Hi Deepesh, there is an ongoing vote to release commons-collections 3.2.2, which by default prevents InvokerTransformer from being deserialized. You can find the release notes here: https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
For further information, please take a look at the ASF blog: https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Timo

2015-11-10 9:05 GMT+01:00 Kapoor, Deepesh <deepesh_kap...@spe.sony.com>:
> Hi Team,
>
> This is regarding "commons-collections Java library". In our applications we
> are widely using this library and hence looking to urgently patch the fix for
> vulnerability issue if it is available.
> Searching on internet we found one patch released on Sunday 08th Nov
> http://svn.apache.org/viewvc?view=revision&revision=1713307
>
> Just wanted to check with you if there is any updated / compiled version of
> commons-collections jar available or going to be released soon which we can
> directly replace with our existing jar file that provides the fix for the
> vulnerability issue.
>
> Thanks in advance!
>
>
> Thanks & Regards,
> Deepesh
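
For the practical side of the question in this thread (which deployed copies need replacing), here is an added example, not code from the Commons project or from either poster: it walks a deployment directory and flags commons-collections jars older than 3.2.2, including copies nested inside WAR/EAR files. It assumes the jar keeps its usual `commons-collections-<version>.jar` file name; the function names are hypothetical.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (3, 2, 2)  # release named in the thread
ARCHIVES = (".jar", ".war", ".ear")
# Assumption: the jar keeps its usual file name, e.g. commons-collections-3.2.1.jar.
# The separate commons-collections4 artifact does not match and is not covered.
JAR_NAME = re.compile(r"(?:^|/)commons-collections-(\d+(?:\.\d+)*)\.jar$")


def check_name(name, where, findings):
    m = JAR_NAME.search(name)
    if m:
        version = tuple(int(p) for p in m.group(1).split("."))
        findings.append((where, m.group(1), version < FIXED))


def scan_archive(data, where, findings, depth=0):
    """Look inside a zip-format archive, recursing into nested archives."""
    if depth > 4:  # bound recursion on odd or hostile archives
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.lower().endswith(ARCHIVES):
                    inner = f"{where}!/{entry}"
                    check_name(entry, inner, findings)
                    scan_archive(zf.read(entry), inner, findings, depth + 1)
    except zipfile.BadZipFile:
        pass  # not a readable archive; skip it


def scan_tree(root):
    """Return (location, version, older_than_3_2_2) for every copy under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            check_name(path.name, str(path), findings)
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


if __name__ == "__main__":
    for where, version, old in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("REPLACE" if old else "ok     ", version, where)
```

Renamed or shaded copies are not detected by a file-name check, so treat an empty result as "none found by name", not as proof of absence.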