Closed gmlewis closed 8 years ago
Thank you very much for the pull request and sorry for my late absense. I will be review at the next weekend.
Thomas
I have reviewed your pull request - all is fine for me. I have manual merged your pull request - it should be contained in the master now. But the merge button is shown again - i will be wait until tomorrow. If the button then shown again i will be close the pull request manually because it is done.
OK, great, thanks. I will go ahead and close now since it is already merged.
Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/