[CONFSERVER-40130] Upgrade to version 3.2.2 of apache commons-collections

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 5.9.3, 6.0.0-OD-2016.01
Affects Version/s: 5.8.17
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580.

https://commons.apache.org/proper/commons-collections/release_3_2_2.html

is related to

JRASERVER-47638 Upgrade to version 3.2.2 of apache commons-collections

Closed

relates to

CONFSERVER-39919 InvokerTransformer vulnerability

Closed

included in

CPU-179 Confluence 6.0.0-OD-2016.01.1-0002

CPU-180 Confluence 6.0.0-OD-2016.01.1-0003

mentioned in: Page Failed to load

Katherine Yabut made changes - 13/Nov/2018 4:43 AM

Workflow

Original: JAC Bug Workflow v3 [ 2893778 ]

New: CONFSERVER Bug Workflow v4 [ 2985995 ]

Owen made changes - 11/Oct/2018 8:59 AM

Workflow	Original: JAC Bug Workflow v2 [ 2775471 ]	New: JAC Bug Workflow v3 [ 2893778 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:11 PM

Workflow

Original: JAC Bug Workflow [ 2735971 ]

New: JAC Bug Workflow v2 [ 2775471 ]

Owen made changes - 02/Jul/2018 7:12 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2395002 ]

New: JAC Bug Workflow [ 2735971 ]

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:50 AM

Labels

Original: affects-server bugfix deserialization loyalty no-cvss-required security

New: affects-server deserialization loyalty no-cvss-required security

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:41 AM

Labels

Original: affects-server bugfix deserialization no-cvss-required security

New: affects-server bugfix deserialization loyalty no-cvss-required security

Katherine Yabut made changes - 22/Jun/2017 6:51 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2290736 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2395002 ]

Katherine Yabut made changes - 31/May/2017 5:37 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2228698 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2290736 ]

Katherine Yabut made changes - 31/May/2017 4:59 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2185063 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2228698 ]

Katherine Yabut made changes - 31/May/2017 2:02 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1929724 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2185063 ]

Assignee:: Feng Xu (Inactive)

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 04/Dec/2015 6:12 AM

Updated:: 11/Oct/2018 8:59 AM

Resolved:: 15/Dec/2015 12:26 AM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates