Comment 3 for bug 1514985

Bert Driehuis (driehuis) wrote:

Upstream has released 3.2.2, acknowledging the affected code in 3.0 through 3.2.1 as dangerously broken.
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=15006492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15006492

Oracle seems to be okay with using CVE-2015-4852 for this vulnerability. For that reason, I think a separate CVE may not be forthcoming.
-> http://www.openwall.com/lists/oss-security/2015/11/18/1

Upstream will not release a fixed 3.2.1
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=14996208&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14996208

For Ubuntu, I see two options:
* Upgrade to 3.2.2
* Cherry-pick the changes between 3.2.2 and 3.2.1 that affect deserialization