On 11/13/2015 08:26 PM, Gary Gregory wrote: > +1 > > Tested with src zip. > > BUT: > > - The site Javadoc link is labeled "3.2.1" (fixed in > https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X > ) > - The site history does not mentioned (fixed in svn)
as I said the site will not be published from the 3.2.2 release but from the 4.X branch. > ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right? > > Reports OK. > > Tested building with: > > Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06; > 2015-04-22T04:57:37-07:00) > Maven home: C:\Java\apache-maven-3.3.3\bin\.. > Java version: 1.7.0_79, vendor: Oracle Corporation > Java home: C:\Program Files\Java\jdk1.7.0_79\jre > Default locale: en_US, platform encoding: Cp1252 > OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows" > > and: > > Apache Ant(TM) version 1.9.6 compiled on June 29 2015 > > Gary > > On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidh...@gmail.com> > wrote: > >> Hi all, >> >> in order to provide a work-around for the known remote code exploit via >> java de-serialization of malicious InvokerTransformer instances, I would >> like to start a vote to release Commons Collections 3.2.2 based on RC3. >> >> Notes: >> >> * the site will not be published, it just serves as a reference to >> access the various reports. After a successful vote, the current 4.X >> branch site will be updated with relevant information and published. >> >> * some tests might fail with various IBM JDK 6 JREs, these are known >> issues and have been worked-around in the 4.X branch but are not >> back-ported to this release. >> >> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash >> with a newly introduced default method in the Map interface. >> >> * the collections-testframework.jar that has been published in previous >> versions is not included in this release >> >> Changes from RC2: >> >> * fixed false positives in RAT report >> * fixed test execution and compilation problems with JDK 1.4 and 1.5 >> >> Changes from RC1: >> >> * fixed RAT report >> * fixed NOTICE file >> * improve the security fix: it has been made symmetric in the sense >> that also the serialization of an unsafe class is disabled by >> default and will result in an exception >> * changed the system property to re-enable serialization of unsafe >> classes. It is now >> "org.apache.commons.collections.enableUnsafeSerialization" >> * all classes in the functor package which (based on current >> knowledge) have to be considered unsafe cannot be serialized/ >> de-serialized any more by default. This includes the following >> classes: >> >> ** CloneTransformer >> ** PrototypeFactory (inner classes >> PrototypeCloneFactory and >> PrototypeSerializationFactory) >> ** InstantiateFactory >> ** InstantiateTransformer >> ** ForClosure >> ** WhileClosure >> ** InvokerTransformer >> >> >> >> Collections 3.2.2 RC3 is available for review here: >> https://dist.apache.org/repos/dist/dev/commons/collections/ >> (svn revision 11167) >> >> Maven artifacts are here: >> >> >> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/ >> >> Details of changes since 3.2.1 are in the release notes: >> >> >> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt >> >> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html >> >> The tag is here: >> >> >> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 >> (svn revision 1714131) >> >> Site: >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/ >> >> Clirr Report (compared to 3.2.1): >> >> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html >> >> RAT Report: >> >> >> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html >> >> KEYS: >> https://www.apache.org/dist/commons/KEYS >> >> Please review the release candidate and vote. >> >> >> Considering that this is a security related release and that RC2 did not >> show any functional problems with the release, I plan to close this vote >> in 24h from now, i.e. after 0100 GMT 14-November 2015 >> >> [ ] +1 Release these artifacts >> [ ] +0 OK, but... >> [ ] -0 OK, but really should fix... >> [ ] -1 I oppose this release because... >> >> Thanks, >> >> Thomas >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org >> >> > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
