[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-11-03 Thread Claude Brisson (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15632130#comment-15632130
 ] 

Claude Brisson commented on VELOCITY-869:
-

There probably won't be any more 1.x releases, but the 2.0 should not take long 
now.

> Vulnerability in dependency: commons-collections:3.2.1
> --
>
> Key: VELOCITY-869
> URL: https://issues.apache.org/jira/browse/VELOCITY-869
> Project: Velocity
>  Issue Type: Bug
>  Components: Build
>Affects Versions: 1.7
>Reporter: Ryan Blue
>Assignee: Sergiu Dumitriu
> Fix For: 2.x, 1.x
>
>
> There is an arbitrary remote code execution bug in commons-collections, 
> tracked by COLLECTIONS-580. Updating to the version where this bug is fixed, 
> 3.2.2, will help downstream libraries (like avro-ipc) from pulling in the bad 
> version. Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org



[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-11-02 Thread Mark Symons (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15629734#comment-15629734
 ] 

Mark Symons commented on VELOCITY-869:
--

No matter how straightforward it may be to tweak the transitive dependency, 
there is an aversion by some to doing this rather than getting an updated 
version of Velocity that includes the fix outright.  

This issue was resolved a year ago and still has not been released.

Would it not be possible to actually get this pushed out the door? 

I see that v1.x has only 1 outstanding planned issue (out of 8). 

VELOCITY-862:  Applied to 1.x branch and Resolved...  and then "Reopening at 
Nathan's suggestion that we may want to apply this to 2.x"

Velocity 2.x also has only 1 outstanding planned issue (out of 118):

VELOCITY-876

Both VELOCITY-862 and VELOCITY-876 are improvements, not defects.

There is another reason to release Velocity...  v1.7 is now giving alerts in 
scanning software due to age...  "architectural age" policy in Sonatype Nexus 
IQ and (from memory) "Operational Risk" in Black Duck Hub.  Such alerts are 
more than enough on their own to cause some managers to issue instructions to 
remove Velocity entirely.

All the above for Velocity also applies to Velocity Tools.

Perhaps connected to all of the above...  does this JIRA project still have an 
active project lead?  Will Glass-Husain's last activity stream entry is from 
2014. 




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-04-18 Thread Sergiu Dumitriu (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15245550#comment-15245550
 ] 

Sergiu Dumitriu commented on VELOCITY-869:
--

Depends on how your build works. If you're using Maven, you can either add a 
{{<dependency>}} on commons-collections 3.2.2 (no need to exclude 3.2.1, Maven 
automatically selects just one version for a library), or add a 
[{{<dependencyManagement>}}|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management]
 on 3.2.2, which will make Maven automatically upgrade the transitive 
dependency, without declaring a dependency that's not actually used by your 
code.


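The dependencyManagement approach Sergiu describes, written out as an added pom.xml example that is not from the thread or the Velocity project. The com.example coordinates are placeholders, and the enforcer rule is an extra check (assumed useful, not suggested in the thread) that fails the build if a commons-collections older than 3.2.2 still resolves anywhere in the tree:

```xml
<!-- Added example pom.xml; project coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>velocity-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <!-- Pin the transitive version without adding a direct dependency the
       code never uses. Maven applies this version wherever
       commons-collections appears in the dependency tree. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Velocity 1.7 pulls in commons-collections 3.2.1 transitively. -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity</artifactId>
      <version>1.7</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard rail: fail the build if any path (a new dependency, a
           plugin, a later edit) brings back a version below 3.2.2. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version>
        <executions>
          <execution>
            <id>ban-old-commons-collections</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- groupId:artifactId:versionRange; [,3.2.2) = below 3.2.2 -->
                    <exclude>commons-collections:commons-collections:[,3.2.2)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Confirm what actually resolved with `mvn dependency:tree -Dincludes=commons-collections`; only 3.2.2 should appear, marked as managed.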


[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-04-18 Thread Nimisha Gupta (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15245261#comment-15245261
 ] 

Nimisha Gupta commented on VELOCITY-869:


[~sdumitriu]

That would mean excluding commons-collections 3.2.1 and explicitly include 
commons-collections 3.2.2?

Thanks in advance!




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-04-15 Thread Sergiu Dumitriu (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15242894#comment-15242894
 ] 

Sergiu Dumitriu commented on VELOCITY-869:
--

There are no real code changes, so all you have to do is replace one jar with 
the other in your project.




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-04-15 Thread Nimisha Gupta (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15242799#comment-15242799
 ] 

Nimisha Gupta commented on VELOCITY-869:


[~sdumitriu]

Hi, I am using Velocity 1.7. However, I need to get rid of the commons-collections 
3.2.1 vulnerability. It seems that you have resolved this issue in version 
1.7.1/2.x. These versions are not yet released; is there a specific release 
date or alternative through which I can get rid of this vulnerability?

Thanks!




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2016-03-08 Thread Timothy A Vertein (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185387#comment-15185387
 ] 

Timothy A Vertein commented on VELOCITY-869:


Late to the audit party, but also using Velocity in my project.  Was there a 
patch release?  Maybe 1.7.1 that I could use?  I couldn't find any new releases.

Thanks!




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-30 Thread Mark Symons (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15032067#comment-15032067
 ] 

Mark Symons commented on VELOCITY-869:
--

Linked to VELTOOLS-169, as Velocity Tools pulls in Velocity as a compile 
dependency.

I am delighted to read here that Velocity was not actually at risk but did 
arrive at this issue from the starting point of performing a security audit.  I 
totally agree with the previous comments that it can be very hard to work with 
automatically generated reports and then have to annotate umpteen items to 
explain why they do not matter.

{quote}
it's easiest to just do the upgrade
{quote}

Yup!




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-20 Thread Ryan Blue (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018773#comment-15018773
 ] 

Ryan Blue commented on VELOCITY-869:


Great, it sounds like Velocity's use wasn't a risk. But the way dependencies 
are handled in Java could easily mean that 3.2.1 gets included in the classpath 
and used instead of 3.2.2 in an application that would be vulnerable.




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-20 Thread Sergiu Dumitriu (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018592#comment-15018592
 ] 

Sergiu Dumitriu commented on VELOCITY-869:
--

The only two classes used from commons-collections are {{ExtendedProperties}} 
and {{LRUMap}}, so I would say that Velocity wasn't affected before, and still 
isn't affected.




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-20 Thread Mike Yoder (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018577#comment-15018577
 ] 

Mike Yoder commented on VELOCITY-869:
-

Agreed completely. This vulnerability (and this entire class of vulnerability) 
is going to be afflicting large swaths of the open source community for some 
time...




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-20 Thread Brian Martin (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018551#comment-15018551
 ] 

Brian Martin commented on VELOCITY-869:
---


Absolutely, and I encourage vendors to upgrade libraries as a precaution. I 
point it out because even in upgrading to a new version, an application 
may still be vulnerable. Ideally, I want vendors to upgrade and positively 
confirm if they were vulnerable to begin with, and if the upgrade also includes 
configuration changes to remove the issue.




[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-20 Thread Mike Yoder (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018517#comment-15018517
 ] 

Mike Yoder commented on VELOCITY-869:
-

All true. However, in some sense what you say almost does not matter. There are 
many corporate security departments that are going to raise red flags about the 
presence of this library in the classpath. Explaining to them why you think 
you're not vulnerable may or may not work, and it's hard to prove a negative. 
In my experience it's easiest to just do the upgrade.





[jira] [Commented] (VELOCITY-869) Vulnerability in dependency: commons-collections:3.2.1

2015-11-20 Thread Brian Martin (JIRA)

[ 
https://issues.apache.org/jira/browse/VELOCITY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018476#comment-15018476
 ] 

Brian Martin commented on VELOCITY-869:
---


Please note that Commons Collections is designed to deserialize code. The "fix" 
is to add an option to disable that, which each implementing software needs to 
consider. Further, just having Commons Collections in your software does not 
necessarily mean you are, or are not, vulnerable. Each application must assess 
if they allow users to send code to be deserialized to that library (its 
intended function), and if that crosses privilege boundaries or not. 

So just upgrading to 3.2.2 doesn't mean you are necessarily fixing a vuln, and 
the presence of that software doesn't necessarily mean you were vulnerable in 
the first place. =)
