Indeed. The Camel included in 6.0.2 depends on 3.2.2 but ActiveMQ and CXF still on 3.2.1. The new ActiveMQ which is currently under the vote has the new Commons Collections, but CXF still depends on 3.2.1. I'll include the correct version in the new ServiceMix release using overrides mechanism.
Thanks for reporting of the problem. Regards Krzysztof On 08.01.2016 11:33, jovo wrote: > ksobkowiak wrote >> The ServiceMix team is pleased to announce the availability of Apache >> ServiceMix 6.0.2. >> >> >> The new Apache Camel version included in this release also updates the >> Apache Commons >> Collections library to version 3.2.2 that contains a patch for a reported >> object de-serialization vulnerability >> <https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>. > Hi, > > Why does this release still contains > "apache-servicemix-6.0.2/system/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar" > and not > "apache-servicemix-6.0.2/system/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar" > ? > > Regards, > Joop > > > > > > -- > View this message in context: > http://servicemix.396122.n5.nabble.com/ANN-Apache-ServiceMix-6-0-2-released-tp5723299p5723338.html > Sent from the ServiceMix - Dev mailing list archive at Nabble.com. -- Krzysztof Sobkowiak JEE & OSS Architect, Integration Architect Apache Software Foundation Member (http://apache.org/) Apache ServiceMix Committer & PMC Member (http://servicemix.apache.org/) Senior Solution Architect @ Capgemini SSC (http://www.capgeminisoftware.pl/) Robocap.pl - workshops of programming and robotics for kids (http://robocap.pl/)
