From db6d1e79bf7937a00b2c7d06f02439fa6ff92733 Mon Sep 17 00:00:00 2001 From: Andrew Brampton Date: Tue, 8 Mar 2016 23:21:08 -0800 Subject: [PATCH] Upgrade Apache Commons Collections to v3.2.2 Version 3.2.1 contains classes that form a known gadget chain for Java deserialization, rated CVSS 10.0 (remote code execution). Merely having the jar on the classpath is enough: any code in the same JVM process that feeds attacker-controlled bytes to ObjectInputStream can be made to execute arbitrary commands. Upgrading to 3.2.2 neutralises this particular gadget; it does not make deserializing untrusted input safe in general, so code that does so still needs to stop. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ --- open_source_licenses.txt | 4 ++-- .../resources/projects/non-exported-deps/build.gradle | 2 +- .../projects/remapping-multiproject/build.gradle | 4 ++-- .../resources/projects/sts2405/main/build.gradle | 2 +- .../ide/eclipse/gradle/core/test/GradleImportTests.java | 4 ++-- .../ide/eclipse/gradle/core/test/JarRemappingTests.java | 8 ++++---- .../feature.properties | 4 ++-- .../open_source_licenses.txt | 2 +- org.springsource.ide.eclipse.gradle.toolingapi/.classpath | 2 +- .../META-INF/MANIFEST.MF | 2 +- .../embedded-libs.properties | 4 ++-- toolingapi/updateLibs/build.gradle | 2 +- 12 files changed, 20 insertions(+), 20 deletions(-) diff --git a/open_source_licenses.txt b/open_source_licenses.txt index d3235f0..4361c62 100644 --- a/open_source_licenses.txt +++ b/open_source_licenses.txt @@ -36,7 +36,7 @@ SECTION 1: BSD-STYLE, MIT-STYLE, OR SIMILAR STYLE LICENSES SECTION 2: Apache License, V2.0 - >>> commons-collections-3.2.1 + >>> commons-collections-3.2.2 >>> gradle-base-services-2.2.1 >>> gradle-base-services-groovy-2.2.1 >>> gradle-core-2.2.1 
@@ -171,7 +171,7 @@ all copies or substantial portions of the Software.
 Apache License, V2.0 is applicable to the following component(s).
->>> commons-collections-3.2.1
+>>> commons-collections-3.2.2
 Apache Commons Collections
 Copyright 2001-2008 The Apache Software Foundation
diff --git a/org.springsource.ide.eclipse.gradle.core.test/resources/projects/non-exported-deps/build.gradle b/org.springsource.ide.eclipse.gradle.core.test/resources/projects/non-exported-deps/build.gradle
index 27f4e52..cce8128 100644
--- a/org.springsource.ide.eclipse.gradle.core.test/resources/projects/non-exported-deps/build.gradle
+++ b/org.springsource.ide.eclipse.gradle.core.test/resources/projects/non-exported-deps/build.gradle
@@ -16,6 +16,6 @@ project(":main") {
 project(":lib") {
 dependencies {
- compile "commons-collections:commons-collections:3.2.1"
+ compile "commons-collections:commons-collections:3.2.2"
 }
 }
\ No newline at end of file
diff --git a/org.springsource.ide.eclipse.gradle.core.test/resources/projects/remapping-multiproject/build.gradle b/org.springsource.ide.eclipse.gradle.core.test/resources/projects/remapping-multiproject/build.gradle
index d3f0eeb..e1e8af7 100644
--- a/org.springsource.ide.eclipse.gradle.core.test/resources/projects/remapping-multiproject/build.gradle
+++ b/org.springsource.ide.eclipse.gradle.core.test/resources/projects/remapping-multiproject/build.gradle
@@ -42,7 +42,7 @@ project(":main") {
 project(":lib") {
 dependencies {
 compile project(":sublib")
- compile "commons-collections:commons-collections:3.2.1"
+ compile "commons-collections:commons-collections:3.2.2"
 }
 }
@@ -50,4 +50,4 @@ project(":sublib") {
 dependencies {
 compile "commons-collections:commons-collections:3.2"
 }
-}
\ No newline at end of file
+}
