Hi all,
in order to provide a work-around for the known remote code exploit via
java de-serialization of malicious InvokerTransformer instances, I would
like to start a vote to release Commons Collections 3.2.2 based on RC3.
Notes:
* the site will not be published, it just serves as a reference to
access the various reports. After a successful vote, the current 4.X
branch site will be updated with relevant information and published.
* some tests might fail with various IBM JDK 6 JREs, these are known
issues and have been worked-around in the 4.X branch but are not
back-ported to this release.
* Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash
with a newly introduced default method in the Map interface.
* the collections-testframework.jar that has been published in previous
versions is not included in this release
Changes from RC2:
* fixed false positives in RAT report
* fixed test execution and compilation problems with JDK 1.4 and 1.5
Changes from RC1:
* fixed RAT report
* fixed NOTICE file
* improved the security fix: it has been made symmetric in the sense
that also the serialization of an unsafe class is disabled by
default and will result in an exception
* changed the system property to re-enable serialization of unsafe
classes. It is now
"org.apache.commons.collections.enableUnsafeSerialization"
* all classes in the functor package which (based on current
knowledge) have to be considered unsafe cannot be serialized/
de-serialized any more by default. This includes the following
classes:
** CloneTransformer
** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
** InstantiateFactory
** InstantiateTransformer
** ForClosure
** WhileClosure
** InvokerTransformer
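A small check for the behaviour described above, added here as an example and not code from the release or the Commons Collections project. It assumes the 3.2.2 jar is on the class path and that the serialization guard throws UnsupportedOperationException (which is what 3.2.2's functor classes do); only a harmless "toString" InvokerTransformer is used.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Verifies that the Commons Collections jar on the class path refuses to
 * serialize InvokerTransformer, as 3.2.2 does by default. Written without
 * generics so it also compiles on the JDK 1.4/1.5 targets of this release.
 */
public class UnsafeSerializationCheck {

    // system property named in the release announcement
    static final String PROPERTY =
        "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns true if serialization was refused, false if it succeeded. */
    static boolean serializationIsBlocked() throws IOException {
        Transformer t = InvokerTransformer.getInstance("toString");
        ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
        try {
            out.writeObject(t);   // 3.2.2 throws UnsupportedOperationException here
            return false;
        } catch (UnsupportedOperationException e) {
            System.out.println("blocked: " + e.getMessage());
            return true;
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(PROPERTY + " = " + System.getProperty(PROPERTY));
        if (serializationIsBlocked()) {
            System.out.println("OK: unsafe functor serialization is disabled (3.2.2 default).");
        } else {
            System.out.println("WARNING: InvokerTransformer serialized without error; "
                + "either the jar predates 3.2.2 or the property is set to true.");
        }
    }
}
```

Run it once as-is (expect "blocked") and once with -Dorg.apache.commons.collections.enableUnsafeSerialization=true on the java command line (expect the warning), which confirms both the default and the opt-out behave as announced.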
Collections 3.2.2 RC3 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/collections/
(svn revision 11167)
Maven artifacts are here:
https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
Details of changes since 3.2.1 are in the release notes:
https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
The tag is here:
https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
(svn revision 1714131)
Site:
http://people.apache.org/builds/commons/collections/3.2.2/RC3/
Clirr Report (compared to 3.2.1):
http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
RAT Report:
http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
KEYS:
https://www.apache.org/dist/commons/KEYS
Please review the release candidate and vote.
Considering that this is a security related release and that RC2 did not
show any functional problems with the release, I plan to close this vote
in 24h from now, i.e. after 0100 GMT 14-November 2015.
[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...
Thanks,
Thomas