[https://issues.apache.org/jira/browse/CONNECTORS-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16736011#comment-16736011]
Karl Wright commented on CONNECTORS-1565:
-----------------------------------------
This CVE applies only to deserialization of collections over the wire. We
don't do any of that. It's possible that some connector's client library does
this but if so the connector client library would need to be updated as well,
so we'd have to wait for that to happen anyway.
> Upgrade commons-collections to 3.2.2 (CVE-2015-6420)
> ----------------------------------------------------
>
> Key: CONNECTORS-1565
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1565
> Project: ManifoldCF
> Issue Type: Bug
> Components: Framework core
> Affects Versions: ManifoldCF 2.12
> Reporter: Markus Schuch
> Assignee: Markus Schuch
> Priority: Critical
> Fix For: ManifoldCF next
>
>
> We should upgrade commons-collections to 3.2.2 due to a known security issue
> with 3.2.1
> https://commons.apache.org/proper/commons-collections/security-reports.html
> Further reading:
> [http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-andyour-application-have-in-common-this-vulnerability/]
> [https://www.cvedetails.com/cve/CVE-2015-6420/]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
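The comment above argues that CVE-2015-6420 only matters where serialized collections are read from an untrusted source. One way to make that assumption enforceable, as an added illustration that is not ManifoldCF's own code: install a JDK serialization filter (Java 9 and later, `java.io.ObjectInputFilter`) that rejects the commons-collections functor packages and bounds graph size, so that even a dependency that does deserialize cannot instantiate those classes. Class names, limits and the sample payload below are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class SafeDeserialization {

    // Deny the functor packages of commons-collections 3.x and 4.x (the classes
    // named in the CVE-2015-6420 reports) and cap object-graph depth, reference
    // count and stream size. Anything not matched falls through to the JVM's
    // default behaviour. Pattern syntax is that of ObjectInputFilter.Config.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.functors.*;"
          + "!org.apache.commons.collections4.functors.*;"
          + "maxdepth=16;maxrefs=1000;maxbytes=65536");

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(value);
        }
        return buf.toByteArray();
    }

    // Per-stream filter: a blocked class or an exceeded limit makes readObject()
    // throw java.io.InvalidClassException before any constructor or readObject
    // method of the rejected class runs.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary collection passes the filter unchanged.
        List<String> sample = new ArrayList<>(List.of("alpha", "beta"));
        Object roundTrip = deserialize(serialize(sample));
        System.out.println("allowed: " + roundTrip);
        // To apply the same policy JVM-wide instead of per stream, start with
        // -Djdk.serialFilter='!org.apache.commons.collections.functors.*;maxdepth=16'
        // or call ObjectInputFilter.Config.setSerialFilter(FILTER) once at startup.
    }
}
```

Run with `javac SafeDeserialization.java && java SafeDeserialization`; a stream referencing a class under either functor package is rejected with `InvalidClassException: filter status: REJECTED`, which is also a useful log line to alert on.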