[ https://issues.apache.org/jira/browse/WHISKER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17812075#comment-17812075 ]

ASF subversion and git services commented on WHISKER-15:
--------------------------------------------------------

Commit bc1bb09193b937384a7aef6baf8fdbc1842ca6d0 in creadur-whisker's branch 
refs/heads/master from Philipp Ottlinger
[ https://gitbox.apache.org/repos/asf?p=creadur-whisker.git;h=bc1bb09 ]

WHISKER-15: Add changelog


> Upgrade Apache Commons Collections to v3.2.2
> --------------------------------------------
>
>                 Key: WHISKER-15
>                 URL: https://issues.apache.org/jira/browse/WHISKER-15
>             Project: Apache Whisker
>          Issue Type: Improvement
>    Affects Versions: 0.2
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>            Priority: Major
>             Fix For: 0.2
>
>
> Motivated by RAT-213 we should upgrade Whisker as well.
> Tentacles does not seem to use commons-collections as of now.
> h3. Context
> Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of
> vulnerability that exists. By merely existing on the classpath, this
> library causes the Java serialization parser for the entire JVM process
> to go from being a state machine to a Turing machine. A Turing machine
> with an exec() function!
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
> https://commons.apache.org/proper/commons-collections/security-reports.html
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
