[ANNOUNCEMENT] Apache Commons Configuration Version 2.7 Released.

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[ANNOUNCEMENT] Apache Commons Configuration Version 2.7 Released.

Rob Tompkins-2
The Apache Commons team is pleased to announce the release of Apache Commons Configuration Version 2.7.

Release Notes
2020-03-11

INTRODUCTION:
=============

This document contains the release notes for this version of the Commons
Configuration component. It describes the changes since the previous version.
The Commons Configuration software library provides a generic configuration
interface which enables an application to read configuration data from a variety
of sources.

Tools to assist in the reading of configuration/preferences files in
various formats

Minor release with new features and updated dependencies.

Changes in this version include:

New features:
o CONFIGURATION-765:  Refactor XMLConfiguration.write(Writer) to add XMLConfiguration.write(Writer, Transformer). Thanks to Gary Gregory.

Fixed Bugs:
o CONFIGURATION-761:  Single argument DataConfiguration APIs always create empty arrays. Thanks to Gary Gregory.
o CONFIGURATION-767:  NullPointerException in XMLConfiguration#createTransformer() when no FileLocator is set. Thanks to Gary Gregory.
o CONFIGURATION-768:  XMLConfiguration#write does not indent XML elements. Thanks to Gary Gregory.
o CONFIGURATION-771:  Update com.fasterxml.jackson.core:jackson-databind 2.10.0 -> 2.10.1. Thanks to Gary Gregory.
o CONFIGURATION-773:  User's Guide > Properties files > Saving - small documentation bugs #41. Thanks to Dan Dragut.

Changes:
o CONFIGURATION-762:  Use variable arguments. Thanks to Gary Gregory.
o                     Update ]com.puppycrawl.tools:checkstyle from 8.24 to  8.25. Thanks to Gary Gregory.
o CONFIGURATION-763:  Update com.fasterxml.jackson.core:jackson-databind from 2.9.9 to 2.10.0. Thanks to Gary Gregory.
o                     [test] org.easymock:easymock 4.0.2 -> 4.1. Thanks to Gary Gregory.
o CONFIGURATION-775:  Update Apache Commons VFS from 2.4.1 to 2.5.0. Thanks to Gary Gregory.
o CONFIGURATION-777:  Update Apache Commons VFS from 2.5.0 to 2.6.0. Thanks to Gary Gregory.
o CONFIGURATION-778:  Update optional Apache Commons Codec from 1.13 to 1.14. Thanks to Gary Gregory.
o                     Update tests from JUnit 4.12 to 4.13. Thanks to Gary Gregory.
o CONFIGURATION-779:  Update optional jackson-databind from 2.10.1 to 2.10.2. Thanks to Gary Gregory.
o CONFIGURATION-783:  Update com.fasterxml.jackson.core:jackson-databind from 2.10.2 to 2.10.3. Thanks to Gary Gregory.
o CONFIGURATION-784:  Update org.yaml:snakeyaml from 1.25 to 1.26 and tweak parser configuration. Thanks to Gary Gregory.
o CONFIGURATION-785:  Update org.springframework:spring-* from 4.3.25.RELEASE to 4.3.26.RELEASE. Thanks to Gary Gregory.
o                     Update org.apache.commons:commons-parent from 48 to 50 Thanks to Rob Tompkins.

Historical list of changes:
https://commons.apache.org/proper/commons-configuration/changes-report.html

For complete information on Apache Commons Configuration, including
instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Apache Commons
Configuration website:

https://commons.apache.org/proper/commons-configuration/

Download it from
https://commons.apache.org/proper/commons-configuration/download_configuration.cgi

Best regards,
Rob Tompkins,
On behalf of the Apache Commons Team
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

Oliver Heger-4
CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
in Apache Commons Configuration

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
2.2 to 2.6

Description:
Apache Commons Configuration uses a third-party library to parse YAML
files which by default allows the instantiation of classes if the YAML
includes special statements. If a YAML file is from an untrusted source,
it can therefore load and execute code out of the control of the host
application.

Mitigation:
Users should upgrade to to 2.7, which prevents class instantiation by
the YAML processor.

Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger
on behalf of the Apache Commons PMC


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

Oliver Heger-3
The form at Mitre was just submitted, so I assume that the issue will be
visible soon.

Oliver

Am 12.03.20 um 19:18 schrieb Gary Gregory:

> Note that  https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not
> "live" yet.
>
> Gary
>
> On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger <[hidden email]> wrote:
>
>> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
>> in Apache Commons Configuration
>>
>> Severity: Moderate
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> 2.2 to 2.6
>>
>> Description:
>> Apache Commons Configuration uses a third-party library to parse YAML
>> files which by default allows the instantiation of classes if the YAML
>> includes special statements. If a YAML file is from an untrusted source,
>> it can therefore load and execute code out of the control of the host
>> application.
>>
>> Mitigation:
>> Users should upgrade to to 2.7, which prevents class instantiation by
>> the YAML processor.
>>
>> Credit:
>> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>>
>> Oliver Heger
>> on behalf of the Apache Commons PMC
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]