Re: Blog post "commons" vulnerability

2015-11-09 Thread Gary Gregory
My name is spelled Gary Gregory BTW ;-) Gary On Nov 9, 2015 2:45 AM, "Bernd Eckenfels" wrote: > Hello Sally, > > currently there is a security vulnerability doing the rounds which uses > as an example Apache Commons Collection. It is not really a bug in > Commons

Contributing (was: svn commit: r1713437 - /commons/proper/validator/trunk/src/test/java/org/apache/commons/validator/routines/ISSNValidatorTest.java)

2015-11-09 Thread sebb AT ASF
1) Please don't hijack threads - start a new thread with a new subject as I have done here 2) Please don't cross-post to multiple lists There is some info here: http://commons.apache.org/volunteering.html On 9 November 2015 at 14:44, Java Techie wrote: > Hi, > > >

Re: invoker-defender Java agent

2015-11-09 Thread Thomas Neidhart
On 11/09/2015 12:34 PM, Eirik Bjørsnøs wrote: > Hi, > > Following the "recent" "news" about Java deserialization security issues, I > decided to create: > > https://github.com/kantega/invoker-defender/ > > This is a Java Agent which removes java.io.Serializable from classes known > to be

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
Thanks, Chris. I'll include your edits. Status-wise, I'm uploading the copy to blogs.apache.org. I noticed that the "screenshot" referenced at https://twitter.com/gebl/status/662786601425080320 is simply the tweet status. Is that intentional? Do you want me to include a screenshot of this?

Re: [math] Smaller Packages / Artifacts / Dependencies

2015-11-09 Thread Ole Ersoy
On 11/07/2015 04:00 AM, Gilles wrote: On Fri, 6 Nov 2015 15:06:35 -0600, Ole Ersoy wrote: If math is broken up into smaller artifacts it will make it easier for users to upgrade, even if it breaks compatibility, as well as speed up the release frequency. So for example:

Re: invoker-defender Java agent

2015-11-09 Thread Eirik Bjørsnøs
This might not be the best place to discuss this (?), but I do have a follow-up on the agent-approach to mitigating deserialization attacks: I think it would be safer to whitelist expected uses of deserialization instead of trying to blacklist the "bad" ones. Of course, maintaining a list of

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
Thanks, Bernd. Thanks, Gary. I'm happy to publish for you when I'm back at the office later today. To confirm, is there consensus on the content? Thanks again, Sally [From the mobile; please excuse top-posting, spelling/spacing errors, and brevity] - Reply message - From: "Gary

Re: Blog post "commons" vulnerability

2015-11-09 Thread Gabriel Lawrence
On the whole this looks good to me... there are a few grammatical errors though. Not being familiar with your process, will there be a quick scrub at the end to find all these or do you need me to point them out? Also, Chris is reviewing it as well and we should add him to this "We want to thank

Re: [math] Version mgt idea

2015-11-09 Thread Ole Ersoy
If I'm interested in some functionality that is 'beta' then I first have to realize that it's 'beta'... Maybe just tag the branch beta. After that there's probably (judging from the number of people communicating here) 1/2 people interested. Isn't it easier for them to just check out the

Re: Blog post "commons" vulnerability

2015-11-09 Thread Phil Steitz
I think the post is nicely written and I don't personally object to anything in it. I have not dug into the details of the subject though. I wonder, also, if the "statement from Commons" bit is necessary. We have never done this before and we are in general pretty conservative at the ASF level

Re: Blog post "commons" vulnerability

2015-11-09 Thread Benedikt Ritter
Hi, I think it is appropriate to sign the post with "Bernd Eckenfels and Gary Gregory, on behalf of the Apache Commons PMC" The content has been open for discussion long enough for anybody to raise concerns. Several PMC members have been involved in this issue. Thank you for helping, Sally!

