"This 3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580."

"Serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property 'org.apache.commons.collections.enableUnsafeSerialization' needs to be set to 'true'. Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure."

Full change list: https://commons.apache.org/proper/commons-collections/changes-report.html#a3.2.2
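Two checks a defender can run against the mitigation described in the quoted release notes, as an added example (not code from the bug report, from Gentoo or from Apache Commons): read the commons-collections version out of a JAR's Maven `pom.properties` and flag anything older than 3.2.2, which predates the hardening; and scan a JVM option string for the opt-in that switches the hardening back off (`-Dorg.apache.commons.collections.enableUnsafeSerialization=true`). The `META-INF/maven/.../pom.properties` path is the standard Maven location; the JAR used here is constructed in memory so the script runs offline.

```python
"""Checks for the commons-collections 3.2.2 serialization hardening.

Added example, not part of the bug thread or of the library:
 1. is_vulnerable_jar(): JAR is commons-collections older than 3.2.2,
    i.e. it lacks the disabled-by-default unsafe serialization.
 2. unsafe_serialization_enabled(): JVM options re-enable the unsafe
    functor classes via the system property named in the release notes.
"""
import io
import re
import zipfile

FIXED_VERSION = (3, 2, 2)
UNSAFE_PROPERTY = "org.apache.commons.collections.enableUnsafeSerialization"
# Standard Maven metadata location inside a built JAR (assumption: the JAR
# was built by Maven and still carries this file).
POM_PROPERTIES = "META-INF/maven/commons-collections/commons-collections/pom.properties"


def parse_version(text):
    """Turn '3.2.1' or '3.2.2-SNAPSHOT' into a comparable tuple of ints."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def commons_collections_version(jar_bytes):
    """Return the version string recorded in the JAR's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def is_vulnerable_jar(jar_bytes):
    """True if the JAR is commons-collections 3.x older than 3.2.2 (no hardening)."""
    version = commons_collections_version(jar_bytes)
    if version is None:
        return False  # not commons-collections, or no Maven metadata to judge by
    return parse_version(version) < FIXED_VERSION


def unsafe_serialization_enabled(jvm_opts):
    """True if any -D flag in the option string sets the opt-in property to true."""
    pattern = re.compile(r"-D" + re.escape(UNSAFE_PROPERTY) + r"=(\S+)")
    values = (v.strip("\"'").lower() for v in pattern.findall(jvm_opts))
    # Conservative: a single 'true' anywhere is reported, regardless of ordering.
    return any(v == "true" for v in values)


def build_jar(version):
    """Construct a minimal JAR carrying only Maven metadata (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            POM_PROPERTIES,
            "groupId=commons-collections\nartifactId=commons-collections\n"
            f"version={version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("3.2.1", "3.2.2", "4.4"):
        print(v, "lacks hardening" if is_vulnerable_jar(build_jar(v)) else "ok")
    opts = "-Xmx2g -D" + UNSAFE_PROPERTY + "=true"
    print("opt-in set:", unsafe_serialization_enabled(opts))
```

On a real host, feed `commons_collections_version` the bytes of each JAR on the application's classpath and `unsafe_serialization_enabled` the process command line or `JAVA_OPTS`; a 3.2.2 JAR is only hardened as long as nothing sets the property to `true`.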
Note that 4.x isn't vulnerable, but <3.2.2 is, so we need to bump to 3.2.2 here *or* just clean up 3.x if possible.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e90a6173247f06514731825677f3fc67c62bdc52

commit e90a6173247f06514731825677f3fc67c62bdc52
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-21 09:31:11 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-21 09:33:09 +0000

dev-java/commons-collections: bump to 3.2.2

Bug: https://bugs.gentoo.org/739348
Closes: https://bugs.gentoo.org/784131
Closes: https://bugs.gentoo.org/780153
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/commons-collections/Manifest                  |   1 +
.../commons-collections-3.2.2.ebuild                   |  67 +++++++
.../files/commons-collections-3.2.2-fixes.patch        | 201 +++++++++++++++++++++
3 files changed, 269 insertions(+)
it should be safe to stabilize
Thanks!
amd64 done
ppc64 done
x86 done

all arches done
Please clean up
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a

commit c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 05:36:49 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 05:36:49 +0000

dev-java/commons-collections: removed obsolete and vulnerable 3.2.1-r1

Bug: https://bugs.gentoo.org/739348
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/commons-collections/Manifest                  |   1 -
.../commons-collections-3.2.1-r1.ebuild                |  74 ----------
.../files/commons-collections-3.2.1-Java-8.patch       | 160 ---------------------
dev-java/commons-collections/metadata.xml              |   3 -
4 files changed, 238 deletions(-)
the tree is clean now, you can proceed.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-37 at https://security.gentoo.org/glsa/202107-37 by GLSA coordinator John Helmert III (ajak).