Update Release Notes with details about improved fix for COLLECTIONS-580. git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713850 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/commons-collections/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-collections/commit/75335407 Tree: http://git-wip-us.apache.org/repos/asf/commons-collections/tree/75335407 Diff: http://git-wip-us.apache.org/repos/asf/commons-collections/diff/75335407 Branch: refs/heads/COLLECTIONS_3_2_X Commit: 753354073b2bcf0d134d10f18e9a34cc09343a48 Parents: d9a0013 Author: Thomas Neidhart <t...@apache.org> Authored: Wed Nov 11 14:29:18 2015 +0000 Committer: Thomas Neidhart <t...@apache.org> Committed: Wed Nov 11 14:29:18 2015 +0000 ---------------------------------------------------------------------- RELEASE-NOTES.txt | 18 +++++++++++------- src/changes/changes.xml | 11 +++++++---- 2 files changed, 18 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/commons-collections/blob/75335407/RELEASE-NOTES.txt ---------------------------------------------------------------------- diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index 53df5d0..b32b03d 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt @@ -12,8 +12,9 @@ This release is JDK1.3 compatible, and does not use JDK1.5 generics. This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. -By default, de-serialization of "InvokerTransformer" instances is prohibited and -will result in an exception. For more details, please refer to COLLECTIONS-580. +By default, serialization support for unsafe classes in the functor package is +disabled and will result in an exception when either trying to serialize or de-serialize +an instance of these classes. For more details, please refer to COLLECTIONS-580. All users are strongly encouraged to updated to this release. 
@@ -23,11 +24,14 @@ Changes in this version include: CHANGES ======= -o COLLECTIONS-580: De-serialization of "InvokerTransformer" is disabled by default as this - can be exploited for remote code execution attacks. To re-enable the - feature the system property - "org.apache.commons.collections.invokertransformer.enableDeserialization" - needs to be set to "true". +o COLLECTIONS-580: Serialization support for unsafe classes in the functor package is + disabled by default as this can be exploited for remote code execution + attacks. To re-enable the feature the system property + "org.apache.commons.collections.enableUnsafeSerialization" needs to be + set to "true". + Classes considered to be unsafe are: CloneTransformer, ForClosure, + InstantiateFactory, InstantiateTransformer, InvokerTransformer, + PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure. BUGFIXES ======== http://git-wip-us.apache.org/repos/asf/commons-collections/blob/75335407/src/changes/changes.xml ---------------------------------------------------------------------- diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 83a0427..7981903 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml 
@@ -21,12 +21,15 @@ </properties> <body> - <release version="3.2.2" date="20XX-XX-XX" description="This is a bugfix release."> + <release version="3.2.2" date="2015-11-18" description="This is a bugfix release."> <action issue="COLLECTIONS-580" dev="tn" type="update"> - De-serialization of "InvokerTransformer" is disabled by default as this - can be exploited for remote code execution attacks. To re-enable the - feature the system property "org.apache.commons.collections.invokertransformer.enableDeserialization" + Serialization support for unsafe classes in the functor package is disabled + by default as this can be exploited for remote code execution attacks. + To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". + Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, + InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, + PrototypeSerializationFactory, WhileClosure. </action> <action issue="COLLECTIONS-538" dev="tn" type="fix" due-to="Trejkaz"> "ExtendedProperties" will now use a privileged action to access the
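Review bot: In the first RELEASE-NOTES.txt hunk, the trailing context line "All users are strongly encouraged to updated to this release." keeps a typo ("updated" should be "update"); since this hunk rewords the same paragraph, fix it here. The preceding context line "a known remote code exploitation" would also read better as "remote code execution", matching the wording used in the CHANGES entry below. The substantive change in the added lines is worth making explicit: the replaced line only prohibited de-serialization of "InvokerTransformer", while the new text rejects both serialization and de-serialization of the whole set of unsafe functor classes, so readers comparing against an earlier draft should be told that the scope widened.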
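Review bot: In the CHANGES hunk of RELEASE-NOTES.txt, the removed lines documented the property "org.apache.commons.collections.invokertransformer.enableDeserialization" and the added lines document "org.apache.commons.collections.enableUnsafeSerialization" without saying that the old name is no longer honoured; add a sentence such as "The previously documented property ...invokertransformer.enableDeserialization has no effect in this release." so that anyone who already set the old name does not assume serialization has been re-enabled. The explicit list of unsafe classes is a good addition; consider also naming the exception type that is thrown on the rejected serialize/de-serialize call, so operators can recognise it in logs when a deployment still depends on one of these classes.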
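Review bot: In the src/changes/changes.xml hunk, the release date is changed from the "20XX-XX-XX" placeholder to "2015-11-18" in a commit authored on 2015-11-11; if the release slips, the generated changes report will carry a wrong date, so it is safer to fill the date in when the release is actually tagged. Separately, the added line carrying "org.apache.commons.collections.enableUnsafeSerialization" is far longer than the surrounding lines of the <action> body; wrap it the way the same sentence is wrapped in RELEASE-NOTES.txt so the two descriptions stay easy to diff against each other.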