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
Thanks so much, Bernd. Personally, I prefer mentioning PMC affiliation, as it adds credibility, but I'll post it however you'd like. OK re: tweet screenshot; I've included it. Please let me know when you're ready, and I'll publish. Warmly, Sally [From the mobile; please excuse top-posting,

[VOTE] Release Commons Collections 3.2.2 Based on RC1

2015-11-09 Thread Thomas Neidhart
Hi all, in order to provide a work-around for the known remote code exploit via java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC1. I would kindly ask people to review the RC especially wrt the following

Re: Blog post "commons" vulnerability

2015-11-09 Thread ecki
Hello Sally, Yes it is just a screenshot of a tweet, I could not come up with a useful graphic for the topic and since discussion on Twitter somewhat powered all the fuzz I figured it would fit. Regarding Phil's comment I think having some "apache commons" communication on blogs does help the

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Benedikt Ritter
Hello Bernd, very nice. I found two typos: "It is possible to limit the impact when using a custom ObjecrtInputStream which overwrites" - should be ObjectInputStream "However it should be clear, this is not the only known (and especially not yet know) gadget" - should be "and especially not yet

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Bernd Eckenfels
Am Mon, 9 Nov 2015 09:36:41 +0100 schrieb Benedikt Ritter : > Hello Bernd, > > very nice. I found two typos: > > "It is possible to limit the impact when using a custom > ObjecrtInputStream which overwrites" - should be ObjectInputStream fixed > "However it should be

Re: [collections] Review of proposed fix for InvokerTransformer exploit

2015-11-09 Thread Thomas Neidhart
On Mon, Nov 9, 2015 at 10:37 AM, Emmanuel Bourg wrote: > Le 08/11/2015 23:21, Thomas Neidhart a écrit : > > > please review the proposed fix for this issue here: > > The exception message ends with a comma, is this a typo? I suggest > mentioning the system property in the

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Bernd Eckenfels
Thanks Timo! Am Mon, 9 Nov 2015 10:18:18 +0100 schrieb Timo : > Hello Bernd, > > nice article and I would be happy to see this on the ASF blog to point > people to it. > > I also found some typos: > > "Both research work shows that developers" > should be > "Both research

Blog post "commons" vulnerability

2015-11-09 Thread Bernd Eckenfels
Hello Sally, currently there is a security vulnerability doing the rounds which uses as an example Apache Commons Collection. It is not really a bug in Commons Collection, but there is a lot of fuzz. So since we are doing something in the Apache Commons team against the problem we wanted to make

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
Thanks, Chris. I read that as an internal comment to the PMC/folks on the list. I have incorporated all other comments/corrections/additions. Please let me know if I have misinterpreted this. Kind regards, Sally [From the mobile; please excuse top-posting, spelling/spacing errors, and

Re: Blog post "commons" vulnerability

2015-11-09 Thread Chris Frohoff
Not sure if this was coming through from my work email, so I'm resending from here... All, I just wanted to make sure that this didn't get missed in the comments: "I'd suggest doing this for anything Serializable that performs reflection for completeness." I think there's a reasonable

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
Just to clarify re: PMC affiliation, may I suggest it appear as: > Authors: Bernd Eckenfels and Gary Gregory, members of the Apache Commons > Project Management Committee I'm happy to proceed tonight if this meets your approval. If you can please give the go-ahead by 7PM ET (= ~45 minutes from

Re: [collections] Review of proposed fix for InvokerTransformer exploit

2015-11-09 Thread Emmanuel Bourg
Le 08/11/2015 23:21, Thomas Neidhart a écrit : > please review the proposed fix for this issue here: The exception message ends with a comma, is this a typo? I suggest mentioning the system property in the message, such that someone hitting the exception immediately knows how to work around it.

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Bernd Eckenfels
Hello, attached is the draft, thanks for Gary and Gabriel (did I miss any contribution?) I think "Bernd Eckenfels and Gary Gregory for Apache Commons" would be the author (includes a thanks to Gabriel at the end). What is the procedure to get this published? Title? "Apache Commons statement to

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Timo
Hello Bernd, nice article and I would be happy to see this on the ASF blog to point people to it. I also found some typos: "Both research work shows that developers" should be "Both research works show that developers" "final type is checked lot of code" should be "final type is checked a lot

invoker-defender Java agent

2015-11-09 Thread Eirik Bjørsnøs
Hi, Following the "recent" "news" about Java deserialization security issues, I decided to create: https://github.com/kantega/invoker-defender/ This is a Java Agent which removes java.io.Serializable from classes known to be vulnerable to deserialization attacks. (Including InvokerTransformer)