diff --git a/org.springsource.ide.eclipse.gradle.core.test/resources/projects/sts2405/main/build.gradle b/org.springsource.ide.eclipse.gradle.core.test/resources/projects/sts2405/main/build.gradle
index 987026f..2efc588 100644
--- a/org.springsource.ide.eclipse.gradle.core.test/resources/projects/sts2405/main/build.gradle
+++ b/org.springsource.ide.eclipse.gradle.core.test/resources/projects/sts2405/main/build.gradle
@@ -24,7 +24,7 @@ repositories {
 dependencies {
 // compile group: 'com.kdvolder', name: 'myCrap', version: '0.1.1'
 compile group: 'com.kdvolder', name: 'myLib', version: '0.0.1-SNAPSHOT'
- compile group: 'commons-collections', name: 'commons-collections', version: '3.2.1'
+ compile group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
 testCompile group: 'junit', name: 'junit', version: '4.+'
 }
diff --git a/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/GradleImportTests.java b/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/GradleImportTests.java
index fcf4c29..a63c58a 100644
--- a/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/GradleImportTests.java
+++ b/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/GradleImportTests.java
@@ -763,8 +763,8 @@ public void testNonExportedDependencies() throws Exception {
 @Override
 public boolean test() throws Exception {
- assertClasspathJarEntry("commons-collections-3.2.1.jar", getGradleProject("main"));
- assertClasspathJarEntry("commons-collections-3.2.1.jar", getGradleProject("lib"));
+ assertClasspathJarEntry("commons-collections-3.2.2.jar", getGradleProject("main"));
+ assertClasspathJarEntry("commons-collections-3.2.2.jar", getGradleProject("lib"));
 assertClasspathProjectEntry(getProject("lib"), getJavaProject("main"));
 return true;
 }
diff --git a/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/JarRemappingTests.java b/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/JarRemappingTests.java
index 6c672f9..d99ccc1 100644
--- a/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/JarRemappingTests.java
+++ b/org.springsource.ide.eclipse.gradle.core.test/src/org/springsource/ide/eclipse/gradle/core/test/JarRemappingTests.java
@@ -339,9 +339,9 @@ public void testRemappingMultiProject() throws Exception {
 new ACondition() {
 public boolean test() throws Exception {
- assertClasspathJarEntry("commons-collections-3.2.1.jar", main);
+ assertClasspathJarEntry("commons-collections-3.2.2.jar", main);
 assertNoClasspathJarEntry("commons-collections-3.2.jar", main); //thanks to custom model this problem can be solved!
- assertClasspathJarEntry("commons-collections-3.2.1.jar", lib);
+ assertClasspathJarEntry("commons-collections-3.2.2.jar", lib);
 assertClasspathJarEntry("commons-collections-3.2.jar", sublib);
 assertClasspathProjectEntry(lib, main);
@@ -364,7 +364,7 @@ public boolean test() throws Exception {
 new ACondition() {
 public boolean test() throws Exception {
- assertClasspathJarEntry("commons-collections-3.2.1.jar", main);
+ assertClasspathJarEntry("commons-collections-3.2.2.jar", main);
 assertNoClasspathJarEntry("commons-collections-3.2.jar", main); //thanks to custom model this problem can be solved!
 // assertClasspathJarEntry("commons-collections-3.2.1.jar", lib); // CLOSED! not applicable
 assertClasspathJarEntry("commons-collections-3.2.jar", sublib);
@@ -382,7 +382,7 @@ public boolean test() throws Exception {
 new ACondition() {
 public boolean test() throws Exception {
- assertClasspathJarEntry("commons-collections-3.2.1.jar", main);
+ assertClasspathJarEntry("commons-collections-3.2.2.jar", main);
 assertNoClasspathJarEntry("commons-collections-3.2.jar", main); //thanks to custom model this problem can be solved!
