JENKINS-31598: Bump commons-collections lib from 3.2.1 to 3.2.2

• Type: Improvement
• Resolution: Fixed
• Priority: Minor
• Component/s: core
• Labels: None

JENKINS-31496 mentioned a security issue related to the library commons-collections:

Security problem
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Fixed
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java?view=log

This led to [SECURITY-218], and Jenkins is no longer vulnerable since 1.638 and 1.625.2.

It would be nice to bump the embedded library nonetheless, since the 3.2.1 version is being reported as a security risk by audit tools.
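The description mentions audit tools flagging 3.2.1. As an added example (not part of this issue or of the Jenkins code base), here is the kind of check such a tool performs: parse a Maven POM, resolve a property-driven version, and report any commons-collections dependency older than 3.2.2. The POM below is a constructed sample shaped like a core/pom.xml, not the real file.

```python
"""Flag Maven POMs that still pin commons-collections below the patched 3.2.2."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a property-driven core/pom.xml; not Jenkins' real file.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-collections.version>3.2.1</commons-collections.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${commons-collections.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED = (3, 2, 2)  # first 3.x release with the InvokerTransformer deserialization fix

def parse_version(text):
    """Turn '3.2.1' into a comparable tuple of ints; non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def resolve(value, props):
    """Expand a ${property} reference using the POM's <properties> block."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    return props.get(m.group(1), value) if m else value.strip()

def vulnerable_collections_deps(pom_xml):
    """Return [(groupId:artifactId, version)] for commons-collections older than 3.2.2."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if gid == aid == "commons-collections" and ver and parse_version(ver) < FIXED:
            findings.append((f"{gid}:{aid}", ver))
    return findings

if __name__ == "__main__":
    for coord, ver in vulnerable_collections_deps(SAMPLE_POM):
        print(f"{coord} {ver} is below 3.2.2; bump it")
```

Changing the property to 3.2.2, as the commit on this issue did in core/pom.xml, makes the check return no findings.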

SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: PJ Fanning
Path:
core/pom.xml
test/src/test/java/jenkins/security/Security218CliTest.java
http://jenkins-ci.org/commit/jenkins/46d3f2e1d0bee7098e630d9c6913fe25bb2b3753
Log:
JENKINS-31598 upgrade commons-collections due to CVE against v3.2.1 (#2761)

• JENKINS-31598 upgrade commons-collections due to CVE against v3.2.1
• Fix broken tests

Oleg Nenashev added a comment -

Fixed in 2.48: https://github.com/jenkinsci/jenkins/commit/46d3f2e1d0bee7098e630d9c6913fe25bb2b3753

SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: Jesse Glick
Path:
test/src/test/java/jenkins/security/Security218CliTest.java
http://jenkins-ci.org/commit/jenkins/0c3d2ac5bc0c934468cbe264601b6c2f2ae479ca
Log:
Seems that #2761 (JENKINS-31598) blocks the attack with or without SignedObject.

Assignee: Unassigned
Reporter: hashar (Antoine Musso)
Votes: 0
Watchers: 4