You're most welcome! Lots of heavy activity on Twitter as well :-) -Sally
From: Gary Gregory
To: Commons Developers List ; Sally Khudairi
Sent: Tuesday, November 10, 2015 10:40 AM
Subject: Re: Blog post "commons" vulnerability
Thank you Sally!
Gary
On Nov 10, 2015
; src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java
> Thanks,-Chris
>
> From: Sally Khudairi [mailto:sallykhuda...@yahoo.com]
> Sent: Monday, November 09, 2015 3:15 PM
> To: Sally Khudairi; e...@zusammenkunft.net; Frohoff, Chris; Gabriel
> La
On 10/11/2015 10:17, Jochen Wiedmann wrote:
> On Tue, Nov 10, 2015 at 10:51 AM, Mark Thomas
>
>> You only need a CVE ID if there is a vulnerability.
>>
>> I would argue (and the OPs appear to agree with me) that this is NOT a
>> vulnerability in Apache Commons Collections. The vulnerability lies
"Frohoff, Chris"
To: Sally Khudairi ; "e...@zusammenkunft.net"
; Gabriel Lawrence ;
Commons Developers List
Sent: Monday, November 9, 2015 6:42 PM
Subject: RE: Blog post "commons" vulnerability
On Tue, Nov 10, 2015 at 10:51 AM, Mark Thomas
> You only need a CVE ID if there is a vulnerability.
>
> I would argue (and the OPs appear to agree with me) that this is NOT a
> vulnerability in Apache Commons Collections. The vulnerability lies in
> applications that are blindly deserializing dat
>>> --include=*.java -l | grep -v InvokerTransformer | xargs -n1 grep -l
>>> Serializable
>>>
>>> src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java
>>>
>>> src/main/java/org/apache/commons/collections4/functors/InstantiateTrans
ep -v InvokerTransformer | xargs -n1 grep -l
>> Serializable
>>
>> src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java
>>
>> src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java
>>
>> src/main/java/org/apache/com
he/commons/collections4/functors/InstantiateTransformer.java
>
> src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java
>
> Thanks,
>
> -Chris
>
>
>
> From: Sally Khudairi [mailto:sallykhuda...@yahoo.com]
>
>
> Sent: Monday, November 09,
sammenkunft.net; Frohoff, Chris; Gabriel Lawrence;
Commons Developers List
Subject: Re: Blog post "commons" vulnerability
Just to clarify re: PMC affiliation, may I suggest it appear as:
> Authors: Bernd Eckenfels and Gary Gregory, members of the Apache Commons
> P
de-serialisation vulnerabilities
(I.e. less formal. Gary I guess you would agree not to mention PMC?)
Gruss
Bernd
--
http://bernd.eckenfels.net
-Original Message-
From: Sally Khudairi
To: "Frohoff, Chris" , Gabriel Lawrence
, Commons Developers List
Sent: Mo., 09 Nov. 2015
pers List
Sent: Monday, November 9, 2015 5:29 PM
Subject: Re: Blog post "commons" vulnerability
Thanks so much, Bernd.
Personally, I prefer mentioning PMC affiliation, as it adds credibility, but
I'll post it however you'd like.
OK re: tweet screenshot; I've included
ss you would agree not to mention PMC?)
Gruss
Bernd
--
http://bernd.eckenfels.net
-Original Message-
From: Sally Khudairi
To: "Frohoff, Chris" , Gabriel Lawrence
, Commons Developers List
Sent: Mo., 09 Nov. 2015 22:36
Subject: Re: Blog post "commons" vulnerability
T
C?)
Thanks, Chris. I'll include you
airi
From: "Frohoff, Chris"
To: Gabriel Lawrence ; Commons Developers List
Cc: Sally Khudairi
Sent: Monday, November 9, 2015 12:31 PM
Subject: RE: Blog post "commons" vulnerability
On the whole this looks good to me... there are a few grammatical errors
though. Not being familiar with your process, will there be a quick scrub at
the end to find all these, or do you need me to point them out?
Also, Chris is reviewing it as well and we should add him to this "We want
to thank Ch
I think the post is nicely written and I don't personally object to
anything in it. I have not dug into the details of the subject
though. I wonder, also, if the "statement from Commons" bit is
necessary. We have never done this before and we are in general
pretty conservative at the ASF level i
Thanks, Bernd. Thanks, Gary.
I'm happy to publish for you when I'm back at the office later today.
To confirm, is there consensus on the content?
Thanks again,
Sally
[From the mobile; please excuse top-posting, spelling/spacing errors, and
brevity]
- Reply message -
From: "Gary Gregor
It's commons collections
On Mon, Nov 9, 2015 at 5:45 AM Bernd Eckenfels
wrote:
> Hello Sally,
>
> currently there is a security vulnerability doing the rounds which uses
> as an example Apache Commons Collection. It is not really a bug in
> Commons Collection, but there is a lot of fuzz. So sinc
My name is spelled Gary Gregory BTW ;-)
Gary
On Nov 9, 2015 2:45 AM, "Bernd Eckenfels" wrote:
> Hello Sally,
>
> currently there is a security vulnerability doing the rounds which uses
> as an example Apache Commons Collection. It is not really a bug in
> Commons Collection, but there is a lot o