Author: tn
Date: Wed Nov 11 14:29:18 2015
New Revision: 1713850
URL: http://svn.apache.org/viewvc?rev=1713850&view=rev
Log:
Update Release Notes with details about improved fix for COLLECTIONS-580.
Modified:
commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
Modified:
commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt
URL:
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt?rev=1713850&r1=1713849&r2=1713850&view=diff
==============================================================================
--- commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt
(original)
+++ commons/proper/collections/branches/COLLECTIONS_3_2_X/RELEASE-NOTES.txt Wed
Nov 11 14:29:18 2015
@@ -12,8 +12,9 @@ This release is JDK1.3 compatible, and d
This v3.2.2 release is a bugfix release, fixing several bugs present in the
previous
releases of the 3.2 branch. Additionally, this release provides a mitigation
for a
known remote code exploitation via the standard java object serialization
mechanism.
-By default, de-serialization of "InvokerTransformer" instances is prohibited
and
-will result in an exception. For more details, please refer to COLLECTIONS-580.
+By default, serialization support for unsafe classes in the functor package is
+disabled and will result in an exception when either trying to serialize or
de-serialize
+an instance of these classes. For more details, please refer to
COLLECTIONS-580.
All users are strongly encouraged to updated to this release.
@@ -23,11 +24,14 @@ Changes in this version include:
CHANGES
=======
-o COLLECTIONS-580: De-serialization of "InvokerTransformer" is disabled by
default as this
- can be exploited for remote code execution attacks. To
re-enable the
- feature the system property
-
"org.apache.commons.collections.invokertransformer.enableDeserialization"
- needs to be set to "true".
+o COLLECTIONS-580: Serialization support for unsafe classes in the functor
package is
+ disabled by default as this can be exploited for remote
code execution
+ attacks. To re-enable the feature the system property
+ "org.apache.commons.collections.enableUnsafeSerialization"
needs to be
+ set to "true".
+ Classes considered to be unsafe are: CloneTransformer,
ForClosure,
+ InstantiateFactory, InstantiateTransformer,
InvokerTransformer,
+ PrototypeCloneFactory, PrototypeSerializationFactory,
WhileClosure.
BUGFIXES
========
Modified:
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
URL:
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml?rev=1713850&r1=1713849&r2=1713850&view=diff
==============================================================================
---
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
(original)
+++
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
Wed Nov 11 14:29:18 2015
@@ -21,12 +21,15 @@
</properties>
<body>
- <release version="3.2.2" date="20XX-XX-XX" description="This is a bugfix
release.">
+ <release version="3.2.2" date="2015-11-18" description="This is a bugfix
release.">
<action issue="COLLECTIONS-580" dev="tn" type="update">
- De-serialization of "InvokerTransformer" is disabled by default as this
- can be exploited for remote code execution attacks. To re-enable the
- feature the system property
"org.apache.commons.collections.invokertransformer.enableDeserialization"
+ Serialization support for unsafe classes in the functor package is
disabled
+ by default as this can be exploited for remote code execution attacks.
+ To re-enable the feature the system property
"org.apache.commons.collections.enableUnsafeSerialization"
needs to be set to "true".
+ Classes considered to be unsafe are: CloneTransformer, ForClosure,
InstantiateFactory,
+ InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory,
+ PrototypeSerializationFactory, WhileClosure.
</action>
<action issue="COLLECTIONS-538" dev="tn" type="fix" due-to="Trejkaz">
"ExtendedProperties" will now use a privileged action to access the
