On Fri, Nov 20, 2015 at 12:37 AM, <[email protected]> wrote:

> Hi,
>
> We have a customer that's concerned about a reported vulnerability with
> commons-collections.
>
> The collections jar (I believe) is a runtime dependency for the ApacheDS
> api. The binary api download includes it among others and we've always just
> shipped the entire kit.
>
> If the URL doesn't come through, the JIRA is COLLECTIONS-580
> <https://issues.apache.org/jira/browse/COLLECTIONS-580>
>
> Our use of the ApacheDS api is not open to external calls such as web
> services, REST end points, etc.
> So I'm not completely understanding the risks related to this issue if
> any. Can someone chime in on what the actual exposures might be?
>
None, ApacheDS doesn't use commons-collections for de/serialization and
additionally there are no external endpoints from which ApacheDS reads
serialized objects.

> Thanks, Carlo Accorsi
>

-- 
Kiran Ayyagari
http://keydap.com
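The question above is really an inventory question: which commons-collections artifact does the shipped kit contain, and does it carry the functor classes that COLLECTIONS-580 is about? The following script is an added example for answering that, not code from the thread, from ApacheDS or from the Commons project. It assumes the gadget class lives at `org/apache/commons/collections/functors/InvokerTransformer.class` (true for commons-collections 3.x) and that the jar records its version in the usual Maven `pom.properties` location; the sample jars it builds for the demo, including the version string `3.2.1`, are constructed for illustration.

```python
# Added example (not from the thread): scan a shipped kit for commons-collections
# jars that carry the InvokerTransformer functor named in COLLECTIONS-580 and
# report the version each jar records in its Maven metadata.
import os
import tempfile
import zipfile

# Functor class at the centre of COLLECTIONS-580 (present in commons-collections 3.x).
INVOKER_TRANSFORMER = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Maven metadata path commons-collections jars carry (assumed layout).
POM_PROPERTIES = "META-INF/maven/commons-collections/commons-collections/pom.properties"


def read_version(jar: zipfile.ZipFile) -> str:
    """Return the version from pom.properties, or 'unknown' when it is not recorded."""
    if POM_PROPERTIES not in jar.namelist():
        return "unknown"
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def scan_jar(path: str) -> dict:
    """Describe one jar: does it carry the functor class, and which version is it?"""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        return {
            "jar": os.path.basename(path),
            "has_invoker_transformer": INVOKER_TRANSFORMER in names,
            "version": read_version(jar),
        }


def scan_kit(directory: str) -> list:
    """Walk a kit directory and return findings for every jar carrying the functor."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if name.endswith(".jar"):
                info = scan_jar(os.path.join(root, name))
                if info["has_invoker_transformer"]:
                    findings.append(info)
    return findings


def build_sample_kit(directory: str) -> None:
    """Write two constructed jars: one with the functor class, one without."""
    with zipfile.ZipFile(os.path.join(directory, "commons-collections-sample.jar"), "w") as jar:
        jar.writestr(INVOKER_TRANSFORMER, b"\xca\xfe\xba\xbe")  # dummy class bytes
        jar.writestr(POM_PROPERTIES, "groupId=commons-collections\nversion=3.2.1\n")
    with zipfile.ZipFile(os.path.join(directory, "other-lib.jar"), "w") as jar:
        jar.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")


def demo() -> list:
    """Build the constructed sample kit in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_kit(tmp)
        return scan_kit(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in (scan_kit(target) if target else demo()):
        print(f"{finding['jar']}: commons-collections {finding['version']} "
              "carries InvokerTransformer")
```

Run it with the kit's lib directory as the first argument; with no argument it scans the constructed sample. A hit only tells you the gadget class is shipped, which is the precondition Kiran's answer addresses: it matters when untrusted serialized objects reach an ObjectInputStream in the same JVM, so the follow-up is to confirm, as he does for ApacheDS, that no such input path exists in your own deployment.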
