[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018517#comment-15018517
 ] 

Mike Yoder commented on VELOCITY-869:
-------------------------------------

All true. However, in some sense what you say almost does not matter. There are 
many corporate security departments that are going to raise red flags about the 
presence of this library in the classpath. Explaining to them why you think 
you're not vulnerable may or may not work, and it's hard to prove a negative. 
In my experience it's easiest to just do the upgrade.


> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
>                 Key: VELOCITY-869
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-869
>             Project: Velocity
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.7
>            Reporter: Ryan Blue
>            Assignee: Sergiu Dumitriu
>             Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, 
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 
> 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad 
> version. Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to