[VOTE] Release Commons Collections 3.2.2 Based on RC3

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

[VOTE] Release Commons Collections 3.2.2 Based on RC3

Thomas Neidhart
Hi all,

in order to provide a work-around for the known remote code exploit via
java de-serialization of malicious InvokerTransformer instances, I would
like to start a vote to release Commons Collections 3.2.2 based on RC3.

Notes:

 * the site will not be published, it just serves as a reference to
access the various reports. After a successful vote, the current 4.X
branch site will be updated with relevant information and published.

 * some tests might fail with various IBM JDK 6 JREs, these are known
issues and have been worked-around in the 4.X branch but are not
back-ported to this release.

 * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
with a newly introduced default method in the Map interface.

 * the collections-testframework.jar that has been published in previous
versions is not included in this release

Changes from RC2:

 * fixed false positives in RAT report
 * fixed test execution and compilation problems with JDK 1.4 and 1.5

Changes from RC1:

 * fixed RAT report
 * fixed NOTICE file
 * improve the security fix: it has been made symmetric in the sense
   that also the serialization of an unsafe class is disabled by
   default and will result in an exception
 * changed the system property to re-enable serialization of unsafe
   classes. It is now
   "org.apache.commons.collections.enableUnsafeSerialization"
 * all classes in the functor package which (based on current
   knowledge) have to be considered unsafe cannot be serialized/
   de-serialized any more by default. This includes the following
   classes:

 ** CloneTransformer
 ** PrototypeFactory (inner classes
                      PrototypeCloneFactory and
                      PrototypeSerializationFactory)
 ** InstantiateFactory
 ** InstantiateTransformer
 ** ForClosure
 ** WhileClosure
 ** InvokerTransformer



Collections 3.2.2 RC3 is available for review here:
    https://dist.apache.org/repos/dist/dev/commons/collections/
    (svn revision 11167)

Maven artifacts are here:

https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/

Details of changes since 3.2.1 are in the release notes:

https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt

http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html

The tag is here:

https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
    (svn revision 1714131)

Site:
    http://people.apache.org/builds/commons/collections/3.2.2/RC3/

Clirr Report (compared to 3.2.1):

http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html

RAT Report:

http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html

KEYS:
  https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.


Considering that this is a security related release and that RC2 did not
show any functional problems with the release, I plan to close this vote
in 24h from now, i.e. after 0100 GMT 14-November 2015

  [ ] +1 Release these artifacts
  [ ] +0 OK, but...
  [ ] -0 OK, but really should fix...
  [ ] -1 I oppose this release because...

Thanks,

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

Luc Maisonobe-2
Le 13/11/2015 00:31, Thomas Neidhart a écrit :

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
>  * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
>  * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
>  * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
> Changes from RC2:
>
>  * fixed false positives in RAT report
>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
>  * fixed RAT report
>  * fixed NOTICE file
>  * improve the security fix: it has been made symmetric in the sense
>    that also the serialization of an unsafe class is disabled by
>    default and will result in an exception
>  * changed the system property to re-enable serialization of unsafe
>    classes. It is now
>    "org.apache.commons.collections.enableUnsafeSerialization"
>  * all classes in the functor package which (based on current
>    knowledge) have to be considered unsafe cannot be serialized/
>    de-serialized any more by default. This includes the following
>    classes:
>
>  ** CloneTransformer
>  ** PrototypeFactory (inner classes
>                       PrototypeCloneFactory and
>                       PrototypeSerializationFactory)
>  ** InstantiateFactory
>  ** InstantiateTransformer
>  ** ForClosure
>  ** WhileClosure
>  ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC3 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/collections/
>     (svn revision 11167)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>     (svn revision 1714131)
>
> Site:
>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
>   [X] +1 Release these artifacts


Luc

>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

Jörg Schaible
In reply to this post by Thomas Neidhart
+1

Builds fine now with my compiler zoo.

