Mickael Istria edited comment on JBDS-3560 at 11/19/15 9:21 AM:
----------------------------------------------------------------
The only feature in our TP that requires and provides org.apache.commons.collections is
org.eclipse.jpt.jpa.feature. It is strictly tied to version 3.2.0.
JBDS includes this feature, so it transitively requires the 3.2.0 version of
org.apache.commons.collections. I guess there is not much we can do before Mars.2.
Anyway, the features and plugins we provide can still decide to enforce dependency on
3.2.2, and we keep both 3.2.0 and 3.2.2. So at least we know that "our"
execution threads wouldn't be hurt by the issue.
was (Author: mickael_istria):
The only feature in our TP that requires and provides org.apache.commons.collections is
org.eclipse.jpt.jpa.feature. It is strictly tied to version 3.2.0.
JBDS includes this feature, so it transitively requires the 3.2.0 version of
org.apache.commons.collections. I guess there is not much we can do before Mars.2.
Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
-------------------------------------------------------------------------
Key: JBDS-3560
URL: https://issues.jboss.org/browse/JBDS-3560
Project: Developer Studio (JBoss Developer Studio)
Issue Type: Bug
Components: upstream
Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
Reporter: Nick Boldt
Assignee: Max Rydahl Andersen
Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
Attachments: apache-commons-collections-in-JBDS7,8,9,10.png,
apache-commons-collections-in-JBDS7,8,9,10_refs1.png,
apache-commons-collections-in-JBDS7,8,9,10_refs10.png,
apache-commons-collections-in-JBDS7,8,9,10_refs7.png,
apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png,
apache-commons-collections-in-JBDS7,8,9,10_refs8.png,
apache-commons-collections-in-JBDS7,8,9,10_refs9.png,
orbit.R20150519210750_vs_I20151117200049.log.txt,
orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
This is a container issue to wrap & track
https://issues.apache.org/jira/browse/COLLECTIONS-580
Problem is that JBDS 9 (and probably 8 and 10 too) includes
org.apache.commons.collections 3.2.0.v2013030210310, which is affected by
COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
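
An added example, not part of the original issue or of the JBDS build: one way to check which bundles' `Require-Bundle` headers still let org.apache.commons.collections resolve to a version below 3.2.2 when both 3.2.0 and 3.2.2 are kept in the target platform, as the comment above proposes. The bundle names and manifests in `SAMPLES` are constructed for illustration, and the helper names are hypothetical.

```python
import re

TARGET = "org.apache.commons.collections"
FIXED = (3, 2, 2)  # version the comment above proposes to enforce

def split_clauses(header):
    """Split an OSGi header on commas that sit outside double quotes."""
    return [c.strip() for c in re.findall(r'(?:[^,"]|"[^"]*")+', header)]

def floor_of(clause):
    """Lowest (major, minor, micro) that a Require-Bundle clause accepts."""
    m = re.search(r'bundle-version="?([^";]+)', clause)
    if not m:
        return (0, 0, 0)  # no bundle-version attribute: any version resolves
    # "[3.2.0,4.0.0)" is a range; a bare "3.2.0" means "3.2.0 or later".
    low = m.group(1).lstrip("[(").split(",")[0].strip()
    parts = [int(p) for p in low.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def admits_unfixed(manifest_text):
    """True if Require-Bundle lets TARGET resolve below FIXED.
    Only Require-Bundle is inspected; Import-Package is out of scope here."""
    # MANIFEST.MF continuation lines start with a single space: unfold them.
    unfolded = re.sub(r"\r?\n ", "", manifest_text)
    m = re.search(r"^Require-Bundle:[ \t]*(.*)$", unfolded, re.M)
    if not m:
        return False
    for clause in split_clauses(m.group(1)):
        if clause.split(";")[0].strip() == TARGET:
            return floor_of(clause) < FIXED
    return False

def report(samples):
    """Names of bundles whose requirement can still bind to an unfixed version."""
    return sorted(n for n, text in samples.items() if admits_unfixed(text))

# Constructed manifests (not taken from JBDS or Eclipse).
SAMPLES = {
    "example.pinned": "Bundle-SymbolicName: example.pinned\n"
        "Require-Bundle: org.eclipse.core.runtime,\n"
        ' org.apache.commons.collections;bundle-version="[3.2.0,3.2.0]"\n',
    "example.enforced": "Bundle-SymbolicName: example.enforced\n"
        'Require-Bundle: org.apache.commons.collections;bundle-version="[3.2.2,4.0.0)"\n',
    "example.open": "Bundle-SymbolicName: example.open\n"
        "Require-Bundle: org.apache.commons.collections\n",
    "example.unrelated": "Bundle-SymbolicName: example.unrelated\n"
        "Require-Bundle: org.eclipse.core.runtime\n",
}

if __name__ == "__main__":
    for name in report(SAMPLES):
        print("can resolve below 3.2.2:", name)
```
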