| <?xml version="1.0"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <document> |
| <properties> |
| <title>Release notes for v3.2.2</title> |
| <author email="dev@commons.apache.org">Commons Documentation Team</author> |
| </properties> |
| <body> |
| |
| <section name="Release notes for v3.2.2"> |
| <hr /> |
| <p> |
| Commons collections is a project to develop and maintain collection classes |
| based on and inspired by the JDK collection framework. |
| This project is JDK 1.3 compatible, and does not use JDK 1.5 generics. |
| </p> |
| <p> |
| This v3.2.2 release is a bugfix release, fixing several bugs present in the previous |
| releases of the 3.2 branch. Additionally, this release provides a mitigation for a |
| known remote code exploitation via the standard java object serialization mechanism. |
| By default, serialization support for unsafe classes in the functor package is |
| disabled and will result in an exception when either trying to serialize or de-serialize |
| an instance of these classes. For more details, please refer to COLLECTIONS-580. |
| </p> |
| <p> |
| All users are strongly encouraged to updated to this release. |
| </p> |
| |
| <h3>Compatibility</h3> |
| <p> |
| This release is fully source and binary compatible with v3.2. For changes since the |
| v3.1 see the <a href="release_3_2.html">v3.2 Release Notes</a>. Note that the method |
| 'protected java.util.Set createSetBasedOnList(java.util.Set, java.util.List)' has been |
| added. |
| </p> |
| |
| <h3>Security Changes</h3> |
| <table> |
| <tr> |
| <td><b>COLLECTIONS-580</b></td> |
| <td>Serialization support for unsafe classes in the functor package is |
| disabled by default as this can be exploited for remote code execution |
| attacks. To re-enable the feature the system property |
| "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". |
| Classes considered to be unsafe are: CloneTransformer, ForClosure, |
| InstantiateFactory, InstantiateTransformer, InvokerTransformer, |
| PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.</td> |
| </tr> |
| </table> |
| |
| <p> |
| For a full list of changes in this release, refer to the <a href="changes-report.html#a3.2.2">Change report</a>. |
| </p> |
| </section> |
| |
| </body> |
| </document> |