Commons Collections

Release notes for v3.2.2


Commons collections is a project to develop and maintain collection classes based on and inspired by the JDK collection framework. This project is JDK 1.3 compatible, and does not use JDK 1.5 generics.

This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580.

All users are strongly encouraged to update to this release.

Compatibility

This release is fully source and binary compatible with v3.2. For changes since v3.1, see the v3.2 Release Notes. Note that the method 'protected java.util.Set createSetBasedOnList(java.util.Set, java.util.List)' has been added.

Security Changes

COLLECTIONS-580 Serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.
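A deployment self-check for the mitigation described above, written as an added example for these notes (it is not part of Commons Collections): it confirms that the opt-in system property is not set to "true" and that serializing one of the listed unsafe classes, InvokerTransformer, is actually refused. The notes do not name the exception type, so the check treats any exception as "blocked". The class name UnsafeSerializationCheck is the example's own.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Startup self-check for an application shipping commons-collections 3.2.2.
 * Verifies that the COLLECTIONS-580 mitigation is in effect in this JVM.
 * Example code for these release notes, not part of the library.
 */
public class UnsafeSerializationCheck {

    /** Property named in the release notes; "true" re-enables unsafe serialization. */
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    /** True only if nobody has opted back into unsafe serialization via the property. */
    static boolean mitigationPropertyIntact() {
        return !"true".equalsIgnoreCase(System.getProperty(PROP, "false"));
    }

    /**
     * Tries to serialize an InvokerTransformer, one of the classes listed as unsafe.
     * With the mitigation active the library throws during writeObject; the exact
     * exception type is not stated in the notes, so any exception counts as blocked.
     */
    static boolean unsafeFunctorSerializationBlocked() {
        Transformer t = InvokerTransformer.getInstance("toString");
        try {
            new ObjectOutputStream(new ByteArrayOutputStream()).writeObject(t);
            return false; // serialization succeeded: the gate is open
        } catch (Exception e) {
            return true;  // refused, as the 3.2.2 default requires
        }
    }

    public static void main(String[] args) {
        boolean propOk = mitigationPropertyIntact();
        boolean blocked = unsafeFunctorSerializationBlocked();
        System.out.println("enableUnsafeSerialization not 'true': " + propOk);
        System.out.println("InvokerTransformer serialization blocked: " + blocked);
        if (!propOk || !blocked) {
            // Fail fast rather than run with unsafe functor serialization enabled.
            throw new IllegalStateException("COLLECTIONS-580 mitigation is not active");
        }
    }
}
```

Run it with the same JVM arguments as the application, since the property is typically supplied on the command line (-D) or by a launcher script and is easy to re-enable by accident.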

For a full list of changes in this release, refer to the Change report.