECTIONS-580.

git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713850 13f79535-47bb-0310-9956-ffa450edef68


Project: http://git-wip-us.apache.org/repos/asf/commons-collections/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-collections/commit/75335407
Tree: http://git-wip-us.apache.org/repos/asf/commons-collections/tree/75335407
Diff: http://git-wip-us.apache.org/repos/asf/commons-collections/diff/75335407

Branch: refs/heads/COLLECTIONS_3_2_X
Commit: 753354073b2bcf0d134d10f18e9a34cc09343a48
Parents: d9a0013
Author: Thomas Neidhart <tn...@apache.org>
Authored: Wed Nov 11 14:29:18 2015 +0000
Committer: Thomas Neidhart <tn...@apache.org>
Committed: Wed Nov 11 14:29:18 2015 +0000

----------------------------------------------------------------------
 RELEASE-NOTES.txt       | 18 +++++++++++-------
 src/changes/changes.xml | 11 +++++++----
 2 files changed, 18 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-collections/blob/75335407/RELEASE-NOTES.txt
----------------------------------------------------------------------
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index 53df5d0..b32b03d 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -12,8 +12,9 @@ This release is JDK1.3 compatible, and does not use JDK1.5 generics.
 This v3.2.2 release is a bugfix release, fixing several bugs present in the previous
 releases of the 3.2 branch. Additionally, this release provides a mitigation for a
 known remote code exploitation via the standard java object serialization mechanism.
-By default, de-serialization of "InvokerTransformer" instances is prohibited and
-will result in an exception. For more details, please refer to COLLECTIONS-580.
+By default, serialization support for unsafe classes in the functor package is
+disabled and will result in an exception when either trying to serialize or de-serialize
+an instance of these classes. For more details, please refer to COLLECTIONS-580.
 
 All users are strongly encouraged to updated to this release.
 
@@ -23,11 +24,14 @@ Changes in this version include:
 CHANGES
 =======
 
-o COLLECTIONS-580:  De-serialization of "InvokerTransformer" is disabled by default as this
-                    can be exploited for remote code execution attacks. To re-enable the
-                    feature the system property
-                    "org.apache.commons.collections.invokertransformer.enableDeserialization"
-                    needs to be set to "true". 
+o COLLECTIONS-580:  Serialization support for unsafe classes in the functor package is
+                    disabled by default as this can be exploited for remote code execution
+                    attacks. To re-enable the feature the system property
+                    "org.apache.commons.collections.enableUnsafeSerialization" needs to be
+                    set to "true".
+                    Classes considered to be unsafe are: CloneTransformer, ForClosure,
+                    InstantiateFactory, InstantiateTransformer, InvokerTransformer,
+                    PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.
 
 BUGFIXES
 ========

http://git-wip-us.apache.org/repos/asf/commons-collections/blob/75335407/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 83a0427..7981903 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -21,12 +21,15 @@
   </properties>
   <body>
 
-  <release version="3.2.2" date="20XX-XX-XX" description="This is a bugfix release.">
+  <release version="3.2.2" date="2015-11-18" description="This is a bugfix release.">
     <action issue="COLLECTIONS-580" dev="tn" type="update">
-      De-serialization of "InvokerTransformer" is disabled by default as this
-      can be exploited for remote code execution attacks. To re-enable the
-      feature the system property "org.apache.commons.collections.invokertransformer.enableDeserialization"
+      Serialization support for unsafe classes in the functor package is disabled
+      by default as this can be exploited for remote code execution attacks.
+      To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization"
       needs to be set to "true".
+      Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory,
+      InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory,
+      PrototypeSerializationFactory, WhileClosure.
     </action>
     <action issue="COLLECTIONS-538" dev="tn" type="fix" due-to="Trejkaz">
       "ExtendedProperties" will now use a privileged action to access the