Comment 4 for bug 1514985

Bert Driehuis (driehuis) wrote :

The patch is here:
-> https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

Suggestion for the Ubuntu changelog if the cherry-pick approach is taken:

The commons-collections library was discovered by foxglovesecurity to allow pre-auth code execution in environments that may deserialize user input. This is particularly true of JBoss, because it has its management interface attached to the default web socket. Any application using commons-collections is at risk if there is a way to input crafted serialized data.

Cherry-pick COLLECTIONS-580.patch from commons-collections3-3.2.2.jar to fix the vulnerability referred to in CVE-2015-4852 (No CVE has been assigned to commons-collections, where the actual implementation issue is).

The patch disables deserialization of untrusted data by default. By setting the system property DESERIALIZE to true, the old (dangerous) behavior can be reinstated.