[RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3
On 11/13/2015 12:31 AM, Thomas Neidhart wrote:
> Hi all,
[snip]
> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015

Here is a tally of the VOTE

Commons PMC: +1 from Luc, Joerg, Gary, Stefan, Thomas

No other votes have been recorded.

This VOTE, therefore, passes.

Thomas

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
Re: [RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3
Thx Thomas.

The fix for the Java serialization vulnerability is on the way.
Now should we add some information on http://commons.apache.org/security.html like Commons Compress did?

--
Uwe

On November 14, 2015 10:59:52 AM Thomas Neidhart wrote:
> On 11/13/2015 12:31 AM, Thomas Neidhart wrote:
>> Hi all,
> [snip]
>> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> Here is a tally of the VOTE
>
> Commons PMC: +1 from Luc, Joerg, Gary, Stefan, Thomas
>
> No other votes have been recorded.
>
> This VOTE, therefore, passes.
>
> Thomas
Re: [RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3
On 11/14/2015 04:20 PM, Uwe Barthel wrote:
> Thx Thomas.
>
> The fix for the Java serialization vulnerability is on the way.
> Now should we add some information on http://commons.apache.org/security.html like Commons Compress did?

yes, we will do something similar.

Thomas
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
On 13/11/2015 00:31, Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
> * the collections-testframework.jar that has been published in previous versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>   ** CloneTransformer
>   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
>   ** InstantiateFactory
>   ** InstantiateTransformer
>   ** ForClosure
>   ** WhileClosure
>   ** InvokerTransformer
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)
>
> Maven artifacts are here:
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> [X] +1 Release these artifacts

Luc

> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
+1

Builds fine now with my compiler zoo.

Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
> * the collections-testframework.jar that has been published in previous versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>   ** CloneTransformer
>   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
>   ** InstantiateFactory
>   ** InstantiateTransformer
>   ** ForClosure
>   ** WhileClosure
>   ** InvokerTransformer
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)
>
> Maven artifacts are here:
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
+1

Tested with src zip.

BUT:

- The site Javadoc link is labeled "3.2.1" (fixed in https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X )
- The site history does not mention (fixed in svn)

ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?

Reports OK.

Tested building with:

Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06; 2015-04-22T04:57:37-07:00)
Maven home: C:\Java\apache-maven-3.3.3\bin\..
Java version: 1.7.0_79, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.7.0_79\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

and:

Apache Ant(TM) version 1.9.6 compiled on June 29 2015

Gary

On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
> * the collections-testframework.jar that has been published in previous versions is not included in this release
>
> Changes from RC2:
>
> * fixed false positives in RAT report
> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>   ** CloneTransformer
>   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
>   ** InstantiateFactory
>   ** InstantiateTransformer
>   ** ForClosure
>   ** WhileClosure
>   ** InvokerTransformer
>
> Collections 3.2.2 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)
>
> Maven artifacts are here:
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)
>
> Site:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas

--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
On 11/13/2015 08:26 PM, Gary Gregory wrote:
> +1
>
> Tested with src zip.
>
> BUT:
>
> - The site Javadoc link is labeled "3.2.1" (fixed in https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X )
> - The site history does not mention (fixed in svn)

as I said the site will not be published from the 3.2.2 release but from the 4.X branch.

> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Reports OK.
>
> Tested building with:
>
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06; 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>
> and:
>
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>
> Gary
>
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
>> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
>> * the collections-testframework.jar that has been published in previous versions is not included in this release
>>
>> Changes from RC2:
>>
>> * fixed false positives in RAT report
>> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>> * fixed RAT report
>> * fixed NOTICE file
>> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
>> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
>> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>>   ** CloneTransformer
>>   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
>>   ** InstantiateFactory
>>   ** InstantiateTransformer
>>   ** ForClosure
>>   ** WhileClosure
>>   ** InvokerTransformer
>>
>> Collections 3.2.2 RC3 is available for review here:
>> https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)
>>
>> Maven artifacts are here:
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)
>>
>> Site:
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>> https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>> [ ] +1 Release these artifacts
>> [ ] +0 OK, but...
>> [ ] -0 OK, but really should fix...
>> [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
On Fri, Nov 13, 2015 at 12:12 PM, Luc Maisonobe <l...@spaceroots.org> wrote:
> On 13/11/2015 20:26, Gary Gregory wrote:
>> +1
>>
>> Tested with src zip.
>>
>> BUT:
>>
>> - The site Javadoc link is labeled "3.2.1" (fixed in https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X )
>> - The site history does not mention (fixed in svn)
>>
>> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Yes. I check this for every release.

Great, thank you for clarifying that.

Gary

> Luc
>
>> Reports OK.
>>
>> Tested building with:
>>
>> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06; 2015-04-22T04:57:37-07:00)
>> Maven home: C:\Java\apache-maven-3.3.3\bin\..
>> Java version: 1.7.0_79, vendor: Oracle Corporation
>> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
>> Default locale: en_US, platform encoding: Cp1252
>> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>>
>> and:
>>
>> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>>
>> Gary
>>
>> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
>>> Hi all,
>>>
>>> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>>
>>> Notes:
>>>
>>> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
>>> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
>>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
>>> * the collections-testframework.jar that has been published in previous versions is not included in this release
>>>
>>> Changes from RC2:
>>>
>>> * fixed false positives in RAT report
>>> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>>
>>> Changes from RC1:
>>>
>>> * fixed RAT report
>>> * fixed NOTICE file
>>> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
>>> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
>>> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>>>   ** CloneTransformer
>>>   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
>>>   ** InstantiateFactory
>>>   ** InstantiateTransformer
>>>   ** ForClosure
>>>   ** WhileClosure
>>>   ** InvokerTransformer
>>>
>>> Collections 3.2.2 RC3 is available for review here:
>>> https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)
>>>
>>> Maven artifacts are here:
>>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>>
>>> Details of changes since 3.2.1 are in the release notes:
>>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>>
>>> The tag is here:
>>> https://svn.
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
On 2015-11-13, Thomas Neidhart wrote:
> Please review the release candidate and vote.

+1

Stefan
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3
On 13/11/2015 20:26, Gary Gregory wrote:
> +1
>
> Tested with src zip.
>
> BUT:
>
> - The site Javadoc link is labeled "3.2.1" (fixed in https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X )
> - The site history does not mention (fixed in svn)
>
> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?

Yes. I check this for every release.

Luc

> Reports OK.
>
> Tested building with:
>
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06; 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>
> and:
>
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>
> Gary
>
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>> * the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
>> * some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
>> * the collections-testframework.jar that has been published in previous versions is not included in this release
>>
>> Changes from RC2:
>>
>> * fixed false positives in RAT report
>> * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>> * fixed RAT report
>> * fixed NOTICE file
>> * improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
>> * changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
>> * all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
>>   ** CloneTransformer
>>   ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
>>   ** InstantiateFactory
>>   ** InstantiateTransformer
>>   ** ForClosure
>>   ** WhileClosure
>>   ** InvokerTransformer
>>
>> Collections 3.2.2 RC3 is available for review here:
>> https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)
>>
>> Maven artifacts are here:
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)
>>
>> Site:
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>> https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>> Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>> [ ] +1 Release these artifacts
>> [ ] +0 OK, but...
>> [ ] -0 OK, but really should fix...
>> [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
[VOTE] Release Commons Collections 3.2.2 Based on RC3
Hi all,

in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC3.

Notes:

* the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
* some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.
* Collections 3.2.2 can not be compiled with JDK 8 due to a name clash with a newly introduced default method in the Map interface.
* the collections-testframework.jar that has been published in previous versions is not included in this release

Changes from RC2:

* fixed false positives in RAT report
* fixed test execution and compilation problems with JDK 1.4 and 1.5

Changes from RC1:

* fixed RAT report
* fixed NOTICE file
* improve the security fix: it has been made symmetric in the sense that also the serialization of an unsafe class is disabled by default and will result in an exception
* changed the system property to re-enable serialization of unsafe classes. It is now "org.apache.commons.collections.enableUnsafeSerialization"
* all classes in the functor package which (based on current knowledge) have to be considered unsafe cannot be serialized/de-serialized any more by default. This includes the following classes:
  ** CloneTransformer
  ** PrototypeFactory (inner classes PrototypeCloneFactory and PrototypeSerializationFactory)
  ** InstantiateFactory
  ** InstantiateTransformer
  ** ForClosure
  ** WhileClosure
  ** InvokerTransformer

Collections 3.2.2 RC3 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11167)

Maven artifacts are here:
https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/

Details of changes since 3.2.1 are in the release notes:
https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html

The tag is here:
https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3 (svn revision 1714131)

Site:
http://people.apache.org/builds/commons/collections/3.2.2/RC3/

Clirr Report (compared to 3.2.1):
http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html

RAT Report:
http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html

KEYS:
https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.

Considering that this is a security related release and that RC2 did not show any functional problems with the release, I plan to close this vote in 24h from now, i.e. after 0100 GMT 14-November 2015

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thanks,

Thomas
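As an added example, not code from this thread or from Commons Collections itself, the following Java guard shows how an application can apply the same symmetric policy the vote mail describes to its own object streams: the functor classes listed above are refused both when read and when written unless the release's opt-in system property is set to "true". The class name UnsafeFunctorGuard, the two stream subclasses and the fully qualified class names (the thread only gives simple names in "the functor package"; the org.apache.commons.collections.functors package and the inner-class binary names are assumed from the library's layout) are this example's assumptions, not the library's API.

```java
import java.io.*;
import java.util.*;

/**
 * Hypothetical application-side guard (not Commons Collections code) mirroring the 3.2.2 fix:
 * listed functor classes are refused on deserialization AND serialization unless the operator
 * opts back in through the same property the release introduces.
 */
public final class UnsafeFunctorGuard {

    /** Opt-in property name quoted in the release notes. */
    static final String ENABLE_PROPERTY =
            "org.apache.commons.collections.enableUnsafeSerialization";

    /** Classes the release notes list as unsafe; package and inner-class names are assumed. */
    static final Set<String> UNSAFE_CLASSES = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            "org.apache.commons.collections.functors.CloneTransformer",
            "org.apache.commons.collections.functors.PrototypeFactory$PrototypeCloneFactory",
            "org.apache.commons.collections.functors.PrototypeFactory$PrototypeSerializationFactory",
            "org.apache.commons.collections.functors.InstantiateFactory",
            "org.apache.commons.collections.functors.InstantiateTransformer",
            "org.apache.commons.collections.functors.ForClosure",
            "org.apache.commons.collections.functors.WhileClosure",
            "org.apache.commons.collections.functors.InvokerTransformer")));

    /** True only when the JVM was started with -Dorg.apache.commons.collections.enableUnsafeSerialization=true. */
    static boolean unsafeSerializationEnabled() {
        return Boolean.getBoolean(ENABLE_PROPERTY);
    }

    /** Name-based refusal shared by both stream directions, which is what makes the policy symmetric. */
    static void checkAllowed(String className) throws InvalidClassException {
        if (UNSAFE_CLASSES.contains(className) && !unsafeSerializationEnabled()) {
            throw new InvalidClassException(className,
                    "(de)serialization of unsafe functor refused; set -D" + ENABLE_PROPERTY + "=true to opt in");
        }
    }

    /**
     * Inbound side. resolveClass() runs while the class descriptor is read, before any instance
     * exists, so a listed class is rejected before its readObject() could run. Throwing an
     * IOException (rather than ClassNotFoundException) aborts the whole stream immediately.
     */
    public static final class GuardedObjectInputStream extends ObjectInputStream {
        public GuardedObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            checkAllowed(desc.getName());
            return super.resolveClass(desc);
        }
    }

    /**
     * Outbound side, the "symmetric" half: annotateClass() is called for every class descriptor
     * written, so an object graph containing a listed class cannot be serialized either.
     */
    public static final class GuardedObjectOutputStream extends ObjectOutputStream {
        public GuardedObjectOutputStream(OutputStream out) throws IOException {
            super(out);
        }

        @Override
        protected void annotateClass(Class<?> cl) throws IOException {
            checkAllowed(cl.getName());
            super.annotateClass(cl);
        }
    }

    public static void main(String[] args) throws Exception {
        // Round-trip an ordinary object: neither guard interferes.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new GuardedObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<String>(Arrays.asList("a", "b")));
        }
        try (ObjectInputStream in = new GuardedObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("ordinary object read back: " + in.readObject());
        }
        // The name check on its own, so this demo runs without the Commons jar on the classpath.
        try {
            checkAllowed("org.apache.commons.collections.functors.InvokerTransformer");
        } catch (InvalidClassException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and 8u121 and later) the same name-based policy can also be expressed as an ObjectInputFilter or through the jdk.serialFilter property, which also covers code paths that do not use the custom stream classes.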