Hi all,

in order to provide a workaround for the known remote code exploit via Java deserialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.

Notes:

 * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
 * some tests might fail with various IBM JDK 6 JREs; these are known issues and have been worked around in the 4.X branch but are not back-ported to this release.
 * Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
 * the collections-testframework.jar that has been published in previous versions is not included in this release.

Changes from RC2:

 * fixed false positives in RAT report
 * fixed test execution and compilation problems with JDK 1.4 and 1.5

Changes from RC1:

 * fixed RAT report
 * fixed NOTICE file
 * improved the security fix: it has been made symmetric in the sense that the serialization of an unsafe class is also disabled by default and will result in an exception
 * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
 * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/deserialized any more by default. This includes the following classes:
   ** CloneTransformer
   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
   ** InstantiateFactory
   ** InstantiateTransformer
   ** ForClosure
   ** WhileClosure
   ** InvokerTransformer

Collections 3.2.2 RC3 is available for review here:
  https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)

Maven artifacts are here:
  https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/

Details of changes since 3.2.1 are in the release notes:
  https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
  http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html

The tag is here:
  https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)

Site:
  http://people.apache.org/builds/commons/collections/3.2.2/RC3/

Clirr Report (compared to 3.2.1):
  http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html

RAT Report:
  http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html

KEYS:
  https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote. Considering that this is a security-related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thanks,

Thomas
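Added example (not part of the vote mail or of the Commons Collections code base): a small probe that a practitioner can compile against the 3.2.2 artifacts to confirm that the behaviour described above is in effect on their classpath. It serializes and then deserializes an InvokerTransformer once with the system property unset (expected to fail with an exception on 3.2.2) and once with "org.apache.commons.collections.enableUnsafeSerialization" set to "true" (expected to succeed), and also shows that plain in-memory use of the functor keeps working, since only (de)serialization is blocked. The class name UnsafeSerializationProbe and the roundTrip helper are my own; the probe prints whichever exception type the library throws rather than assuming one.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Probe for the Commons Collections 3.2.2 serialization hardening.
 * Added example, not project code. Compile and run with
 * commons-collections-3.2.2.jar on the classpath.
 */
public class UnsafeSerializationProbe {

    /** Property named in the 3.2.2 release mail that re-enables unsafe (de)serialization. */
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    /**
     * Serializes the transformer to a byte array and reads it back.
     * Returns null when the round trip succeeds, otherwise the exception
     * class and message so the caller can see what the library threw.
     */
    static String roundTrip(Transformer t) {
        try {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(bos);
            oos.writeObject(t);          // 3.2.2: writeObject itself is guarded
            oos.close();
            ObjectInputStream ois = new ObjectInputStream(
                    new ByteArrayInputStream(bos.toByteArray()));
            ois.readObject();            // 3.2.2: readObject is guarded as well
            ois.close();
            return null;
        } catch (Exception e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The functor is still usable in process; the fix does not touch
        // normal invocation, only Java serialization of the instance.
        Transformer toStr = InvokerTransformer.getInstance("toString");
        System.out.println("in-memory call: " + toStr.transform(Integer.valueOf(42)));

        // 1) Default configuration: the property is unset, so on 3.2.2 the
        //    round trip must fail. A successful round trip here means the
        //    classpath still carries a pre-3.2.2 (vulnerable) jar.
        System.clearProperty(PROP);
        String result = roundTrip(toStr);
        System.out.println("default : " + (result == null
                ? "SERIALIZED - hardened 3.2.2 is NOT in effect"
                : "blocked -> " + result));

        // 2) Explicit opt-in. Only acceptable if this JVM never deserializes
        //    data from an untrusted source; it re-enables the gadget.
        System.setProperty(PROP, "true");
        result = roundTrip(toStr);
        System.out.println("opt-in  : " + (result == null
                ? "serialized as expected"
                : "blocked -> " + result));
        System.clearProperty(PROP);
    }
}
```

The property is global to the JVM and is consulted by the library at (de)serialization time, so flipping it for one component re-exposes every ObjectInputStream in the process; the upgrade removes the gadget from the default configuration, but applications that must deserialize data from the network should still restrict which classes an ObjectInputStream is allowed to resolve.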