[jira] [Commented] (CLOUDSTACK-9053) CloudStack is dependent upon a vulnerable version of Commons Collections

Fri, 20 Nov 2015 01:42:26 -0800 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15015503#comment-15015503
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9053:
--------------------------------------------

Github user remibergsma commented on the pull request:

    https://github.com/apache/cloudstack/pull/1089#issuecomment-158338131
  
    @DaanHoogland the tests succeed for me:
    ```
    nosetests --with-marvin --marvin-config=${marvinCfg} -s -a 
tags=advanced,required_hardware=true smoke/test_ssvm.py
    ```
    
    Result:
    ```
    Test SSVM Internals ... === TestName: test_03_ssvm_internals | Status : 
SUCCESS ===
    ok
    Test CPVM Internals ... === TestName: test_04_cpvm_internals | Status : 
SUCCESS ===
    ok
    Test stop SSVM ... === TestName: test_05_stop_ssvm | Status : SUCCESS ===
    ok
    Test stop CPVM ... === TestName: test_06_stop_cpvm | Status : SUCCESS ===
    ok
    Test reboot SSVM ... === TestName: test_07_reboot_ssvm | Status : SUCCESS 
===
    ok
    Test reboot CPVM ... === TestName: test_08_reboot_cpvm | Status : SUCCESS 
===
    ok
    Test destroy SSVM ... === TestName: test_09_destroy_ssvm | Status : SUCCESS 
===
    ok
    Test destroy CPVM ... === TestName: test_10_destroy_cpvm | Status : SUCCESS 
===
    ok
    
    ----------------------------------------------------------------------
    Ran 8 tests in 1404.281s
    
    OK
    ```
    
    Now all tests pass, LGTM.


> CloudStack is dependent upon a vulnerable version of Commons Collections
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9053
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9053
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: John Kinsella
>
> COLLECTIONS-580 was brought to our attention today. Current versions of 
> Apache Commons Collections contain a serialization/unserialization 
> vulnerability which may result in remote code execution.
> CloudStack does not seem to use the specific vulnerable class 
> InvokerTransformer, so in theory we could recommend pulling that class from 
> the jars/wars, but still looking to see what else we can do...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to