Thomas Neidhart wrote:

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
>  * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
>  * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
>  * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
> Changes from RC2:
>
>  * fixed false positives in RAT report
>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
>  * fixed RAT report
>  * fixed NOTICE file
>  * improve the security fix: it has been made symmetric in the sense
>    that also the serialization of an unsafe class is disabled by
>    default and will result in an exception
>  * changed the system property to re-enable serialization of unsafe
>    classes. It is now
>    "org.apache.commons.collections.enableUnsafeSerialization"
>  * all classes in the functor package which (based on current
>    knowledge) have to be considered unsafe cannot be serialized/
>    de-serialized any more by default. This includes the following
>    classes:
>
>  ** CloneTransformer
>  ** PrototypeFactory (inner classes
>                       PrototypeCloneFactory and
>                       PrototypeSerializationFactory)
>  ** InstantiateFactory
>  ** InstantiateTransformer
>  ** ForClosure
>  ** WhileClosure
>  ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC3 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/collections/
>     (svn revision 11167)
>
> Maven artifacts are here:
>
>
https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3

>     (svn revision 1714131)
>
> Site:
>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

garydgregory
In reply to this post by Thomas Neidhart
+1

Tested with src zip.

BUT:

- The site Javadoc link is labeled "3.2.1" (fixed in
https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
)
- The site history does not mentioned (fixed in svn)

ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?

Reports OK.

Tested building with:

Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
2015-04-22T04:57:37-07:00)
Maven home: C:\Java\apache-maven-3.3.3\bin\..
Java version: 1.7.0_79, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.7.0_79\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

and:

Apache Ant(TM) version 1.9.6 compiled on June 29 2015

Gary

On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <[hidden email]>
wrote:

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>
> Notes:
>
>  * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
>  * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
>  * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
> Changes from RC2:
>
>  * fixed false positives in RAT report
>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
>
> Changes from RC1:
>
>  * fixed RAT report
>  * fixed NOTICE file
>  * improve the security fix: it has been made symmetric in the sense
>    that also the serialization of an unsafe class is disabled by
>    default and will result in an exception
>  * changed the system property to re-enable serialization of unsafe
>    classes. It is now
>    "org.apache.commons.collections.enableUnsafeSerialization"
>  * all classes in the functor package which (based on current
>    knowledge) have to be considered unsafe cannot be serialized/
>    de-serialized any more by default. This includes the following
>    classes:
>
>  ** CloneTransformer
>  ** PrototypeFactory (inner classes
>                       PrototypeCloneFactory and
>                       PrototypeSerializationFactory)
>  ** InstantiateFactory
>  ** InstantiateTransformer
>  ** ForClosure
>  ** WhileClosure
>  ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC3 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/collections/
>     (svn revision 11167)
>
> Maven artifacts are here:
>
>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>
> The tag is here:
>
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>     (svn revision 1714131)
>
> Site:
>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>
> Clirr Report (compared to 3.2.1):
>
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>
> RAT Report:
>
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


--
E-Mail: [hidden email] | [hidden email]
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

Thomas Neidhart
On 11/13/2015 08:26 PM, Gary Gregory wrote:

> +1
>
> Tested with src zip.
>
> BUT:
>
> - The site Javadoc link is labeled "3.2.1" (fixed in
> https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> )
> - The site history does not mentioned (fixed in svn)

as I said the site will not be published from the 3.2.2 release but from
the 4.X branch.

> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Reports OK.
>
> Tested building with:
>
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>
> and:
>
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>
> Gary
>
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <[hidden email]>
> wrote:
>
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>>  * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>>  * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>>
>>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>>  * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>>
>> Changes from RC2:
>>
>>  * fixed false positives in RAT report
>>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>>  * fixed RAT report
>>  * fixed NOTICE file
>>  * improve the security fix: it has been made symmetric in the sense
>>    that also the serialization of an unsafe class is disabled by
>>    default and will result in an exception
>>  * changed the system property to re-enable serialization of unsafe
>>    classes. It is now
>>    "org.apache.commons.collections.enableUnsafeSerialization"
>>  * all classes in the functor package which (based on current
>>    knowledge) have to be considered unsafe cannot be serialized/
>>    de-serialized any more by default. This includes the following
>>    classes:
>>
>>  ** CloneTransformer
>>  ** PrototypeFactory (inner classes
>>                       PrototypeCloneFactory and
>>                       PrototypeSerializationFactory)
>>  ** InstantiateFactory
>>  ** InstantiateTransformer
>>  ** ForClosure
>>  ** WhileClosure
>>  ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC3 is available for review here:
>>     https://dist.apache.org/repos/dist/dev/commons/collections/
>>     (svn revision 11167)
>>
>> Maven artifacts are here:
>>
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>>
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>>     (svn revision 1714131)
>>
>> Site:
>>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

Luc Maisonobe-2
In reply to this post by garydgregory
Le 13/11/2015 20:26, Gary Gregory a écrit :

> +1
>
> Tested with src zip.
>
> BUT:
>
> - The site Javadoc link is labeled "3.2.1" (fixed in
> https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> )
> - The site history does not mentioned (fixed in svn)
>
> ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?

Yes. I check this for every release.

Luc

>
> Reports OK.
>
> Tested building with:
>
> Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> 2015-04-22T04:57:37-07:00)
> Maven home: C:\Java\apache-maven-3.3.3\bin\..
> Java version: 1.7.0_79, vendor: Oracle Corporation
> Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> Default locale: en_US, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>
> and:
>
> Apache Ant(TM) version 1.9.6 compiled on June 29 2015
>
> Gary
>
> On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <[hidden email]>
> wrote:
>
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC3.
>>
>> Notes:
>>
>>  * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>>  * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>>
>>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>>  * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>>
>> Changes from RC2:
>>
>>  * fixed false positives in RAT report
>>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
>>
>> Changes from RC1:
>>
>>  * fixed RAT report
>>  * fixed NOTICE file
>>  * improve the security fix: it has been made symmetric in the sense
>>    that also the serialization of an unsafe class is disabled by
>>    default and will result in an exception
>>  * changed the system property to re-enable serialization of unsafe
>>    classes. It is now
>>    "org.apache.commons.collections.enableUnsafeSerialization"
>>  * all classes in the functor package which (based on current
>>    knowledge) have to be considered unsafe cannot be serialized/
>>    de-serialized any more by default. This includes the following
>>    classes:
>>
>>  ** CloneTransformer
>>  ** PrototypeFactory (inner classes
>>                       PrototypeCloneFactory and
>>                       PrototypeSerializationFactory)
>>  ** InstantiateFactory
>>  ** InstantiateTransformer
>>  ** ForClosure
>>  ** WhileClosure
>>  ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC3 is available for review here:
>>     https://dist.apache.org/repos/dist/dev/commons/collections/
>>     (svn revision 11167)
>>
>> Maven artifacts are here:
>>
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
>>
>> The tag is here:
>>
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
>>     (svn revision 1714131)
>>
>> Site:
>>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
>>
>> Clirr Report (compared to 3.2.1):
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
>>
>> RAT Report:
>>
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
>>
>> KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

garydgregory
On Fri, Nov 13, 2015 at 12:12 PM, Luc Maisonobe <[hidden email]> wrote:

> Le 13/11/2015 20:26, Gary Gregory a écrit :
> > +1
> >
> > Tested with src zip.
> >
> > BUT:
> >
> > - The site Javadoc link is labeled "3.2.1" (fixed in
> >
> https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X
> > )
> > - The site history does not mentioned (fixed in svn)
> >
> > ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right?
>
> Yes. I check this for every release.
>

Great, thank you for clarifying that.

