Upstream has released 3.2.2, acknowledging the affected code in 3.0 through 3.2.1 as dangerously broken. -> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=15006492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15006492
Oracle seems to be okay with using CVE-2015-4852 for this vulnerability. For that reason, I think a separate CVE may not be forthcoming. -> http://www.openwall.com/lists/oss-security/2015/11/18/1
Upstream will not release a fixed 3.2.1 -> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=14996208&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14996208
For Ubuntu, I see two options: * Upgrade to 3.2.2 * Cherrypick the changes between 3.2.2 and 3.2.1 that affect deserialization