Velocity Tools / VELTOOLS-169

Upgrade or remove commons-collections compile dependency

Details

• Type: Bug
• Status: Closed
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: 2.0
• Fix Version/s: 3.0
• Component/s: Build
• Labels: None

Description

Remove the commons-collections dependency, or upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate a level 9 threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. Quoting from the v4.1 release notes:

Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:

• CloneTransformer
• ForClosure
• InstantiateFactory
• InstantiateTransformer
• InvokerTransformer
• PrototypeCloneFactory
• PrototypeSerializationFactory
• WhileClosure
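As an added illustration of the upgrade this issue asks for (it is not from the issue or from the Velocity Tools build itself), the Maven fragment below assumes a plain pom.xml that declares commons-collections directly. It shows the 3.2 artifact to drop beside the two acceptable replacements the description names. The 4.x line uses a different groupId, artifactId and Java package (org.apache.commons.collections4), so moving to it also means updating imports, whereas 3.2.2 is a drop-in replacement on the 3.x line.

```xml
<!-- Added example, not the Velocity Tools pom. Assumes a plain Maven build
     that declares commons-collections directly. -->

<!-- Before: the 3.2 artifact this issue reports; its functor classes
     remain serializable and are the gadget chain COLLECTIONS-580 closes -->
<dependency>
  <groupId>commons-collections</groupId>
  <artifactId>commons-collections</artifactId>
  <version>3.2</version>
</dependency>

<!-- Option A: stay on the 3.x line with the patched release the issue names.
     Same coordinates and Java package, so no source changes are needed. -->
<dependency>
  <groupId>commons-collections</groupId>
  <artifactId>commons-collections</artifactId>
  <version>3.2.2</version>
</dependency>

<!-- Option B: move to the 4.x line. New groupId and artifactId, and the
     classes live under org.apache.commons.collections4, so imports change. -->
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.1</version>
</dependency>
```

Replacing the direct declaration is not sufficient on its own: another dependency can still pull the old commons-collections:commons-collections artifact onto the classpath transitively. `mvn dependency:tree` lists every path by which it arrives; an `<exclusion>` on the dependency that carries it, or a `<dependencyManagement>` entry pinning the version to 3.2.2, keeps the unpatched copy out of the build.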

People

• Assignee: Claude Brisson (claude)
• Reporter: Mark Symons (marks)
• Votes: 0
• Watchers: 4