升級的Apache Commons Collections中到V4.1 #94
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4.0版有一個CVSS漏洞10.0。這是最壞的一種存在漏洞。僅僅通過對現有的類路徑,該庫將導致Java序列分析器整個JVM進程從一個狀態機圖靈機去。圖靈機與代碼執行的功能! https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
|
修復這個問題是非常重要的。如果與安全漏洞版本的Apache Commons Collections中是由任何傳遞依賴添加到Java類路徑,Java的反序列化對於整個JVM變得容易受到攻擊。該病毒是機載。這引起了可怕的痛苦為眾多開發者。所以這種變化並不僅僅保持這個項目的安全。這種變化也保證了ES用戶不會被攻擊。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
借助最崇高的敬意我要通知你,巨大的不幸降臨你的項目。Apache Commons Collections的4.0版具有CVSS漏洞的10.0。這是最壞的一種存在漏洞。僅僅通過對現有的類路徑,該庫將導致Java序列分析器整個JVM進程從一個狀態機圖靈機去。圖靈機與代碼執行的功能!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/