[JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

Thursday, 19 November 2015

    [
https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin....
] 

Mickael Istria commented on JBDS-3560:
--------------------------------------

I don't believe those changes in target-platform are useful. The current version of
common.collections (3.2.0) is currently transitively included by a feature, so
# even if you add this to TP, it doesn't remove the feature inclusion, so both version
would work
# Assuming the feature is required and available while resolving dependencies, it will
install commons.collections 3.2.0 and not 3.3.2

It's mostly not something that requires to be changed in TP, it's more that the
features/plugins we embed/provide need to put the right version ranges to use the bug-free
common.collections.

...
 Arbitrary remote code execution with InvokerTransformer
(COLLECTIONS-580)
 -------------------------------------------------------------------------

                 Key: JBDS-3560
                 URL: https://issues.jboss.org/browse/JBDS-3560
             Project: Developer Studio (JBoss Developer Studio)
          Issue Type: Bug
          Components: upstream
    Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
            Reporter: Nick Boldt
            Assignee: Max Rydahl Andersen
             Fix For: 9.1.0.Beta1, 10.0.0.Alpha1

         Attachments: apache-commons-collections-in-JBDS7,8,9,10.png,
apache-commons-collections-in-JBDS7,8,9,10_refs1.png,
apache-commons-collections-in-JBDS7,8,9,10_refs10.png,
apache-commons-collections-in-JBDS7,8,9,10_refs7.png,
apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png,
apache-commons-collections-in-JBDS7,8,9,10_refs8.png,
apache-commons-collections-in-JBDS7,8,9,10_refs9.png,
orbit.R20150519210750_vs_I20151117200049.log.txt,
orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt

 This is a container issue to wrap & track
https://issues.apache.org/jira/browse/COLLECTIONS-580
 Problem is that JBDS 9 (and probably 8 and 10 too) include
org.apache.commons.collections	3.2.0.v2013030210310, which is affected by COLLECTIONS-580
- Arbitrary remote code execution with InvokerTransformer 

--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006