On 11/12/2015 07:14 PM, Jörg Schaible wrote:
> Hi Thomas,
> 
> Thomas Neidhart wrote:
> 
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>>
>> Notes:
>>
>>  * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>>  * some tests might fail with various IBM JDK 6 JREs; these are known
>> issues and have been worked around in the 4.X branch but are not
>> back-ported to this release.
>>
>>  * Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>>  * the collections-testframework.jar that has been published in previous
>> versions is not included in this release.
>>
>>
>> Changes from RC1:
>>
>>  * fixed RAT report
>>  * fixed NOTICE file
>>  * improved the security fix: it has been made symmetric in the sense
>>    that the serialization of an unsafe class is also disabled by
>>    default and will result in an exception
>>  * changed the system property to re-enable serialization of unsafe
>>    classes. It is now
>>    "org.apache.commons.collections.enableUnsafeSerialization"
>>  * all classes in the functor package which (based on current
>>    knowledge) have to be considered unsafe cannot be serialized/
>>    de-serialized any more by default. This includes the following
>>    classes:
>>
>>  ** CloneTransformer
>>  ** PrototypeFactory (inner classes
>>                       PrototypeCloneFactory and
>>                       PrototypeSerializationFactory)
>>  ** InstantiateFactory
>>  ** InstantiateTransformer
>>  ** ForClosure
>>  ** WhileClosure
>>  ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC2 is available for review here:
>>     https://dist.apache.org/repos/dist/dev/commons/collections/
>>     (svn revision 11147)
>>
>> Maven artifacts are here:
>>
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>>
>> The tag is here:
>>
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>>     (svn revision 1713883)
>>
>> Site:
>>     http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>>
>> Clirr Report (compared to 3.2.1):
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>>
>> RAT Report:
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>>
>> KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security-related release and that RC1 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24 hours from now, i.e. after 1800 GMT, 12 November 2015.
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
> 
> -1,
> 
> sorry, but there's a regression.
> 
> The package claims to be compatible with Java 1.3. Well, I don't have 1.3 
> anymore, but 1.4. And I can build CC-3.2.1 and run all tests with Blackdown 
> JDK 1.4 and Maven 2.0.11.
> 
> For CC-3.2.2 I have to use at least Java 5 and Maven 3.0(.5):
> 
> - Using java-1.4 profile: Build fails, because tests no longer compile
> - Sun JDK 1.5: TestAllPackages fails due to SecurityException:
> ================== %< ==================
> Running org.apache.commons.collections.TestAllPackages
> java.lang.SecurityException
>         at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
>         at java.lang.System.getProperty(System.java:628)
>         at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.io.PrintWriter.<init>(PrintWriter.java:77)
>         at java.io.PrintWriter.<init>(PrintWriter.java:61)
>         at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
>         at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
>         at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
> ================== %< ==================
> - Sun JDK 1.6: OK
> - Oracle JDK 1.7: OK
> - IBM JDK 1.5: OK (!!)
> - IBM JDK 1.6 (J9 2.4): fails (as expected, same for CC-3.2.1)
> - IBM JDK 1.7: OK (!!)
> - IcedTea 6 (OpenJDK): TestAllPackages fails due to SecurityException:
> ================== %< ==================
> Running org.apache.commons.collections.TestAllPackages
> java.lang.SecurityException
>         at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
>         at java.lang.System.getProperty(System.java:628)
>         at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.io.PrintWriter.<init>(PrintWriter.java:77)
>         at java.io.PrintWriter.<init>(PrintWriter.java:61)
>         at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
>         at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
>         at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
> ================== %< ==================
> - IcedTea 7 (OpenJDK): OK
> 
> 
> TestExtendedProperties.testActiveSecurityManager is the only test using a 
> SM, but I wonder why it fails the test now, because both failing JDKs have 
> no problem building CC-3.2.1 (using Maven 3.0.5) and all tests pass fine.

OK, the errors have been fixed in the branch.

I have successfully tested it with the Oracle/Sun JDK from 1.4 to 1.7.

JDK 1.3 does not run on my computer anymore.

Maybe you have the time to execute the tests again from trunk; I will
create a new RC in about 2 hours.

Thomas
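As an added illustration of the symmetric fix described in the quoted release notes above (example code written for this page, not code from Commons Collections or from either poster), the following standalone Java program checks that a JVM running Collections 3.2.2 refuses both to serialize and to de-serialize an InvokerTransformer unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to "true". It uses only the public 3.2.2 API (InvokerTransformer.getInstance) and the standard ObjectOutputStream/ObjectInputStream; the release notes say only that "an exception" results, so the program catches RuntimeException and reports whatever type it actually sees rather than assuming one. The functor built here invokes toString and carries no other behaviour; it exists only so that the class guard has something to refuse.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Verifies that the 3.2.2 guard on unsafe functor classes is active in both
 * directions (serialize and de-serialize). Run against commons-collections 3.2.2.
 * Assumption: the guard re-reads the system property on every call, which is why
 * the property can be toggled within one JVM to obtain a test payload.
 */
public class UnsafeSerializationCheck {

    // Property name as given in the RC2 release notes.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        try {
            oos.writeObject(o);
        } finally {
            oos.close();
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        try {
            return ois.readObject();
        } finally {
            ois.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // A harmless functor: only its class matters for the guard.
        Transformer t = InvokerTransformer.getInstance("toString");

        // 1. Default configuration: serialization of the unsafe class must be refused.
        System.clearProperty(PROP);
        try {
            serialize(t);
            System.out.println("FAIL: serialization was allowed (not 3.2.2, or property already set)");
        } catch (RuntimeException e) {
            System.out.println("OK: serialization refused with "
                    + e.getClass().getName() + ": " + e.getMessage());
        }

        // 2. Explicit opt-in, used here solely to produce a byte stream for step 3.
        //    The property is cleared again immediately afterwards.
        System.setProperty(PROP, "true");
        byte[] bytes = serialize(t);
        System.clearProperty(PROP);
        System.out.println("Produced " + bytes.length + " bytes with the property set");

        // 3. Default configuration again: de-serialization must also be refused,
        //    which is the "symmetric" half of the fix named in the release notes.
        try {
            deserialize(bytes);
            System.out.println("FAIL: de-serialization was allowed");
        } catch (RuntimeException e) {
            System.out.println("OK: de-serialization refused with "
                    + e.getClass().getName() + ": " + e.getMessage());
        }
    }
}
```

Run it with commons-collections-3.2.2.jar on the classpath; both "OK" lines mean the guard is in effect. If the first step prints "FAIL", either an older Collections jar is on the classpath ahead of 3.2.2 or the property has been set globally (for example via a JVM -D flag), which is the condition a deployment review should look for, since setting it re-opens the de-serialization path the release exists to close.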

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
