Date: Fri, 13 Nov 2015 08:21:18 -0600
From: Mark Felder <feld@...d.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw

On Thu, Nov 12, 2015, at 17:22, Tim wrote:
>
> > The currently proposed "fix" is to disable functionality that is
> > being used. This will break applications that need them.
> >
> >  https://issues.apache.org/jira/browse/COLLECTIONS-580
> >
> I just read through that thread and I did not see anyone indicating
> that the fix breaks applications. Only speculation. Perhaps you
> meant to link us somewhere else?
>
> tim

The patch attached to that JIRA report would disable serialization by
default. Any application that needs it would require a code change to
re-enable it. This would break existing applications.

+ "Serialization and deserialization of InvokerTransformer are disabled for security reasons. " +
+ "To re-enable it set, system property '" + DESERIALIZE + "' to 'true'." +
+ "See https://issues.apache.org/jira/browse/COLLECTIONS-580 for details.");

https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

--
Mark Felder
feld@...d.me
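Review bot: the user-facing message in the quoted added lines has a misplaced comma, "To re-enable it set, system property '...'", which should read "To re-enable it, set the system property '...'"; in the same concatenation the second literal ends with "to 'true'." and the third begins with "See https://...", so the rendered message runs them together as "'true'.See https://..." with no separating space. Suggest ending the second literal with "to 'true'. " (trailing space) or starting the third with " See ...". Since this string is the only guidance an operator gets when deserialization is refused, it is worth getting the wording right before the patch lands.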