Hi,
We have a customer that's concerned about a reported vulnerability with commons-collections. The collections jar (I believe) is a runtime dependency for the ApacheDS api. The binary api download includes it among others and we've always just shipped the entire kit. If the URL doesn't come through, the JIRA is COLLECTIONS-580<https://issues.apache.org/jira/browse/COLLECTIONS-580> https://issues.apache.org/jira/browse/COLLECTIONS-580 Our use of the ApacheDS api is not open to external calls such as web services, REST end points, etc. So I'm not completely understanding the risks related to this issue if any. Can someone chime in on what the actual exposures might be? Thanks, Carlo Accorsi
