Closed gmlewis closed 8 years ago
+1
Hi @gmlewis , thanks for the pull request.
Agreement to the Individual Contributor License Agreement is required by Apereo to enable accepting your contribution. I don't see your name on the roster of signatories, but if it's there, do let me know. I'd love to have you on board.
I apologize, I didn't realize a CLA was involved. I'm closing this request, and you are totally free to do whatever you would like with the information that you have learned from this closed PR, of course.
Cool. It's one character. If I were a lawyer, maybe I could argue that there's no copyright that attaches to a one character change. I'm not a lawyer. I do bet I can do something worthwhile to this code with the idea behind this PR. :smile:.
Sorry for the hassle, @gmlewis. CLAs, they're a hassle.
No worries at all, @apetro ! I totally understand. Best wishes to you and your team.
Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a Turing machine. A Turing machine with an exec() function!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
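The comment above describes why a gadget library on the classpath matters: stock `ObjectInputStream` will instantiate whatever class names the incoming byte stream asks for. The mitigation on the consuming side is to decide which classes are acceptable before any object is built. The following is an added example written for this thread, not code from the project or from any commenter; it shows a look-ahead `ObjectInputStream` whose `resolveClass` override rejects any class not on an explicit allow-list. The allow-list contents and the `Unexpected` class are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Added example (not from the PR thread): a look-ahead ObjectInputStream that
// only resolves classes on an explicit allow-list. Every other class name in
// the stream is rejected while the descriptor is parsed, i.e. before any
// readObject() of that class can run.
public class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical allow-list for this demo: the exact classes the application
    // expects to receive. Strings are encoded natively in the stream and never
    // reach resolveClass, so only the container type needs listing here.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList");

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass is invoked for each class descriptor as the stream is read.
    // Failing here stops an unexpected class before it is instantiated.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Serialize an object to bytes; used only to build demo input.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize through the allow-listing stream.
    static Object fromBytes(byte[] b) throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(b))) {
            return in.readObject();
        }
    }

    // Constructed stand-in for any class the application does not expect.
    // It is harmless; the point is only that it is absent from ALLOWED.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        int x = 1;
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = toBytes(new ArrayList<>(List.of("a", "b")));
        System.out.println("allowed: " + fromBytes(ok));

        byte[] bad = toBytes(new Unexpected());
        try {
            fromBytes(bad);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later the same policy can be expressed without subclassing, via `ObjectInputFilter` (JEP 290) set with `ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` system property; either way the check runs during parsing rather than after instantiation. This is a defence for code that must deserialize; it does not replace upgrading the library itself, which the linked commons-collections security report covers.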