Gary


>
> Luc
>
> >
> > Reports OK.
> >
> > Tested building with:
> >
> > Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06;
> > 2015-04-22T04:57:37-07:00)
> > Maven home: C:\Java\apache-maven-3.3.3\bin\..
> > Java version: 1.7.0_79, vendor: Oracle Corporation
> > Java home: C:\Program Files\Java\jdk1.7.0_79\jre
> > Default locale: en_US, platform encoding: Cp1252
> > OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
> >
> > and:
> >
> > Apache Ant(TM) version 1.9.6 compiled on June 29 2015
> >
> > Gary
> >
> > On Thu, Nov 12, 2015 at 3:31 PM, Thomas Neidhart <
> [hidden email]>
> > wrote:
> >
> >> Hi all,
> >>
> >> in order to provide a work-around for the known remote code exploit via
> >> java de-serialization of malicious InvokerTransformer instances, I would
> >> like to start a vote to release Commons Collections 3.2.2 based on RC3.
> >>
> >> Notes:
> >>
> >>  * the site will not be published, it just serves as a reference to
> >> access the various reports. After a successful vote, the current 4.X
> >> branch site will be updated with relevant information and published.
> >>
> >>  * some tests might fail with various IBM JDK 6 JREs, these are known
> >> issues and have been worked-around in the 4.X branch but are not
> >> back-ported to this release.
> >>
> >>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> >> with a newly introduced default method in the Map interface.
> >>
> >>  * the collections-testframework.jar that has been published in previous
> >> versions is not included in this release
> >>
> >> Changes from RC2:
> >>
> >>  * fixed false positives in RAT report
> >>  * fixed test execution and compilation problems with JDK 1.4 and 1.5
> >>
> >> Changes from RC1:
> >>
> >>  * fixed RAT report
> >>  * fixed NOTICE file
> >>  * improve the security fix: it has been made symmetric in the sense
> >>    that also the serialization of an unsafe class is disabled by
> >>    default and will result in an exception
> >>  * changed the system property to re-enable serialization of unsafe
> >>    classes. It is now
> >>    "org.apache.commons.collections.enableUnsafeSerialization"
> >>  * all classes in the functor package which (based on current
> >>    knowledge) have to be considered unsafe cannot be serialized/
> >>    de-serialized any more by default. This includes the following
> >>    classes:
> >>
> >>  ** CloneTransformer
> >>  ** PrototypeFactory (inner classes
> >>                       PrototypeCloneFactory and
> >>                       PrototypeSerializationFactory)
> >>  ** InstantiateFactory
> >>  ** InstantiateTransformer
> >>  ** ForClosure
> >>  ** WhileClosure
> >>  ** InvokerTransformer
> >>
> >>
> >>
> >> Collections 3.2.2 RC3 is available for review here:
> >>     https://dist.apache.org/repos/dist/dev/commons/collections/
> >>     (svn revision 11167)
> >>
> >> Maven artifacts are here:
> >>
> >>
> >>
> https://repository.apache.org/content/repositories/orgapachecommons-1117/commons-collections/commons-collections/3.2.2/
> >>
> >> Details of changes since 3.2.1 are in the release notes:
> >>
> >>
> >>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> >>
> >>
> >>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/changes-report.html
> >>
> >> The tag is here:
> >>
> >>
> >>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC3
> >>     (svn revision 1714131)
> >>
> >> Site:
> >>     http://people.apache.org/builds/commons/collections/3.2.2/RC3/
> >>
> >> Clirr Report (compared to 3.2.1):
> >>
> >>
> >>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/clirr-report.html
> >>
> >> RAT Report:
> >>
> >>
> >>
> http://people.apache.org/builds/commons/collections/3.2.2/RC3/rat-report.html
> >>
> >> KEYS:
> >>   https://www.apache.org/dist/commons/KEYS
> >>
> >> Please review the release candidate and vote.
> >>
> >>
> >> Considering that this is a security related release and that RC2 did not
> >> show any functional problems with the release, I plan to close this vote
> >> in 24h from now, i.e. after 0100 GMT 14-November 2015
> >>
> >>   [ ] +1 Release these artifacts
> >>   [ ] +0 OK, but...
> >>   [ ] -0 OK, but really should fix...
> >>   [ ] -1 I oppose this release because...
> >>
> >> Thanks,
> >>
> >> Thomas
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [hidden email]
> >> For additional commands, e-mail: [hidden email]
> >>
> >>
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


--
E-Mail: [hidden email] | [hidden email]
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

Stefan Bodewig
In reply to this post by Thomas Neidhart
On 2015-11-13, Thomas Neidhart wrote:

> Please review the release candidate and vote.

+1

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3

Thomas Neidhart
In reply to this post by Thomas Neidhart
On 11/13/2015 12:31 AM, Thomas Neidhart wrote:
> Hi all,

[snip]

> Considering that this is a security related release and that RC2 did not
> show any functional problems with the release, I plan to close this vote
> in 24h from now, i.e. after 0100 GMT 14-November 2015

Here is a tally of the VOTE

Commons PMC:
 +1 from Luc, Joerg, Gary, Stefan, Thomas

No other votes have been recorded.

This VOTE, therefore, passes.

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3

Uwe Barthel
Thx Thomas.

The fix for the Java serialization vulnerability is on the way.
Now should we add some information on
http://commons.apache.org/security.html like Commons Compress did?

-- Uwe



On November 14, 2015 10:59:52 AM Thomas Neidhart
<[hidden email]> wrote:

> On 11/13/2015 12:31 AM, Thomas Neidhart wrote:
>> Hi all,
>
> [snip]
>
>> Considering that this is a security related release and that RC2 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24h from now, i.e. after 0100 GMT 14-November 2015
>
> Here is a tally of the VOTE
>
> Commons PMC:
>  +1 from Luc, Joerg, Gary, Stefan, Thomas
>
> No other votes have been recorded.
>
> This VOTE, therefore, passes.
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [RESULT][VOTE] Release Commons Collections 3.2.2 Based on RC3

Thomas Neidhart
On 11/14/2015 04:20 PM, Uwe Barthel wrote:
> Thx Thomas.
>
> The fix for the Java serialization vulnerability is on the way.
> Now should we add some information on
> http://commons.apache.org/security.html like Commons Compress did?

yes, we will do something similar.

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]