Closed gmlewis closed 8 years ago
Have you checked out the project and run all the unit tests to ensure nothing breaks with this new version?
No, I haven't, and I won't be able to, as this is part of a larger GitHub-wide cleanup effort. Please feel free to close the PR if it is not helpful to you. Thanks.
OK, I agree it's a useful change, just not in this form. I'm going to do this in a separate branch as it should also include an update to the changelog in the same commit.
Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/