 // assertClasspathJarEntry("commons-collections-3.2.1.jar", lib); // CLOSED! not applicable
 // assertClasspathJarEntry("commons-collections-3.2.jar", sublib); // CLOSED! not applicable
diff --git a/org.springsource.ide.eclipse.gradle.feature/feature.properties b/org.springsource.ide.eclipse.gradle.feature/feature.properties
index 95624dd..4aba519 100644
--- a/org.springsource.ide.eclipse.gradle.feature/feature.properties
+++ b/org.springsource.ide.eclipse.gradle.feature/feature.properties
@@ -62,7 +62,7 @@ SECTION 1: BSD-STYLE, MIT-STYLE, OR SIMILAR STYLE LICENSES\n\
 \n\
 SECTION 2: Apache License, V2.0\n\
 \n\
- >>> commons-collections-3.2.1\n\
+ >>> commons-collections-3.2.2\n\
 >>> gradle-base-services-2.2.1\n\
 >>> gradle-base-services-groovy-2.2.1\n\
 >>> gradle-core-2.2.1\n\
@@ -197,7 +197,7 @@ all copies or substantial portions of the Software.\n\
 Apache License, V2.0 is applicable to the following component(s).\n\
 \n\
 \n\
->>> commons-collections-3.2.1\n\
+>>> commons-collections-3.2.2\n\
 \n\
 Apache Commons Collections\n\
 Copyright 2001-2008 The Apache Software Foundation\n\
diff --git a/org.springsource.ide.eclipse.gradle.feature/open_source_licenses.txt b/org.springsource.ide.eclipse.gradle.feature/open_source_licenses.txt
index d3235f0..c2f8234 100644
--- a/org.springsource.ide.eclipse.gradle.feature/open_source_licenses.txt
+++ b/org.springsource.ide.eclipse.gradle.feature/open_source_licenses.txt
@@ -36,7 +36,7 @@ SECTION 1: BSD-STYLE, MIT-STYLE, OR SIMILAR STYLE LICENSES
 SECTION 2: Apache License, V2.0
- >>> commons-collections-3.2.1
+ >>> commons-collections-3.2.2
 >>> gradle-base-services-2.2.1
 >>> gradle-base-services-groovy-2.2.1
 >>> gradle-core-2.2.1
diff --git a/org.springsource.ide.eclipse.gradle.toolingapi/.classpath b/org.springsource.ide.eclipse.gradle.toolingapi/.classpath
index 8ee63a8..e1462fa 100644
--- a/org.springsource.ide.eclipse.gradle.toolingapi/.classpath
+++ b/org.springsource.ide.eclipse.gradle.toolingapi/.classpath
@@ -6,7 +6,7 @@
-
+
diff --git a/org.springsource.ide.eclipse.gradle.toolingapi/META-INF/MANIFEST.MF b/org.springsource.ide.eclipse.gradle.toolingapi/META-INF/MANIFEST.MF
index ee29896..f622099 100644
--- a/org.springsource.ide.eclipse.gradle.toolingapi/META-INF/MANIFEST.MF
+++ b/org.springsource.ide.eclipse.gradle.toolingapi/META-INF/MANIFEST.MF
@@ -13,7 +13,7 @@ Bundle-ClassPath: .,
 lib/gradle-core-2.2.1.jar,
 lib/gradle-tooling-api-2.2.1.jar,
 lib/gradle-wrapper-2.2.1.jar,
- lib/commons-collections-3.2.1.jar,
+ lib/commons-collections-3.2.2.jar,
 lib/slf4j-simple-1.7.7.jar,
 lib/model-1.0.jar,
 lib/slf4j-api-1.7.7.jar,
diff --git a/org.springsource.ide.eclipse.gradle.toolingapi/embedded-libs.properties b/org.springsource.ide.eclipse.gradle.toolingapi/embedded-libs.properties
index b2de86d..55d040e 100644
--- a/org.springsource.ide.eclipse.gradle.toolingapi/embedded-libs.properties
+++ b/org.springsource.ide.eclipse.gradle.toolingapi/embedded-libs.properties
@@ -3,7 +3,7 @@ objenesis-1.2.jar-version=1.2
 gradle-base-services-2.2.1.jar-name=gradle-base-services
 reflectasm-1.07-shaded.jar-name=reflectasm
-commons-collections-3.2.1.jar-name=commons-collections
+commons-collections-3.2.2.jar-name=commons-collections
 gradle-wrapper-2.2.1.jar-name=gradle-wrapper
 slf4j-api-1.7.7.jar-name=slf4j-api
 gradle-resources-2.2.1.jar-version=2.2.1
@@ -21,7 +21,7 @@ gradle-resources-2.2.1.jar-name=gradle-resources
 plugin-1.0.jar-name=plugin
 reflectasm-1.07-shaded.jar-version=1.07
 gradle-messaging-2.2.1.jar-name=gradle-messaging
-commons-collections-3.2.1.jar-version=3.2.1
+commons-collections-3.2.2.jar-version=3.2.2
 gradle-tooling-api-2.2.1.jar-name=gradle-tooling-api
 asm-4.0.jar-name=asm
 kryo-2.20.jar-version=2.20
diff --git a/toolingapi/updateLibs/build.gradle b/toolingapi/updateLibs/build.gradle
index 80deb56..fc9524c 100644
--- a/toolingapi/updateLibs/build.gradle
+++ b/toolingapi/updateLibs/build.gradle
@@ -31,7 +31,7 @@ dependencies {
 "org.gradle:gradle-core:$project.gradleApiVersion",
 "org.gradle:gradle-tooling-api:$project.gradleApiVersion",
 "org.gradle:gradle-wrapper:$project.gradleApiVersion",
- "commons-collections:commons-collections:3.2.1",
+ "commons-collections:commons-collections:3.2.2",
 "org.slf4j:slf4j-simple:1.7.7"
 ].each { dep ->
 eclipseBundle dep