alibaba / cobar

a proxy for sharding databases and tables
Apache License 2.0
3.21k stars 1.22k forks source link

Upgrade Apache Commons Collections to v3.2.2 #71

Closed jart closed 8 years ago

jart commented 8 years ago

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!

https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

CLAassistant commented 8 years ago

CLA assistant check
You should sign our Contributor License Agreement in order to get your pull request merged.

jart commented 8 years ago

I shouldn't need to sign a CLA for a one line change.