search

Verigreen / verigreen

Verigreen is a lightweight, server side solution for verification of git commits. It is a gated check-in process which will not allow any failed CI commit to go into an integration/release/any protected branch. We keep it green (hence the name).
Apache License 2.0
57 stars 19 forks source link

Upgrade vg-common to Apache Commons Collections to v3.2.2 #114

Open jart opened 8 years ago

jart commented 8 years ago

Version 3.1 has a CVSS 10.0 vulnerability. That's the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

soninob commented 8 years ago

@jart - Thank you for this PR - to approve it you will need to sign the Contributor License Agreement