OsgiliathEnterprise / net.osgiliath.parent

Osgiliath OSGI-EE Framework
http://osgiliathenterprise.github.io/projects.documentations/products/osgiliath-enterprise-framework/
15 stars 7 forks source link

Upgrade Apache Commons Collections to v3.2.2 #62

Closed gmlewis closed 8 years ago

gmlewis commented 8 years ago

Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Tcharl commented 8 years ago

Can one of the admins verify this patch?