Hi Thomas,

Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
>
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous versions is not included in this release
>
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>
> ** CloneTransformer
> ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
> ** InstantiateFactory
> ** InstantiateTransformer
> ** ForClosure
> ** WhileClosure
> ** InvokerTransformer
>
>
> Collections 3.2.2 RC2 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/
> (svn revision 11147)
>
> Maven artifacts are here:
> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>
> The tag is here:
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
> (svn revision 1713883)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
> Considering that this is a security related release and that RC1 did not show any functional problems with the release, I plan to close this vote in 24 from now, i.e. after 1800 GMT 12-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...

-1, sorry, but there's a regression.

The package claims to be compatible with Java 1.3. Well, I don't have 1.3 anymore, but 1.4. And I can build CC-3.2.1 and run all tests with Blackdown JDK 1.4 and Maven 2.0.11.

For CC-3.2.2 I have to use at least Java 5 and Maven 3.0(.5):

- Using java-1.4 profile: Build fails, because tests no longer compile
- Sun JDK 1.5: TestAllPackages fails due to SecurityException:

================== %< ==================
Running org.apache.commons.collections.TestAllPackages
java.lang.SecurityException
        at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
        at java.lang.System.getProperty(System.java:628)
        at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.io.PrintWriter.<init>(PrintWriter.java:77)
        at java.io.PrintWriter.<init>(PrintWriter.java:61)
        at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
        at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
================== %< ==================

- Sun JDK 1.6: OK
- Oracle JDK 1.7: OK
- IBM JDK 1.5: OK (!!)
- IBM JDK 1.6 (J9 2.4): fails (as expected, same for CC-3.2.1)
- IBM JDK 1.7: OK (!!)
- IcedTea 6 (OpenJDK): TestAllPackages fails due to SecurityException:

================== %< ==================
Running org.apache.commons.collections.TestAllPackages
java.lang.SecurityException
        at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
        at java.lang.System.getProperty(System.java:628)
        at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.io.PrintWriter.<init>(PrintWriter.java:77)
        at java.io.PrintWriter.<init>(PrintWriter.java:61)
        at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
        at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
================== %< ==================

- IcedTea 7 (OpenJDK): OK

TestExtendedProperties.testActiveSecurityManager is the only test using a SM, but I wonder why it fails the test now, because both failing JDKs have no problem building CC-3.2.1 (using Maven 3.0.5) and all tests pass fine.

Cheers,
Jörg
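A deployment-side check for the "symmetric" fix described in the vote mail, added here as an example that is not part of this thread or of the Commons Collections project: it tries to serialize harmless instances of three of the functors listed above and reports whether the commons-collections jar on the classpath refuses, which 3.2.2 should do by default and 3.2.1 does not. It assumes only that the guard surfaces as a RuntimeException (the mail says just "an exception"); the factory methods and constants used exist in the 3.2.x API.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.functors.CloneTransformer;
import org.apache.commons.collections.functors.InstantiateFactory;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Build-time check: does the commons-collections jar on the classpath refuse to
 * serialize the functors that 3.2.2 disables by default? Exit code 0 means every
 * probed functor was rejected (guard present); 1 means at least one serialized.
 */
public class UnsafeSerializationCheck {

    /** Probe instances with harmless arguments; none of them is ever invoked. */
    static Object[] probes() {
        return new Object[] {
            InvokerTransformer.getInstance("toString"),
            CloneTransformer.INSTANCE,
            InstantiateFactory.getInstance(Object.class),
        };
    }

    /**
     * Returns true if writing the functor to an ObjectOutputStream throws a
     * RuntimeException, which is how the 3.2.2 guard behaves unless the system
     * property org.apache.commons.collections.enableUnsafeSerialization is "true".
     * 3.2.1 has no guard, so the write succeeds and this returns false.
     */
    static boolean serializationRefused(Object functor) throws IOException {
        ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
        try {
            out.writeObject(functor);
            return false;
        } catch (RuntimeException guardTripped) {
            // Assumption: the guard's exception type is unchecked; the mail names no type.
            return true;
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws IOException {
        boolean allRefused = true;
        for (Object functor : probes()) {
            boolean refused = serializationRefused(functor);
            System.out.println(functor.getClass().getName() + ": "
                + (refused ? "serialization refused (guarded)" : "SERIALIZED (no guard!)"));
            allRefused &= refused;
        }
        System.exit(allRefused ? 0 : 1);
    }
}
```

Run it with the jar under test on the classpath; a non-zero exit from a CI job is a cheap way to catch a 3.2.1 artifact creeping back in through dependency resolution.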