[ https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15032067#comment-15032067 ]

Mark Symons commented on VELOCITY-869:
--------------------------------------

Linked to VELTOOLS-169, as Velocity Tools pulls in Velocity as a compile dependency.

I am delighted to read here that Velocity was not actually at risk, but I did arrive at this issue from the starting point of performing a security audit. I totally agree with the previous comments that it can be very hard to work with automatically generated reports and then have to annotate umpteen items to explain why they do not matter.

{quote}
it's easiest to just do the upgrade
{quote}

Yup!

> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
>                 Key: VELOCITY-869
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-869
>             Project: Velocity
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.7
>            Reporter: Ryan Blue
>            Assignee: Sergiu Dumitriu
>             Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections,
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed,
> 3.2.2, will keep downstream libraries (like avro-ipc) from pulling in the bad
> version. Thanks!

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
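The thread's point is that commons-collections 3.2.1 reaches a build transitively (here via velocity-tools -> velocity, or via avro-ipc), so an audit has to look at the whole dependency tree rather than the direct dependencies. The script below is an added example, not code from the Velocity project or from anyone in this thread: it parses the text printed by `mvn dependency:tree` and reports every path through which a commons-collections artifact older than 3.2.2 (the fix version named in the issue) enters the build. The dependency tree embedded in it is constructed for illustration; the artifact versions in it (velocity-tools 2.0, avro-ipc 1.7.7, commons-lang 2.4, commons-digester 1.8, junit 4.12) are sample values and not taken from the issue.

```python
"""Flag vulnerable commons-collections versions in a `mvn dependency:tree` listing.

Added example for VELOCITY-869 / COLLECTIONS-580, not project code. Run it
against `mvn dependency:tree > tree.txt` output, or stand-alone to see it
work on the constructed sample tree below.
"""
import re
import sys
from typing import List, Optional, Tuple

# Fix version named in the issue: anything older is reported.
FIXED_VERSION = (3, 2, 2)
VULN_GROUP = "commons-collections"
VULN_ARTIFACT = "commons-collections"

# Constructed sample in the format Maven prints. The chain mirrors the issue:
# velocity-tools -> velocity -> commons-collections 3.2.1, and avro-ipc -> velocity.
# Versions other than velocity 1.7 and commons-collections 3.2.1 are made up.
SAMPLE_TREE = """\
[INFO] org.example:webapp:war:1.0
[INFO] +- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |  +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  |  \\- commons-lang:commons-lang:jar:2.4:compile
[INFO] |  \\- commons-digester:commons-digester:jar:1.8:compile
[INFO] +- org.apache.avro:avro-ipc:jar:1.7.7:compile
[INFO] |  \\- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# Maven scopes that may trail a coordinate; used to locate the version field.
SCOPES = {"compile", "test", "runtime", "provided", "system", "import"}
# Characters Maven uses to draw the tree in front of each coordinate.
TREE_CHARS = " |+\\-"


def parse_line(line: str) -> Optional[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for a tree line, else None.

    Depth comes from the drawing prefix: Maven indents three characters per level.
    Non-coordinate lines (banners, BUILD SUCCESS, blanks) return None.
    """
    text = line.rstrip()
    if text.startswith("[INFO] "):
        text = text[len("[INFO] "):]
    i = 0
    while i < len(text) and text[i] in TREE_CHARS:
        i += 1
    prefix, coordinate = text[:i], text[i:]
    parts = coordinate.split(":")
    if len(parts) < 4:  # need at least groupId:artifactId:type:version
        return None
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return len(prefix) // 3, parts[0], parts[1], version


def version_key(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a version, e.g. '3.2.1' -> (3, 2, 1)."""
    nums = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def find_vulnerable(tree_text: str, group: str = VULN_GROUP,
                    artifact: str = VULN_ARTIFACT,
                    fixed: Tuple[int, ...] = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (version, path) for every occurrence of the artifact below `fixed`.

    A stack of ancestors is kept per depth so each finding carries the full
    chain from the root project down to the vulnerable artifact.
    """
    findings: List[Tuple[str, str]] = []
    stack: List[str] = []
    for line in tree_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        depth, g, a, v = parsed
        del stack[depth:]          # drop siblings' subtrees at this depth and below
        stack.append(f"{g}:{a}:{v}")
        if g == group and a == artifact and version_key(v) < fixed:
            findings.append((v, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for version, path in find_vulnerable(text):
        print(f"commons-collections {version} (< 3.2.2) via: {path}")
```

Each reported path names the direct dependency that needs to move to a fixed Velocity release, or that needs a `dependencyManagement` pin of commons-collections 3.2.2 in the meantime; the second path in the sample shows why fixing velocity-tools alone is not enough when another library (avro-ipc in the issue) still drags in the old Velocity.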