[ https://issues.apache.org/jira/browse/CLOUDSTACK-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15015507#comment-15015507 ]

ASF subversion and git services commented on CLOUDSTACK-9053:
-------------------------------------------------------------

Commit 401693eafbe940c8fc349eec950779cf3e3f2717 in cloudstack's branch refs/heads/4.6 from [~remibergsma]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=401693e ]

Merge pull request #1089 from DaanHoogland/CLOUDSTACK-9053

CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

cloudstack is not vulnerable but as the classes are in they might be used in the future so we upgrade to prevent accidental vulnerabilities.

unit tests in master succeeded.
unit tests on 4.6 passed.
integration tests going on.

* pr/1089:
  CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

Signed-off-by: Remi Bergsma <git...@remi.nl>

> CloudStack is dependent upon a vulnerable version of Commons Collections
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9053
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9053
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: John Kinsella
>
> COLLECTIONS-580 was brought to our attention today. Current versions of
> Apache Commons Collections contain a serialization/unserialization
> vulnerability which may result in remote code execution.
> CloudStack does not seem to use the specific vulnerable class
> InvokerTransformer, so in theory we could recommend pulling that class from
> the jars/wars, but still looking to see what else we can do...

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
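The fix merged above is a dependency upgrade, so the question a release engineer is left with is how to confirm that a built jar or war actually carries the upgraded Commons Collections and which archives still bundle the class named in the issue description. The following is an added example, not CloudStack's or Commons Collections' code: it scans a jar (or the WEB-INF/lib jars inside a war) for the InvokerTransformer class file and reads the bundled Implementation-Version from the manifest, flagging any archive whose version is below a minimum the caller supplies. The minimum version, the archive names and the version strings in the sample are constructed stand-ins; the real minimum must be taken from the COLLECTIONS-580 fix version.

```python
"""Check built jars/wars for the Commons Collections class named in
CLOUDSTACK-9053 and the bundled library version. Added example; not
CloudStack's own tooling."""
import io
import re
import zipfile

# Class path of the transformer the issue description names as vulnerable.
INVOKER_TRANSFORMER = "org/apache/commons/collections/functors/InvokerTransformer.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'3.2.1-SNAPSHOT' -> (3, 2, 1); returns () when no numeric prefix exists."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(data, label):
    """Inspect one jar held in memory as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            "jar": label,
            "has_invoker_transformer": INVOKER_TRANSFORMER in zf.namelist(),
            "version": manifest_version(zf),
        }


def scan_archive(data, label, min_version):
    """Scan a jar, or every WEB-INF/lib/*.jar inside a war.

    An archive 'needs_upgrade' when it ships InvokerTransformer and its
    manifest version is missing or below min_version; an unknown version
    is treated as failing, since it cannot be shown to be fixed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        nested = [m for m in zf.namelist()
                  if m.startswith("WEB-INF/lib/") and m.endswith(".jar")]
        targets = ([(zf.read(m), f"{label}!{m}") for m in nested]
                   if nested else [(data, label)])
    findings = []
    floor = parse_version(min_version)
    for blob, name in targets:
        f = inspect_jar(blob, name)
        v = parse_version(f["version"] or "")
        f["needs_upgrade"] = f["has_invoker_transformer"] and (not v or v < floor)
        findings.append(f)
    return findings


def build_jar(entries):
    """Build a zip in memory from {path: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample archives; versions and names are placeholders, not
# real Commons Collections releases.
MIN_VERSION = "2.0.0"  # assumption: replace with the COLLECTIONS-580 fix version
OLD_JAR = build_jar({MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 1.0.0\n",
                     INVOKER_TRANSFORMER: b"\xca\xfe\xba\xbe"})
NEW_JAR = build_jar({MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 2.0.0\n",
                     INVOKER_TRANSFORMER: b"\xca\xfe\xba\xbe"})
OTHER_JAR = build_jar({MANIFEST: "Manifest-Version: 1.0\n",
                       "com/example/Unrelated.class": b"\xca\xfe\xba\xbe"})
SAMPLE_WAR = build_jar({"WEB-INF/lib/commons-collections.jar": OLD_JAR,
                        "WEB-INF/lib/unrelated.jar": OTHER_JAR})

if __name__ == "__main__":
    for finding in scan_archive(SAMPLE_WAR, "app.war", MIN_VERSION):
        print(finding)
    print(scan_archive(NEW_JAR, "commons-collections.jar", MIN_VERSION)[0])
```

Pointing scan_archive at a real build output replaces the constructed samples; a jar that carries the class but no readable Implementation-Version is reported as needing an upgrade on purpose, because the absence of a version is exactly the case a release check should not wave through.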