Hi Deepesh,

there is an ongoing vote to release commons-collections 3.2.2, which
by default prevents InvokerTransformer from being deserialized. You
can find the release notes here:
https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt

For further information, please take a look at the ASF blog:
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Timo

2015-11-10 9:05 GMT+01:00 Kapoor, Deepesh:
> Hi Team,
>
> This is regarding "commons-collections Java library". In our applications we
> are widely using this library and hence looking to urgently patch the fix for
> vulnerability issue if it is available.
> Searching on the internet we found one patch released on Sunday 08th Nov
> http://svn.apache.org/viewvc?view=revision&revision=1713307
>
> Just wanted to check with you if there is any updated / compiled version of
> commons-collections jar available or going to be released soon which we can
> directly replace with our existing jar file that provides the fix for the
> vulnerability issue.
>
> Thanks in advance!
>
>
> Thanks & Regards,
> Deepesh