[GitHub] phoenix pull request: Upgrade Apache Commons Collections to v3.2.2

[jart]

GitHub user jart opened a pull request:

    https://github.com/apache/phoenix/pull/151

    Upgrade Apache Commons Collections to v3.2.2

    Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
    vulnerability that exists. By merely existing on the classpath, this
    library causes the Java serialization parser for the entire JVM process
    to go from being a state machine to a turing machine. A turing machine
    with an exec() function!
    
    https://commons.apache.org/proper/commons-collections/security-reports.html
    
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
    
    Also, do consider using Guava in the future.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/jart/phoenix patch-1

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/phoenix/pull/151.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #151
    
----
commit 634112b1b4c04f02e499878ad98b911f1b8a6e6a
Author: Justine Tunney <jtun...@gmail.com>
Date:   2016-03-05T19:44:52Z

    Upgrade Apache Commons Collections to v3.2.2
    
    Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
    vulnerability that exists. By merely existing on the classpath, this
    library causes the Java serialization parser for the entire JVM process
    to go from being a state machine to a turing machine. A turing machine
    with an exec() function!
    
    https://commons.apache.org/proper/commons-collections/security-reports.html
    
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---