It seems unlikely m2e is affected by it. Its been a while but I don't recall m2e using class serialization internally. The bundle suggests the archetypes, I don't know if the maven archetypes use object serialization but since they can already result in arbitrary code being run on your system (via the generated pom) it doesn't seem an attack source.
On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera < victo...@mx1.ibm.com> wrote: > Hello Community. > > Throwing again this question to the table. Will this problem be fixed by > m2e team? > > Thanks > > Regards > > ------------------------------ > *Victor Adrian Sosa Herrera* > <http://www.ibm.com/webaccessories/emailsig/i/ibm2.gif> Software Engineer > - Rational Application Developer 2200 Camino A El Castillo IBM Master > Innovator El Salto, 45680 Mexico Software Lab Mexico C120 Q2 Phone: > +52-33-3669-7000 > x3344 Mobile: +52-1-33-1529-6494 e-mail: victo...@mx1.ibm.com > Twitter <https://twitter.com/sosah_victor> DeveloperWorks blog > <https://www.ibm.com/developerworks/community/blogs/victorsh> > ------------------------------ > > > > > > ----- Original message ----- > From: Victor Adrian Sosa Herrera/Mexico/IBM > To: m2e-users@eclipse.org > Cc: > Subject: Vulnerability problem found in M2E > Date: Mon, Nov 16, 2015 1:39 PM > > Hello community. > > On the past weeks, a security vulnerability was found in Apache Commons > Collections library, particularly on versions 3.x and 4.x. You can see > details here > > http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ > > The fix is on its way and tracked under this JIRA > https://issues.apache.org/jira/browse/COLLECTIONS-580 > > Now, I've been digging this a little bit and found that one M2E plugin is > bundling this commons-collections.jar archive, at least on Eclipse Luna. > Doing a quick search in the Eclipse installation I found this > > org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar > > Do you have any plans to patch this plugin with the updated library (once > available)? > > Regards > > ------------------------------ > *Victor Adrian Sosa Herrera* > <http://www.ibm.com/webaccessories/emailsig/i/ibm2.gif> Software Engineer > - Rational Application Developer 2200 Camino A El Castillo IBM Master > Innovator El Salto, 45680 Mexico Software Lab Mexico C120 Q2 Phone: > +52-33-3669-7000 > x3344 Mobile: +52-1-33-1529-6494 e-mail: victo...@mx1.ibm.com > Twitter <https://twitter.com/sosah_victor> DeveloperWorks blog > <https://www.ibm.com/developerworks/community/blogs/victorsh> > ------------------------------ > > > > > > > _______________________________________________ > m2e-users mailing list > m2e-users@eclipse.org > To change your delivery options, retrieve your password, or unsubscribe > from this list, visit > https://dev.eclipse.org/mailman/listinfo/m2e-users >
_______________________________________________ m2e-users mailing list m2e-users@eclipse.org To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/m2e-users
