On Wed, Feb 12, 2025 at 4:22 PM Volodymyr Siedlecki <volos...@apache.org>
wrote:

> We are looking at collections4 as a possibility, but haven't determined if
> we can upgrade yet.
>

That sounds reasonable.


> The main issue is COLLECTIONS-701 which is flagged by security scanners:
>
> ```
> The framework Apache Commons Collections before 4.3 is vulnerable to Stack
> Overflow. The function add() in the file list/SetUniqueList.java throws a
> StackOverflowError when the add() method is called with its own list.
> ```
>

That does not really make sense:
* I think you should provide feedback to your security scanner vendor, as
this seems like a false positive: COLLECTIONS-701 is triggered by passing a
SetUniqueList to itself with SetUniqueList.add(), and AFAICS this can only
be triggered by incorrect code, not by malicious input. If they have
additional background information to make a convincing argument that there
is security impact here, you may report it to secur...@commons.apache.org
and we'll consider publishing a CVE advisory for it, but as it stands this
seems like an invalid warning.
* In any case, this issue was already fixed in 4.3 so (as Sebb mentioned)
this should not prevent you from upgrading to the latest version.


Kind regards,

Arnout Engelen

On 2025/02/12 15:08:19 sebb wrote:
> > On Wed, 12 Feb 2025 at 14:53, Volodymyr Siedlecki <volos...@apache.org>
> wrote:
> > >
> > > Hello,
> > >
> > > I don't see it explicitly on the commons website, but is 3.2.2 end of
> Life?
> > > I'm assuming so (as there are no releases in 10 years), but I would
> like to
> > > double check?
> >
> > Collections3 is no longer advertised on the download page.
> >
> > All development is now happening in collections4 (and has been for many
> years).
> >
> > > I ask since my team would like to backport a few fixes if there's any
> > > possibility for a 3.2.3 release.
> >
> > I think that is extremely unlikely.
> >
> > Have you had a look at collections4?
> >
> > > Thanks!
> > >
> > > Volodymyr
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> >
>

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
