[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-04-18 Thread Sergiu Dumitriu (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15245550#comment-15245550
 ] 

Sergiu Dumitriu commented on VELOCITY-869:
--

Depends on how your build works. If you're using Maven, you can either add a 
{{}} on commons-collections 3.2.2 (no need to exclude 3.2.1, Maven 
automatically selects just one version for a library), or add a 
[{{}}|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management]
 on 3.2.2, which will make Maven automatically upgrade the transitive 
dependency, without declaring a dependency that's not actually used by your 
code.

> Vulnerability in dependency: commons-collections:3.2.1
> --
>
> Key: VELOCITY-869
> URL: https://issues.apache.org/jira/browse/VELOCITY-869
> Project: Velocity
>  Issue Type: Bug
>  Components: Build
>Affects Versions: 1.7
>Reporter: Ryan Blue
>Assignee: Sergiu Dumitriu
> Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, 
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 
> 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad 
> version. Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org



[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-04-18 Thread Nimisha Gupta (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15245261#comment-15245261
 ] 

Nimisha Gupta commented on VELOCITY-869:


[~sdumitriu]

That would mean excluding commons-collections 3.2.1 and explicitly include 
commons-collections 3.2.2?

Thanks in advance!

> Vulnerability in dependency: commons-collections:3.2.1
> --
>
> Key: VELOCITY-869
> URL: https://issues.apache.org/jira/browse/VELOCITY-869
> Project: Velocity
>  Issue Type: Bug
>  Components: Build
>Affects Versions: 1.7
>Reporter: Ryan Blue
>Assignee: Sergiu Dumitriu
> Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, 
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 
> 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad 
> version. Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org