OFBiz / OFBIZ-1525 Issue to group security concerns / OFBIZ-6726

Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170]

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk
    • Fix Version/s: 14.12.01, 12.04.06, 13.07.03, 16.11.01
    • Component/s: framework
    • Sprint: Bug Crush Event - 21/2/2015

    Description

    Done to 3.2.2 at revision:
    trunk  1714571
    R14.12 1714575
    R13.07 1714576
    R13.04 1714577

    Activity

    Adrian Crum (adrianc@hlmksw.com) added a comment -

    It would be nice if we had more information about the exploit and how the upgrade might affect OFBiz users.

    Jacques Le Roux (jacques.le.roux) added a comment -

    AFAIK, the upgrade should not affect OFBiz users in any way. Here is some information about the possible exploit:
    https://issues.apache.org/jira/browse/OFBIZ-6568?focusedCommentId=14998306
    https://issues.apache.org/jira/browse/COLLECTIONS-580
    TL;DR: see the comment about COLLECTIONS-580 in http://commons.apache.org/proper/commons-collections/release_3_2_2.html
    http://www.ibm.com/developerworks/library/se-lookahead/
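    The behaviour the COLLECTIONS-580 links above describe, as an added check that is not part of OFBiz and was not posted in this ticket: from 3.2.2 on, the functor classes that the known gadget chains abuse (InvokerTransformer among them) throw UnsupportedOperationException from their private readObject/writeObject unless the system property org.apache.commons.collections.enableUnsafeSerialization is "true". The class below exercises exactly that with a harmless InvokerTransformer, so running it against the commons-collections jar an OFBiz checkout actually ships tells you whether the upgrade took effect. The class name, method names and the classpath in the usage comment are assumptions; the property name and exception type are those documented in the 3.2.2 release notes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Added check, not OFBiz code: verifies that the commons-collections jar on the
 * classpath carries the COLLECTIONS-580 fix (3.2.2), i.e. that InvokerTransformer
 * can be neither written nor read by Java serialization unless the opt-in
 * system property is set.
 *
 * Usage (jar path is an assumption, point it at the jar your checkout ships):
 *   javac -cp commons-collections-3.2.2.jar UnsafeFunctorSerializationCheck.java
 *   java  -cp commons-collections-3.2.2.jar:. UnsafeFunctorSerializationCheck
 */
public class UnsafeFunctorSerializationCheck {

    // Property introduced by COLLECTIONS-580; unset means serialization is disabled.
    static final String UNSAFE_PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** True if the library refused the operation for security reasons (3.2.2 message names the property). */
    static boolean isRefused(Exception e) {
        return e instanceof UnsupportedOperationException
                && e.getMessage() != null
                && e.getMessage().contains(UNSAFE_PROP);
    }

    /**
     * Returns true when the jar behaves like 3.2.2: writing the functor is refused by
     * default, allowed with the property, and reading bytes produced under the
     * property is refused again once the property is cleared.
     */
    static boolean jarHasCollections580Fix() throws Exception {
        // A harmless functor: reflectively calls toString() on whatever it is given.
        Transformer t = InvokerTransformer.getInstance("toString");

        // 1. Default configuration must refuse to write the functor.
        System.clearProperty(UNSAFE_PROP);
        try {
            serialize(t);
            return false;                       // 3.2.1 or older: written without complaint
        } catch (Exception e) {
            if (!isRefused(e)) throw e;         // anything else is a real error, surface it
        }

        // 2. With the opt-in set, writing works (how a trusted producer would use it).
        System.setProperty(UNSAFE_PROP, "true");
        byte[] bytes = serialize(t);

        // 3. Reading those same bytes with the opt-in cleared must be refused too;
        //    this is the direction that blocks the published gadget chains.
        System.clearProperty(UNSAFE_PROP);
        try {
            deserialize(bytes);
            return false;
        } catch (Exception e) {
            if (!isRefused(e)) throw e;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (jarHasCollections580Fix()) {
            System.out.println("OK: InvokerTransformer (de)serialization is disabled; jar has the 3.2.2 fix");
        } else {
            System.out.println("FAIL: InvokerTransformer (de)serialized without error; upgrade to 3.2.2");
        }
    }
}
```

    The check also answers Adrian's question about impact: only code that itself serializes or deserializes these functors notices the upgrade, and such code can opt back in with the property, at the cost the 3.2.2 exception message spells out.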
    Jacques Le Roux (jacques.le.roux) added a comment -

    Maybe we should update to 4.1 http://markmail.org/message/nh6csf4fun5n6e23 but that needs to be checked. I mean it's maybe not as easy as changing the lib and the 2 OOTB imports (from "org.apache.commons.collections" to "org.apache.commons.collections4")...
    Jacques Le Roux (jacques.le.roux) added a comment -

    Done at revision: 1717247 cf. OFBIZ-6748

    People

    • Assignee: Jacques Le Roux (jacques.le.roux)
    • Reporter: Jacques Le Roux (jacques.le.roux)
    • Votes: 0
    • Watchers: 2
