Mark Symons created VELTOOLS-169:
------------------------------------
Summary: Upgrade commons-collections compile dependency to 4.1
Key: VELTOOLS-169
URL: https://issues.apache.org/jira/browse/VELTOOLS-169
Project: Velocity Tools
Issue Type: Bug
Components: Build
Affects Versions: 2.0
Reporter: Mark Symons
Priority: Critical
Upgrade commons-collections to v4.1 or later to mitigate a level 9 threat.
Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4
Velocity Tools v2.0 uses commons-collections:commons-collections v3.2
commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580.
Quoting from v4.1 release notes:
{quote}
Serialization support for unsafe classes in the functor package has been
removed completely as this can be exploited for remote code execution attacks.
Classes considered to be unsafe are:
CloneTransformer
ForClosure
InstantiateFactory
InstantiateTransformer
InvokerTransformer
PrototypeCloneFactory
PrototypeSerializationFactory
WhileClosure.
{quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
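Added example, not code from the issue or from the Velocity Tools project: a Python check that scans a Maven pom.xml for the coordinates named above, reporting any use of the old commons-collections:commons-collections artifact and any org.apache.commons:commons-collections4 dependency below 4.1. The sample pom.xml and the collections.version property name are constructed for the demonstration.

```python
# Added check for VELTOOLS-169 (not project code): flag Maven dependencies that
# have not moved to org.apache.commons:commons-collections4 >= 4.1.
import re
import xml.etree.ElementTree as ET

OLD_COORD = ("commons-collections", "commons-collections")
NEW_COORD = ("org.apache.commons", "commons-collections4")
MIN_FIXED = (4, 1)  # first commons-collections4 release carrying the COLLECTIONS-580 fix

def _local(tag):
    """Drop the Maven XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _version_tuple(text):
    """'4.1' -> (4, 1); an empty or unparseable version yields () and is treated as unfixed."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def find_unsafe_collections(pom_xml):
    """Return (groupId, artifactId, resolvedVersion, reason) for each risky dependency."""
    root = ET.fromstring(pom_xml)
    # Resolve ${property} references so a templated version is still checked.
    props = {_local(p.tag): (p.text or "").strip()
             for el in root if _local(el.tag) == "properties" for p in el}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        coord = (f.get("groupId"), f.get("artifactId"))
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""),
                         f.get("version", ""))
        if coord == OLD_COORD:
            findings.append(coord + (version, "old artifact; switch to commons-collections4 4.1+"))
        elif coord == NEW_COORD and _version_tuple(version) < MIN_FIXED:
            findings.append(coord + (version, "commons-collections4 below 4.1 lacks the COLLECTIONS-580 fix"))
    return findings

# Constructed sample pom.xml: one old-coordinate dependency, one templated 4.0, one fixed 4.1.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><collections.version>4.0</collections.version></properties>
  <dependencies>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>3.2</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId><version>${collections.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId><version>4.1</version></dependency>
  </dependencies>
</project>"""
```

Running find_unsafe_collections(SAMPLE_POM) reports the 3.2 and the templated 4.0 dependencies and leaves the 4.1 one alone; a missing or unresolvable version is reported as unfixed rather than silently passed.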