[beanutils2] CVE-2014-0114 Pull Request


[beanutils2] CVE-2014-0114 Pull Request

Melloware Inc
Hey All!

First time contributor here.  My company has a corporate goal to only use
open source libraries with NO open security CVEs marked as critical.

BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket:
https://issues.apache.org/jira/browse/BEANUTILS-520

I submitted my first Apache Commons PR which addresses the issue which I
was hoping I could get code reviewed and hopefully merged.  I followed all
guidelines and included a specific unit test to prove the issue and the fix.

Pull Request: https://github.com/apache/commons-beanutils/pull/7

I really feel like this is an important fix to have security on by default
and still allow the ability to opt-out and make it backwards compatible.  I
hope the Apache community feels the same way!

Thanks,
    Melloware

Re: [beanutils2] CVE-2014-0114 Pull Request

Matt Sicker
Hi, I've gone ahead and approved it after review. Since I'm not active
in beanutils, I'd prefer someone else to either merge it or add an
approval review first. My company has also been moving toward
eliminating vulnerable versions of dependencies, and we use beanutils
(1.9.x currently) in some limited fashion.

On Thu, 23 May 2019 at 06:29, Melloware Inc <[hidden email]> wrote:

>
> Hey All!
>
> First time contributor here.  My company has a corporate goal to only use
> open source libraries with NO open security CVEs marked as critical.
>
> BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket:
> https://issues.apache.org/jira/browse/BEANUTILS-520
>
> I submitted my first Apache Commons PR which addresses the issue which I
> was hoping I could get code reviewed and hopefully merged.  I followed all
> guidelines and included a specific unit test to prove the issue and the fix.
>
> Pull Request: https://github.com/apache/commons-beanutils/pull/7
>
> I really feel like this is an important fix to have security on by default
> and still allow the ability to opt-out and make it backwards compatible.  I
> hope the Apache community feels the same way!
>
> Thanks,
>     Melloware



--
Matt Sicker <[hidden email]>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [beanutils2] CVE-2014-0114 Pull Request

Rob Tompkins


> On May 25, 2019, at 3:15 PM, Matt Sicker <[hidden email]> wrote:
>
> Hi, I've gone ahead and approved it after review. Since I'm not active
> in beanutils, I'd prefer someone else to either merge it or add an
> approval review first. My company has also been moving toward
> eliminating vulnerable versions of dependencies, and we use beanutils
> (1.9.x currently) in some limited fashion.

Will put eyes on this in the next 24 hours.  -Rob

>
>> On Thu, 23 May 2019 at 06:29, Melloware Inc <[hidden email]> wrote:
>>
>> Hey All!
>>
>> First time contributor here.  My company has a corporate goal to only use
>> open source libraries with NO open security CVEs marked as critical.
>>
>> BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket:
>> https://issues.apache.org/jira/browse/BEANUTILS-520
>>
>> I submitted my first Apache Commons PR which addresses the issue which I
>> was hoping I could get code reviewed and hopefully merged.  I followed all
>> guidelines and included a specific unit test to prove the issue and the fix.
>>
>> Pull Request: https://github.com/apache/commons-beanutils/pull/7
>>
>> I really feel like this is an important fix to have security on by default
>> and still allow the ability to opt-out and make it backwards compatible.  I
>> hope the Apache community feels the same way!
>>
>> Thanks,
>>    Melloware
>
>
>
> --
> Matt Sicker <[hidden email]>
>


Re: [beanutils] Towards 1.10

Melloware Inc
Rob,

I 100% agree; since CVE-2014-0114 has been fixed in BeanUtils, I think we
need a release.

However, the 1.X branch seems dormant; it seems that for the last 3 years
everything being worked on is BeanUtils2, which is where all the
fixes have been made?

Mello



Re: [beanutils] Towards 1.10

garydgregory
Note that BeanUtils 2 is a major update with a package name change, meaning
it is not a drop-in replacement.

The one main remaining issue to discuss IIRC is whether the BU API should
make public Commons Collections interface and classes, as opposed to more
generic JRE Collections.

Gary

On Wed, Jun 5, 2019 at 8:10 AM Melloware <[hidden email]> wrote:

> Rob,
>
> I 100% agree; since CVE-2014-0114 has been fixed in BeanUtils, I think we
> need a release.
>
> However, the 1.X branch seems dormant; it seems that for the last 3 years
> everything being worked on is BeanUtils2, which is where all the
> fixes have been made?
>
> Mello
>
>

Re: [beanutils] Towards 1.10

Rob Tompkins
I can try to backport the fix to the 1.X branch.

-Rob

On 6/5/2019 8:09 AM, Melloware wrote:

> Rob,
>
> I 100% agree; since CVE-2014-0114 has been fixed in BeanUtils, I think
> we need a release.
>
> However, the 1.X branch seems dormant; it seems that for the last 3 years
> everything being worked on is BeanUtils2, which is where all the
> fixes have been made?
>
> Mello
>
>

Re: [beanutils] Towards 1.10

Melloware Inc
Do you think we could also get a BeanUtils2 release while we are at it?
It supports Java 8 and has many fixes in the last 3 years.


On 6/5/2019 8:37 AM, Rob Tompkins wrote:

> I can try to backport the fix to the 1.X branch.
>
> -Rob
>
> On 6/5/2019 8:09 AM, Melloware wrote:
>> Rob,
>>
>> I 100% agree; since CVE-2014-0114 has been fixed in BeanUtils, I think
>> we need a release.
>>
>> However, the 1.X branch seems dormant; it seems that for the last 3 years
>> everything being worked on is BeanUtils2, which is where all the
>> fixes have been made?
>>
>> Mello
>>
>>

Re: [beanutils] Towards 1.10

Rob Tompkins
I suppose doing both wouldn't be unreasonable. It'll take me a few weeks as I'm in the ramp-up phase at a new gig. But I'll start heading that direction.

-Rob

> On Jun 5, 2019, at 8:39 AM, Melloware <[hidden email]> wrote:
>
> Do you think we could also get a BeanUtils2 release while we are at it? It supports Java 8 and has many fixes in the last 3 years.
>
>
> On 6/5/2019 8:37 AM, Rob Tompkins wrote:
>> I can try to backport the fix to the 1.X branch.
>>
>> -Rob
>>
>> On 6/5/2019 8:09 AM, Melloware wrote:
>>> Rob,
>>>
>>> I 100% agree; since CVE-2014-0114 has been fixed in BeanUtils, I think we need a release.
>>>
>>> However, the 1.X branch seems dormant; it seems that for the last 3 years everything being worked on is BeanUtils2, which is where all the fixes have been made?
>>>
>>> Mello
>>>
>>>