commons-collections/RELEASE-NOTES.txt

72 lines
4.2 KiB
Plaintext

Apache Commons Collections
Version 3.2.2
RELEASE NOTES
INTRODUCTION:
Commons collections is a project to develop and maintain collection classes
based on and inspired by the JDK collection framework.
This release is JDK1.3 compatible, and does not use JDK1.5 generics.
This v3.2.2 release is a bugfix release, fixing several bugs present in the previous
releases of the 3.2 branch. Additionally, this release provides a mitigation for a
known remote code exploitation via the standard java object serialization mechanism.
By default, serialization support for unsafe classes in the functor package is
disabled and will result in an exception when either trying to serialize or de-serialize
an instance of these classes. For more details, please refer to COLLECTIONS-580.
All users are strongly encouraged to updated to this release.
Changes in this version include:
CHANGES
=======
o COLLECTIONS-580: Serialization support for unsafe classes in the functor package is
disabled by default as this can be exploited for remote code execution
attacks. To re-enable the feature the system property
"org.apache.commons.collections.enableUnsafeSerialization" needs to be
set to "true".
Classes considered to be unsafe are: CloneTransformer, ForClosure,
InstantiateFactory, InstantiateTransformer, InvokerTransformer,
PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.
BUGFIXES
========
o COLLECTIONS-538: "ExtendedProperties" will now use a privileged action to access the
"file.separator" system property. In case the class does not have
permission to read system properties, the "File#separator" field will
be used instead. Thanks to Trejkaz.
o COLLECTIONS-447: Tree traversal with a TreeListIterator will not be affected anymore by
the removal of an element directly after a call to previous(). Thanks to Jeffrey Barnes.
o COLLECTIONS-444: SetUniqueList.set(int, Object) now works correctly if the object to be inserted
is already placed at the given position. Thanks to Thomas Vahrst, John Vasileff.
o COLLECTIONS-350: Removed debug output in "MapUtils#getNumber(Map)". Thanks to Michael Akerman.
o COLLECTIONS-335: Fixed cache assignment for "TreeBidiMap#entrySet". Thanks to sebb.
o COLLECTIONS-334: Synchronized access to lock in "StaticBucketMap#size()". Thanks to sebb.
o COLLECTIONS-307: "SetUniqueList#subList()#contains(Object)" will now correctly check the subList
rather than the parent list. Thanks to Christian Semrau.
o COLLECTIONS-304: "SetUniqueList#set(int, Object)" will now correctly enforce the uniqueness constraint.
Thanks to Rafa? Figas,Bjorn Townsend.
o COLLECTIONS-294: "CaseInsensitiveMap" will now convert input strings to lower-case in a
locale-independent manner. Thanks to Benjamin Bentmann.
o COLLECTIONS-266: "MultiKey" will now be correctly serialized/de-serialized. Thanks to Joerg Schaible.
o COLLECTIONS-261: "Flat3Map#remove(Object)" will now return the correct value mapped to the removed key
if the size of the map is less or equal 3. Thanks to ori.
o COLLECTIONS-249: "SetUniqueList.addAll(int, Collection)" now correctly add the collection at the
provided index. Thanks to Joe Kelly.
o COLLECTIONS-228: "MultiValueMap#put(Object, Object)" and "MultiValueMap#putAll(Object, Collection)"
now correctly return if the map has changed by this operation.
o COLLECTIONS-219: "CollectionUtils#removeAll" wrongly called "ListUtils#retainAll". Thanks to Tom Leccese.
o COLLECTIONS-217: Calling "setValue(Object)" on any Entry returned by a "Flat3Map" will now
correctly set the value for the current entry. Thanks to Matt Bishop.
For complete information on Apache Commons Collections, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons Collections website:
http://commons.apache.org/collections/