Apache Commons Collections
Version 3.2.2
RELEASE NOTES

INTRODUCTION:

Commons Collections is a project to develop and maintain collection classes
based on and inspired by the JDK collection framework.

This release is JDK1.3 compatible, and does not use JDK1.5 generics.

This v3.2.2 release is a bugfix release, fixing several bugs present in the
previous releases of the 3.2 branch. Additionally, this release provides a
mitigation for a known remote code execution exploit via the standard Java
object serialization mechanism. By default, serialization support for unsafe
classes in the functor package is disabled and will result in an exception
when either trying to serialize or de-serialize an instance of these classes.
For more details, please refer to COLLECTIONS-580.

All users are strongly encouraged to update to this release.

Changes in this version include:

CHANGES
=======

o COLLECTIONS-580: Serialization support for unsafe classes in the functor
  package is disabled by default as this can be exploited for remote code
  execution attacks. To re-enable the feature the system property
  "org.apache.commons.collections.enableUnsafeSerialization" needs to be set
  to "true". Classes considered to be unsafe are: CloneTransformer,
  ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer,
  PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.

BUGFIXES
========

o COLLECTIONS-538: "ExtendedProperties" will now use a privileged action to
  access the "file.separator" system property. In case the class does not
  have permission to read system properties, the "File#separator" field will
  be used instead. Thanks to Trejkaz.
o COLLECTIONS-447: Tree traversal with a TreeListIterator will not be affected
  anymore by the removal of an element directly after a call to previous().
  Thanks to Jeffrey Barnes.
o COLLECTIONS-444: SetUniqueList.set(int, Object) now works correctly if the
  object to be inserted is already placed at the given position.
  Thanks to Thomas Vahrst, John Vasileff.
o COLLECTIONS-350: Removed debug output in "MapUtils#getNumber(Map)".
  Thanks to Michael Akerman.
o COLLECTIONS-335: Fixed cache assignment for "TreeBidiMap#entrySet".
  Thanks to sebb.
o COLLECTIONS-334: Synchronized access to lock in "StaticBucketMap#size()".
  Thanks to sebb.
o COLLECTIONS-307: "SetUniqueList#subList()#contains(Object)" will now
  correctly check the subList rather than the parent list.
  Thanks to Christian Semrau.
o COLLECTIONS-304: "SetUniqueList#set(int, Object)" will now correctly enforce
  the uniqueness constraint. Thanks to Rafał Figas, Bjorn Townsend.
o COLLECTIONS-294: "CaseInsensitiveMap" will now convert input strings to
  lower-case in a locale-independent manner. Thanks to Benjamin Bentmann.
o COLLECTIONS-266: "MultiKey" will now be correctly serialized/de-serialized.
  Thanks to Joerg Schaible.
o COLLECTIONS-261: "Flat3Map#remove(Object)" will now return the correct value
  mapped to the removed key if the size of the map is less than or equal to 3.
  Thanks to ori.
o COLLECTIONS-249: "SetUniqueList.addAll(int, Collection)" now correctly adds
  the collection at the provided index. Thanks to Joe Kelly.
o COLLECTIONS-228: "MultiValueMap#put(Object, Object)" and
  "MultiValueMap#putAll(Object, Collection)" now correctly return if the map
  has changed by this operation.
o COLLECTIONS-219: "CollectionUtils#removeAll" wrongly called
  "ListUtils#retainAll". Thanks to Tom Leccese.
o COLLECTIONS-217: Calling "setValue(Object)" on any Entry returned by a
  "Flat3Map" will now correctly set the value for the current entry.
  Thanks to Matt Bishop.

For complete information on Apache Commons Collections, including instructions
on how to submit bug reports, patches, or suggestions for improvement, see the
Apache Commons Collections website:

http://commons.apache.org/collections/
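
An added example, not part of the release notes or of the Commons Collections code base: a JDK-only defence-in-depth check for the COLLECTIONS-580 mitigation. It reports when the re-enabling system property is set and refuses to resolve the listed functor classes during deserialization. The class FunctorSerializationGuard and its helpers are hypothetical names, and the package prefix assumes the 3.x functor package org.apache.commons.collections.functors.

```java
import java.io.*;
import java.util.*;

public class FunctorSerializationGuard {
    // Property name and class list are copied from the COLLECTIONS-580 entry.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";
    static final String PKG = "org.apache.commons.collections.functors."; // assumed 3.x package
    static final Set<String> UNSAFE = new HashSet<>(Arrays.asList(
        "CloneTransformer", "ForClosure", "InstantiateFactory", "InstantiateTransformer",
        "InvokerTransformer", "PrototypeCloneFactory", "PrototypeSerializationFactory",
        "WhileClosure"));

    // True when the JVM was started (or later configured) with the opt-out property.
    static boolean unsafeSerializationEnabled() {
        return "true".equalsIgnoreCase(System.getProperty(PROP));
    }

    // Matches on every '$'-separated part so nested classes are covered as well.
    static boolean isUnsafeFunctor(String className) {
        if (!className.startsWith(PKG)) return false;
        for (String part : className.substring(PKG.length()).split("\\$")) {
            if (UNSAFE.contains(part)) return true;
        }
        return false;
    }

    // Rejects the listed classes before the JVM loads them from the stream.
    static class GuardedObjectInputStream extends ObjectInputStream {
        GuardedObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (isUnsafeFunctor(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "unsafe functor class rejected");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        if (unsafeSerializationEnabled()) {
            System.err.println("WARNING: " + PROP + "=true re-enables the unsafe classes");
        }
        // Constructed sample: a harmless list round-trips through the guarded stream.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        try (ObjectInputStream in = new GuardedObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("read: " + in.readObject());
        }
    }
}
```

The guard is useful on code paths that may still load an older 3.x jar or that run with the property set; it complements the upgrade to 3.2.2 rather than replacing it.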