Bug 1316430 - Version 3.2.1 has a CVSS 10.0 vulnerability
Version 3.2.1 has a CVSS 10.0 vulnerability
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: apache-commons-collections (Show other bugs)
23
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Michael Simacek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-10 03:41 EST by Ding-Yi Chen
Modified: 2016-04-02 00:20 EDT (History)
5 users (show)

See Also:
Fixed In Version: apache-commons-collections-3.2.2-3.fc22 apache-commons-collections-3.2.2-3.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-02 00:17:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ding-Yi Chen 2016-03-10 03:41:26 EST
Description of problem:

Forward from Jennifer Winer:

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a turing machine. A turing machine
with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/


Version-Release number of selected component (if applicable):
Fedora 24 is already upgrade to 3.2.2, but not Fedora 23 and 22


Actual results:
Fedora 23 and Fedora 22 are still with apache-commons-collections-3.2.1


Expected results:
Fedora 23 should be updated to apache-commons-collections-3.2.2
If you see fit, please also update Fedora 22 as well.


Additional info:
Comment 1 Fedora Update System 2016-03-10 09:01:38 EST
apache-commons-collections-3.2.2-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc3740c56e
Comment 2 Fedora Update System 2016-03-10 09:02:24 EST
apache-commons-collections-3.2.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0c5838abc5
Comment 3 Fedora Update System 2016-03-12 11:54:01 EST
apache-commons-collections-3.2.2-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc3740c56e
Comment 4 Fedora Update System 2016-03-12 12:25:59 EST
apache-commons-collections-3.2.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0c5838abc5
Comment 5 Fedora Update System 2016-03-23 03:49:15 EDT
apache-commons-collections-3.2.2-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0c5838abc5
Comment 6 Fedora Update System 2016-03-23 03:49:45 EDT
apache-commons-collections-3.2.2-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc3740c56e
Comment 7 Fedora Update System 2016-03-23 21:01:28 EDT
apache-commons-collections-3.2.2-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc3740c56e
Comment 8 Fedora Update System 2016-03-23 21:53:47 EDT
apache-commons-collections-3.2.2-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0c5838abc5
Comment 9 Fedora Update System 2016-04-02 00:17:28 EDT
apache-commons-collections-3.2.2-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-04-02 00:20:51 EDT
apache-commons-collections-3.2.2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.