On 13/11/2015 00:31, Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> Java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
>   access the various reports. After a successful vote, the current 4.X
>   branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs; these are known
>   issues and have been worked around in the 4.X branch but are not
>   back-ported to this release.
>
> * Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash
>   with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
>   versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improved the security fix: it has been made symmetric in the sense
>   that also the serialization of an unsafe class is disabled by
>   default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
>   classes. It is now
>   "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
>   knowledge) have to be considered unsafe cannot be serialized/
>   de-serialized any more by default. This includes the following
>   classes:
>
>   ** CloneTransformer
>   ** PrototypeFactory (inner classes PrototypeCloneFactory and
>      PrototypeSerializationFactory)
>   ** InstantiateFactory
>   ** InstantiateTransformer
>   ** ForClosure
>   ** WhileClosure
>   ** InvokerTransformer
>
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/
> (svn revision 11167)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
[X] +1 Release these artifacts

Luc

> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
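A deployment self-check for the behaviour the vote mail describes (serialization of an unsafe functor such as InvokerTransformer is refused unless the system property "org.apache.commons.collections.enableUnsafeSerialization" is set). This is an added example, not code from the thread or from Commons Collections itself; it assumes that 3.2.2 signals the refusal by throwing an UnsupportedOperationException out of writeObject, and that commons-collections 3.2.2 is on the classpath.

```java
// Added example (not part of the release or this thread): verifies that the
// Commons Collections jar in use refuses to serialize InvokerTransformer,
// i.e. that the 3.2.2 fix is active and has not been re-enabled via the
// org.apache.commons.collections.enableUnsafeSerialization system property.
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

public class UnsafeSerializationCheck {

    static final String PROPERTY = "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns true when serializing an InvokerTransformer is rejected (fix active). */
    public static boolean serializationIsBlocked() throws Exception {
        // A harmless functor instance; only whether it can be serialized matters here.
        Transformer t = InvokerTransformer.getInstance("toString");
        ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
        try {
            out.writeObject(t);
            return false; // no exception: unsafe serialization is enabled on this classpath
        } catch (UnsupportedOperationException expected) {
            // Assumption: 3.2.2 throws this from writeObject unless PROPERTY is "true".
            return true;
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(PROPERTY + " = " + System.getProperty(PROPERTY));
        if (serializationIsBlocked()) {
            System.out.println("OK: InvokerTransformer serialization is disabled (3.2.2 fix active)");
        } else {
            System.out.println("WARNING: InvokerTransformer was serialized; upgrade to 3.2.2 "
                    + "or make sure " + PROPERTY + " is not set to true");
        }
    }
}
```

Run it once with the property unset and once with -Dorg.apache.commons.collections.enableUnsafeSerialization=true to see both outcomes; the second configuration is the one the release notes warn should only be used when no untrusted data is ever de-serialized.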