Apache Commons logo Commons Collections

Release notes for version 3.2.2


Commons collections is a project to develop and maintain collection classes based on and inspired by the JDK collection framework. This project is Java 1.3 compatible, and does not use Java 5 generics.

This 3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580.

All users are strongly encouraged to updated to this release.

Compatibility

This release is fully source and binary compatible with 3.2. For changes since the 3.1 release see the 3.2 Release Notes. Note that the method 'protected java.util.Set createSetBasedOnList(java.util.Set, java.util.List)' has been added.

Security Changes

COLLECTIONS-580 Serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.

For a full list of changes in this release, refer to the Change report.