Hi,
I think it is appropriate to sign the post with "Bernd Eckenfels and Gary
Gregory, on behalf of the Apache Commons PMC"
The content has been open for discussion long enough for anybody to raise
concerns. Several PMC members have been involved in this issue.
Thank you for helping, Sally!
Bene
Thanks, Chris.
I read that as an internal comment to the PMC/folks on the list.
I have incorporated all other comments/corrections/additions.
Please let me know if I have misinterpreted this.
Kind regards,
Sally
[From the mobile; please excuse top-posting, spelling/spacing errors, and
brevit
Not sure if this was coming through from my work email, so I'm resending from
here...
All,
I just wanted to make sure that this didn’t get missed in the comments:
“I’d suggest doing this for anything Serializable that performs reflection for
completeness.”
I think there’s a reasonable
Just to clarify re: PMC affiliation, may I suggest it appear as:
> Authors: Bernd Eckenfels and Gary Gregory, members of the Apache Commons
> Project Management Committee
I'm happy to proceed tonight if this meets your approval. If you can please
give the go-ahead by 7PM ET (= ~45 minutes from
Hi all,
in order to provide a work-around for the known remote code exploit via
java de-serialization of malicious InvokerTransformer instances, I would
like to start a vote to release Commons Collections 3.2.2 based on RC1.
I would kindly ask people to review the RC especially wrt the following
Thanks so much, Bernd.
Personally, I prefer mentioning PMC affiliation, as it adds credibility, but
I'll post it however you'd like.
OK re: tweet screenshot; I've included it.
Please let me know when you're ready, and I'll publish.
Warmly,
Sally
[From the mobile; please excuse top-posting, s
Hello Sally,
Yes it is just a screenshot of a tweet, I could not come up with a useful
graphic for the topic and since discussion on Twitter somewhat powered all the
fuzz I figured it would fit.
Regarding Phil's comment I think having some "apache commons" communication on
blogs does help the b
Thanks, Chris. I'll include your edits.
Status-wise, I'm uploading the copy to blogs.apache.org. I noticed that the
"screenshot" referenced at https://twitter.com/gebl/status/662786601425080320
is simply the tweet status. Is that intentional? Do you want me to include a
screenshot of this?
Plea
On 11/09/2015 12:34 PM, Eirik Bjørsnøs wrote:
> Hi,
>
> Following the "recent" "news" about Java deserialization security issues, I
> decided to create:
>
> https://github.com/kantega/invoker-defender/
>
> This is a Java Agent which removes java.io.Serializable from classes known
> to be vulnera
On 11/07/2015 04:00 AM, Gilles wrote:
On Fri, 6 Nov 2015 15:06:35 -0600, Ole Ersoy wrote:
If math is broken up into smaller artifacts it will make it easier
for users to upgrade, even if it breaks compatibility, as well as
speed up the release frequency. So for example:
commons-math-optimi
On the whole this looks good to me... there are a few grammatical errors
though. Not being familiar with your process will there be a quick scrub at
the end to find all these or do you need me to point them out?
Also, chris is reviewing it as well and we should add him to this "We want
to thank Ch
I think the post is nicely written and I don't personally object to
anything in it. I have not dug into the details of the subject
though. I wonder, also, if the "statement from Commons" bit is
necessary. We have never done this before and we are in general
pretty conservative at the ASF level i
If I'm interested in some functionality that is 'beta' then I first have to
realize that it's 'beta'...Maybe just tag the branch beta. After that there's
probably (Judging from the number of people communicating here) 1/2 people
interested. Isn't it easier for them to just check out the b
This might not be the best place to discuss this (?), but I do have a
follow-up on the agent-approach to mitigating deserialization attacks:
I think it would be safer to whitelist expected uses of deserialization
instead of trying to blacklist the "bad" ones.
Of course, maintaining a list of safe
Thanks, Bernd. Thanks, Gary.
I'm happy to publish for you when I'm back at the office later today.
To confirm, is there consensus on the content?
Thanks again,
Sally
[From the mobile; please excuse top-posting, spelling/spacing errors, and
brevity]
- Reply message -
From: "Gary Gregor
1) Please don't hijack threads - start a new thread with a new subject
as I have done here
2) Please don't cross-post to multiple lists
There is some info here:
http://commons.apache.org/volunteering.html
On 9 November 2015 at 14:44, Java Techie wrote:
> Hi,
>
>
> Can anyone help me getting st
It's commons collections
On Mon, Nov 9, 2015 at 5:45 AM Bernd Eckenfels
wrote:
> Hello Sally,
>
> currently there is a security vulnerability doing the rounds which uses
> as an example Apache Commons Collection. It is not really a bug in
> Commons Collection, but there is a lot of fuzz. So sinc
My name is spelled Gary Gregory BTW ;-)
Gary
On Nov 9, 2015 2:45 AM, "Bernd Eckenfels" wrote:
> Hello Sally,
>
> currently there is a security vulnerability doing the rounds which uses
> as an example Apache Commons Collection. It is not really a bug in
> Commons Collection, but there is a lot o
Hi,
Following the "recent" "news" about Java deserialization security issues, I
decided to create:
https://github.com/kantega/invoker-defender/
This is a Java Agent which removes java.io.Serializable from classes known
to be vulnerable to deserialization attacks. (Including InvokerTransformer)
Hello Sally,
currently there is a security vulnerability doing the rounds which uses
as an example Apache Commons Collection. It is not really a bug in
Commons Collection, but there is a lot of fuzz. So since we are doing
something in the Apache Commons team against the problem we wanted to
make a
Thanks Timo!
On Mon, 9 Nov 2015 10:18:18 +0100,
Timo wrote:
> Hello Bernd,
>
> nice article and I would be happy to see this on the ASF blog to point
> people to it.
>
> I also found some typos:
>
> "Both research work shows that developers"
> should be
> "Both research works show that devel
On Mon, Nov 9, 2015 at 10:37 AM, Emmanuel Bourg wrote:
> On 08/11/2015 23:21, Thomas Neidhart wrote:
>
> > please review the proposed fix for this issue here:
>
> The exception message ends with a comma, is this a typo? I suggest
> mentioning the system property in the message, such that someo
On Mon, 9 Nov 2015 09:36:41 +0100,
Benedikt Ritter wrote:
> Hello Bernd,
>
> very nice. I found two typos:
>
> "It is possible to limit the impact when using a custom
> ObjecrtInputStream which overwrites" - should be ObjectInputStream
fixed
> "However it should be clear, this is not the onl
On 08/11/2015 23:21, Thomas Neidhart wrote:
> please review the proposed fix for this issue here:
The exception message ends with a comma, is this a typo? I suggest
mentioning the system property in the message, such that someone
hitting the exception immediately knows how to work around it.
Hello Bernd,
nice article and I would be happy to see this on the ASF blog to point
people to it.
I also found some typos:
"Both research work shows that developers"
should be
"Both research works show that developers"
"final type is checked lot of code"
should be
"final type is checked a lot o
Hello Bernd,
very nice. I found two typos:
"It is possible to limit the impact when using a custom ObjecrtInputStream
which overwrites" - should be ObjectInputStream
"However it should be clear, this is not the only known (and especially not
yet know) gadget" - should be "and especially not yet k
Hello,
attached is the draft, thanks for Gary and Gabriel (did I miss any
contribution?)
I think "Bernd Eckenfels and Gary Gregory for Apache Commons" would be
the author (includes a thanks to Gabriel at the end).
What is the procedure to get this published?
Title? "Apache Commons statement to