src/site/xdoc/release_3_2_2.xml - commons-collections - Git at Google

 <?xml version="1.0"?>
 <!--
    Licensed to the Apache Software Foundation (ASF) under one or more
    contributor license agreements.  See the NOTICE file distributed with
    this work for additional information regarding copyright ownership.
    The ASF licenses this file to You under the Apache License, Version 2.0
    (the "License"); you may not use this file except in compliance with
    the License.  You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
 <document>
  <properties>
   <title>Release notes for v3.2.2</title>
   <author email="dev@commons.apache.org">Commons Documentation Team</author>
  </properties>
 <body>

 <section name="Release notes for v3.2.2">
 <hr />
 <p>
 Commons collections is a project to develop and maintain collection classes
 based on and inspired by the JDK collection framework.
 This project is JDK 1.3 compatible, and does not use JDK 1.5 generics.
 </p>
 <p>
 This v3.2.2 release is a bugfix release, fixing several bugs present in the previous
 releases of the 3.2 branch. Additionally, this release provides a mitigation for a
 known remote code exploitation via the standard java object serialization mechanism.
 By default, serialization support for unsafe classes in the functor package is
 disabled and will result in an exception when either trying to serialize or de-serialize
 an instance of these classes. For more details, please refer to COLLECTIONS-580.
 </p>
 <p>
 All users are strongly encouraged to updated to this release.
 </p>

 <h3>Compatibility</h3>
 <p>
 This release is fully source and binary compatible with v3.2. For changes since the
 v3.1 see the <a href="release_3_2.html">v3.2 Release Notes</a>. Note that the method
 'protected java.util.Set createSetBasedOnList(java.util.Set, java.util.List)' has been
 added.
 </p>

 <h3>Security Changes</h3>
 <table>
 <tr>
  <td><b>COLLECTIONS-580</b></td>
  <td>Serialization support for unsafe classes in the functor package is
      disabled by default as this can be exploited for remote code execution
      attacks. To re-enable the feature the system property
      "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true".
      Classes considered to be unsafe are: CloneTransformer, ForClosure,
      InstantiateFactory, InstantiateTransformer, InvokerTransformer,
      PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.</td>
 </tr>
 </table>

 <p>
 For a full list of changes in this release, refer to the <a href="changes-report.html#a3.2.2">Change report</a>.
 </p>
 </section>

 </body>
 </document>
	<?xml version="1.0"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<document>
	<properties>
	<title>Release notes for v3.2.2</title>
	<author email="dev@commons.apache.org">Commons Documentation Team</author>
	</properties>
	<body>

	<section name="Release notes for v3.2.2">
	<hr />
	<p>
	Commons collections is a project to develop and maintain collection classes
	based on and inspired by the JDK collection framework.
	This project is JDK 1.3 compatible, and does not use JDK 1.5 generics.
	</p>
	<p>
	This v3.2.2 release is a bugfix release, fixing several bugs present in the previous
	releases of the 3.2 branch. Additionally, this release provides a mitigation for a
	known remote code exploitation via the standard java object serialization mechanism.
	By default, serialization support for unsafe classes in the functor package is
	disabled and will result in an exception when either trying to serialize or de-serialize
	an instance of these classes. For more details, please refer to COLLECTIONS-580.
	</p>
	<p>
	All users are strongly encouraged to updated to this release.
	</p>

	<h3>Compatibility</h3>
	<p>
	This release is fully source and binary compatible with v3.2. For changes since the
	v3.1 see the <a href="release_3_2.html">v3.2 Release Notes</a>. Note that the method
	'protected java.util.Set createSetBasedOnList(java.util.Set, java.util.List)' has been
	added.
	</p>

	<h3>Security Changes</h3>
	<table>
	<tr>
	<td><b>COLLECTIONS-580</b></td>
	<td>Serialization support for unsafe classes in the functor package is
	disabled by default as this can be exploited for remote code execution
	attacks. To re-enable the feature the system property
	"org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true".
	Classes considered to be unsafe are: CloneTransformer, ForClosure,
	InstantiateFactory, InstantiateTransformer, InvokerTransformer,
	PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.</td>
	</tr>
	</table>

	<p>
	For a full list of changes in this release, refer to the <a href="changes-report.html#a3.2.2">Change report</a>.
	</p>
	</section>

	</body>
	</document>