[
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185387#comment-15185387
]
Timothy A Vertein commented on VELOCITY-869:
--------------------------------------------
Late to the audit party, but also using Velocity in my project. Was there a
patch release? Maybe 1.7.1 that I could use? I couldn't find any new releases.
Thanks!
> Vulnerability in dependency: commons-collections:3.2.1
> ------------------------------------------------------
>
> Key: VELOCITY-869
> URL: https://issues.apache.org/jira/browse/VELOCITY-869
> Project: Velocity
> Issue Type: Bug
> Components: Build
> Affects Versions: 1.7
> Reporter: Ryan Blue
> Assignee: Sergiu Dumitriu
> Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections,
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed,
> 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad
> version. Thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
