Re: Blog post "commons" vulnerability

2015-11-10 Thread Gary Gregory
t.net" < > e...@zusammenkunft.net>; Gabriel Lawrence <gabriel.lawre...@gmail.com>; > Commons Developers List <dev@commons.apache.org> > Sent: Monday, November 9, 2015 6:42 PM > Subject: RE: Blog post "commons" vulnerability

Re: Blog post "commons" vulnerability

2015-11-10 Thread Mark Thomas
xtending >>> your patch similarly >>> to these if it’s not too difficult. >>> >>> $ grep -ER -e "lang.reflect.(Method|Constructor)" src/main >>> --include=*.java -l | grep -v InvokerTransformer | xargs -n1 grep -l >>> Serializable >>>

Re: Blog post "commons" vulnerability

2015-11-10 Thread Sally Khudairi
huda...@yahoo.com] Sent: Monday, November 09, 2015 3:15 PM To: Sally Khudairi; e...@zusammenkunft.net; Frohoff, Chris; Gabriel Lawrence; Commons Developers List Subject: Re: Blog post "commons" vulnerability   Just to clarify re: PMC affiliation, may I suggest it appear as:   > Authors: Bernd Eck

Re: Blog post "commons" vulnerability

2015-11-10 Thread Jochen Wiedmann
- Reply message - >> From: "Frohoff, Chris" <cfroh...@qualcomm.com> >> To: "Sally Khudairi" <sallykhuda...@yahoo.com>, "e...@zusammenkunft.net" < >> e...@zusammenkunft.net>, "Gabriel Lawrence" <gabriel.lawre...@gmail.com>

Re: Blog post "commons" vulnerability

2015-11-10 Thread Jochen Wiedmann
On Tue, Nov 10, 2015 at 10:51 AM, Mark Thomas > You only need a CVE ID if there is a vulnerability. > > I would argue (and the OPs appear to agree with me) that this is NOT a > vulnerability in Apache Commons Collections. The vulnerability lies in > applications that are

Re: Blog post "commons" vulnerability

2015-11-10 Thread Mark Thomas
On 10/11/2015 10:17, Jochen Wiedmann wrote: > On Tue, Nov 10, 2015 at 10:51 AM, Mark Thomas > >> You only need a CVE ID if there is a vulnerability. >> >> I would argue (and the OPs appear to agree with me) that this is NOT a >> vulnerability in Apache Commons Collections. The

Re: Blog post "commons" vulnerability

2015-11-09 Thread Gary Gregory
My name is spelled Gary Gregory BTW ;-) Gary On Nov 9, 2015 2:45 AM, "Bernd Eckenfels" wrote: > Hello Sally, > > currently there is a security vulnerability doing the rounds which uses > as an example Apache Commons Collection. It is not really a bug in > Commons

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
: "Frohoff, Chris" <cfroh...@qualcomm.com> To: Gabriel Lawrence <gabriel.lawre...@gmail.com>; Commons Developers List <dev@commons.apache.org> Cc: Sally Khudairi <s...@haloworldwide.com> Sent: Monday, November 9, 2015 12:31 PM Subject: RE: Blog pos

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
"Gary Gregory" <garydgreg...@gmail.com> To: "Commons Developers List" <dev@commons.apache.org> Cc: <secur...@apache.org>, "Benedikt Ritter" <brit...@apache.org>, "Sally Khudairi" <s...@apache.org> Subject: Blog post "commons"

Re: Blog post "commons" vulnerability

2015-11-09 Thread Gabriel Lawrence
To: "Commons Developers List" <dev@commons.apache.org> > > Cc: <secur...@apache.org>, "Benedikt Ritter" <brit...@apache.org>, > "Sally Khudairi" <s...@apache.org> > > Subject: Blog post "commons" vulnerability > > Date: M

Re: Blog post "commons" vulnerability

2015-11-09 Thread Phil Steitz
> To: "Commons Developers List" <dev@commons.apache.org> > Cc: <secur...@apache.org>, "Benedikt Ritter" <brit...@apache.org>, "Sally > Khudairi" <s...@apache.org> > Subject: Blog post "commons" vulnerability > Date: Mon, Nov 9

Re: Blog post "commons" vulnerability

2015-11-09 Thread Benedikt Ritter
" <sallykhuda...@yahoo.com>, "e...@zusammenkunft.net" < > e...@zusammenkunft.net>, "Gabriel Lawrence" <gabriel.lawre...@gmail.com>, > "Commons Developers List" <dev@commons.apache.org> > Subject: Blog post "commons" v

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
<cfroh...@qualcomm.com>, Gabriel Lawrence <gabriel.lawre...@gmail.com>, Commons Developers List <dev@commons.apache.org> Sent: Mo., 09 Nov. 2015 22:36 Subject: Re: Blog post "commons" vulnerability Thanks, Chris. I'll include your edits. Status-wise, I'm uploading

Re: Blog post "commons" vulnerability

2015-11-09 Thread ecki
rg> Sent: Mo., 09 Nov. 2015 22:36 Subject: Re: Blog post "commons" vulnerability Thanks, Chris. I'll include your edits. Status-wise, I'm uploading the copy to blogs.apache.org. I noticed that the "screenshot" referenced at https://twitter.com/gebl/status/66278660142508032

Blog post "commons" vulnerability

2015-11-09 Thread Bernd Eckenfels
Hello Sally, currently there is a security vulnerability doing the rounds which uses as an example Apache Commons Collection. It is not really a bug in Commons Collection, but there is a lot of fuzz. So since we are doing something in the Apache Commons team against the problem we wanted to make

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
actory.java Thanks, -Chris From: Sally Khudairi [mailto:sallykhuda...@yahoo.com] Sent: Monday, November 09, 2015 3:15 PM To: Sally Khudairi; e...@zusammenkunft.net; Frohoff, Chris; Gabriel Lawrence; Commons Developers List Subject: Re: Blog post "commons" vulnerability Just

Re: Blog post "commons" vulnerability

2015-11-09 Thread Chris Frohoff
lawre...@gmail.com>, "Commons Developers List" <dev@commons.apache.org>, "Sally Khudairi" <sallykhuda...@yahoo.com> Subject: Blog post "commons" vulnerability Date: Mon, Nov 9, 2015 17:24 Hello Sally, Yes it is just a screenshot of a tweet, I could

Re: Blog post "commons" vulnerability

2015-11-09 Thread Sally Khudairi
..@qualcomm.com>; Gabriel Lawrence <gabriel.lawre...@gmail.com>; Commons Developers List <dev@commons.apache.org> Sent: Monday, November 9, 2015 5:29 PM Subject: Re: Blog post "commons" vulnerability Thanks so much, Bernd. Personally, I prefer mentioning PMC affiliation,