On 19/11/15 17:41, Kiran Ayyagari wrote:
> On Fri, Nov 20, 2015 at 12:37 AM, <[email protected]> wrote:
>
>> Hi,
>>
>> We have a customer that's concerned about a reported vulnerability with
>> commons-collections.
>>
>> The collections jar (I believe) is a runtime dependency for the ApacheDS
>> api. The binary api download includes it among others and we've always just
>> shipped the entire kit.
>>
>> If the URL doesn't come through, the JIRA is COLLECTIONS-580
>> <https://issues.apache.org/jira/browse/COLLECTIONS-580>
>>
>> Our use of the ApacheDS api is not open to external calls such as web
>> services, REST end points, etc.
>> So I'm not completely understanding the risks related to this issue if
>> any. Can someone chime in on what the actual exposures might be?
>>
> none, ApacheDS doesn't use commons-collections for de/serialization and
> additionally there are no
> external endpoints from which ApacheDS reads serialized objects.
No matter what, I'm currently bumping up the commons-collection library version to 3.2.2 which fixes the issue. I will cut a release of the LDAP API shortly after, and ApacheDS then. As Kiran says, we *don't* use the critical part of the Collection API, so it's absolutely safe.
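The exposure discussed above only exists where an application reads serialized objects it does not control, which is the one thing the thread says ApacheDS never does. For a code base that does have such an entry point, the defensive counterpart to bumping the library is a deserialization filter that refuses the gadget package before any class is instantiated. The following is an added example, not ApacheDS or LDAP API code; it assumes Java 9 or later (for `java.io.ObjectInputFilter`) and uses a hypothetical `SafeDeserializer` class and constructed sample objects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper (added example): reads a single serialized object from a
 * byte array while rejecting the commons-collections classes abused in
 * COLLECTIONS-580 and everything else not on an explicit allow-list.
 */
public final class SafeDeserializer {

    // Patterns are matched in order; the first match decides. The trailing "!*"
    // turns the filter into an allow-list: anything not listed is rejected.
    // maxdepth/maxrefs additionally bound the object graph the stream may build.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.**;"
          + "!org.apache.commons.collections4.**;"
          + "java.util.*;"
          + "java.lang.*;"
          + "maxdepth=20;maxrefs=1000;"
          + "!*");

    private SafeDeserializer() {}

    /** Deserializes {@code data}; throws InvalidClassException if the filter rejects a class. */
    public static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    /** Serializes any Serializable value to bytes (used here only to build samples). */
    static byte[] toBytes(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Constructed class that is NOT on the allow-list, standing in for any unexpected type. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "constructed sample";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a plain java.util.ArrayList of strings passes the filter.
        ArrayList<String> allowed = new ArrayList<>();
        allowed.add("cn=admin,ou=system");
        Object back = read(toBytes(allowed));
        System.out.println("allowed: " + back);

        // Constructed sample 2: a class outside the allow-list is refused before
        // its constructor or readObject can run.
        try {
            read(toBytes(new Unexpected()));
            System.out.println("unexpected: NOT rejected (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The filter and the library upgrade are complementary: the 3.2.2 bump removes the known gadget from the classpath, while the allow-list rejects whatever other class an untrusted stream might name. For a deployment like the one described in the thread, with no endpoint reading serialized objects, neither is exercised at runtime, which is the point Kiran makes.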
