Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Import fixed Apache Commons Collections #444

Closed
1 task done
ikeyat opened this issue Dec 14, 2015 · 4 comments
Closed
1 task done

Import fixed Apache Commons Collections #444

ikeyat opened this issue Dec 14, 2015 · 4 comments
Assignees
@btshimizukza
Labels
type: misc
Milestone
1.0.4

Comments

@ikeyat
Copy link
Contributor

ikeyat commented Dec 14, 2015

Description

In commons-collections 3.2.1, arbitrary remote code execution vulnerability was found.
It was fixed 3.2.2.
https://issues.apache.org/jira/browse/COLLECTIONS-580

5.1.0.RELEASE is based on Spring IO Platform 2.0.0.RELEASE, but it contains commons-collection 3.2.1.

Spring 4 itself had similar vulnerability in older version. But fixed version (4.2.3 in IOPF 2.0.0.RELEASE #362 / 4.1.9 #392) will be imported in the next release.

Possible Solutions

Override its version to commons-collections 3.2.2.
It is necessary to backport to 1.0.x because of its impact.

Affects Version/s

  • 5.0.1.RELEASE
  • 1.0.3.RELEASE

Fix Version/s

Issue Links

https://jvn.jp/vu/JVNVU94276522/
https://issues.apache.org/jira/browse/COLLECTIONS-580
https://jira.spring.io/browse/SPR-13656
#362
@ikeyat ikeyat added this to the 5.1.0 milestone Dec 14, 2015
@btshimizukza
Copy link
Member

@ikeyat

Spring IO Platform 2.0.x and 1.1.x will be fixed version of commons-collections at next maintenance release.

We need to watch these release timing.

@ikeyat
Copy link
Contributor Author

ikeyat commented Dec 14, 2015

@btshimizukza
Exactly yes. We would like to rely on IO Platform as possible.
In my idea, it should be replaced fixed one in RC1(begin of Jan.) even if IO Platform was not released.
Of course, we can switch to IO Platform after RC1 if it is released later.

@kazuki43zoo kazuki43zoo modified the milestones: 1.0.4, 5.1.0 Dec 18, 2015
@btshimizukza btshimizukza mentioned this issue Dec 18, 2015
Closed
7 tasks
@btshimizukza btshimizukza self-assigned this Dec 18, 2015
btshimizukza added a commit that referenced this issue Dec 18, 2015
@btshimizukza
Update to Commons-Collections 3.3.2 #444
d4f2720 
* Apply fix version for COLLECTIONS-580
@btshimizukza btshimizukza mentioned this issue Dec 18, 2015
Merged
making added a commit that referenced this issue Dec 18, 2015
@making
Merge pull request #448 from terasolunaorg/issues/444_commons-collect…
f329eda 
…ions-3.2.2

[1.0.x] Update to Commons-Collections 3.3.2 #444
@kazuki43zoo
Copy link
Contributor

5.1.0 will resolved via #362 .

@ikeyat
Copy link
Contributor Author

ikeyat commented Dec 19, 2015

5.0.2 will be resolved via #392 .

@ikeyat ikeyat mentioned this issue Dec 19, 2015
Closed
1 task
@ikeyat ikeyat closed this as completed Dec 19, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@btshimizukza btshimizukza

Labels
type: misc
Projects
None yet
Milestone
1.0.4
Development

No branches or pull requests
4 participants
@making @kazuki43zoo @btshimizukza @ikeyat