This is an automated email from the ASF dual-hosted git repository.
github-bot pushed a commit to branch asf-site-v2
in repository https://gitbox.apache.org/repos/asf/dubbo-website.git
The following commit(s) were added to refs/heads/asf-site-v2 by this push:
new 2bdaa874a82 deploy: 2ce2ab46e1abb7fec082c43e3efd1ae734fdd0b3
2bdaa874a82 is described below
commit 2bdaa874a82fab298bfb287ffc657f525400295a
Author: AlbumenJ <[email protected]>
AuthorDate: Fri Oct 20 07:27:35 2023 +0000
deploy: 2ce2ab46e1abb7fec082c43e3efd1ae734fdd0b3
---
en/blog/1/01/01/serialization-protocol-security/index.html | 4 ++--
en/blog/index.xml | 10 ++++++++--
en/blog/page/5/index.html | 2 +-
en/blog/security-notices/index.xml | 10 ++++++++--
en/index.xml | 10 ++++++++--
en/sitemap.xml | 2 +-
en/tags/security-vulnerabilities/index.xml | 10 ++++++++--
sitemap.xml | 2 +-
8 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/en/blog/1/01/01/serialization-protocol-security/index.html
b/en/blog/1/01/01/serialization-protocol-security/index.html
index c9962df71a5..ca013ca013a 100644
--- a/en/blog/1/01/01/serialization-protocol-security/index.html
+++ b/en/blog/1/01/01/serialization-protocol-security/index.html
@@ -1,4 +1,4 @@
-<!doctype html><html lang=en class=no-js><head><meta name=ROBOTS
content="INDEX, FOLLOW"><link rel=canonical
href=https://dubbo.apache.org/en/blog/1/01/01/serialization-protocol-security/><meta
charset=utf-8><meta name=viewport
content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta
name=generator content="Hugo 0.119.0"><link rel="shortcut icon" type=image/png
href=/imgs/favicon.png><link rel=apple-touch-icon
href=/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel [...]
+<!doctype html><html lang=en class=no-js><head><meta name=ROBOTS
content="INDEX, FOLLOW"><link rel=canonical
href=https://dubbo.apache.org/en/blog/1/01/01/serialization-protocol-security/><meta
charset=utf-8><meta name=viewport
content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta
name=generator content="Hugo 0.119.0"><link rel="shortcut icon" type=image/png
href=/imgs/favicon.png><link rel=apple-touch-icon
href=/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel [...]
<script>var
doNotTrack=!1;if(!doNotTrack){window.dataLayer=window.dataLayer||[];function
gtag(){dataLayer.push(arguments)}gtag("js",new
Date),gtag("config","G-1TFHM5YBH0",{anonymize_ip:!1})}</script><link
rel=preload
href=/scss/main.min.fe7176cbe3102a33d3e8c0c9cec61eb52508abd24a2cc1ae23ccf535a481ffde.css
as=style><link
href=/scss/main.min.fe7176cbe3102a33d3e8c0c9cec61eb52508abd24a2cc1ae23ccf535a481ffde.css
rel=stylesheet integrity><script src=/js/jquery-3.5.1.min.js
integrity="sha256-9/a [...]
<link rel=stylesheet href=https://cdn.jsdelivr.net/npm/@docsearch/css@3><meta
name=theme-color content="#326ce5"><link rel=stylesheet
href=/css/feature-states.css><meta name=description content="Safer use of
serialization protocols in Dubbo"><meta property="og:description"
content="Safer use of serialization protocols in Dubbo"><meta
name=twitter:description content="Safer use of serialization protocols in
Dubbo"><meta property="og:url"
content="https://dubbo.apache.org/en/blog/1/01/01/s [...]
<link href=/css/community.css rel=stylesheet><link href=/css/contactus.css
rel=stylesheet><link href=/css/language.css rel=stylesheet><script
src=/js/script.js></script></head><body class="td-page
td-documentation"><header><nav class="js-navbar-scroll navbar navbar-expand
navbar-dark flex-column flex-md-row td-navbar" data-auto-burger=primary><a
class=navbar-brand href=/en/><span class=navbar-logo></span><span
class="text-uppercase font-weight-bold">Apache Dubbo</span></a><div class="td-
[...]
@@ -51,7 +51,7 @@
<label for=m-enblog20200518past-releases-check><a
href=/en/blog/2020/05/18/past-releases/ class="align-left pl-0 td-sidebar-link
td-sidebar-link__page" id=m-enblog20200518past-releases><span>Past
Releases</span></a></label></li></ul></li><li
class="td-sidebar-nav__section-title td-sidebar-nav__section with-child"
id=m-enblogsecurity-notices-li><input type=checkbox
id=m-enblogsecurity-notices-check>
<label for=m-enblogsecurity-notices-check><a href=/en/blog/security-notices/
class="align-left pl-0 td-sidebar-link td-sidebar-link__section"
id=m-enblogsecurity-notices><span>Security notices</span></a></label><ul
class="ul-2 foldable"><li class="td-sidebar-nav__section-title
td-sidebar-nav__section without-child"
id=m-enblog10101serialization-protocol-security-li><input type=checkbox
id=m-enblog10101serialization-protocol-security-check>
<label for=m-enblog10101serialization-protocol-security-check><a
href=/en/blog/1/01/01/serialization-protocol-security/ class="align-left pl-0
td-sidebar-link td-sidebar-link__page"
id=m-enblog10101serialization-protocol-security><span>Serialization Protocol
Security</span></a></label></li><li class="td-sidebar-nav__section-title
td-sidebar-nav__section without-child" id=m-enblog10101security-li><input
type=checkbox id=m-enblog10101security-check>
-<label for=m-enblog10101security-check><a href=/en/blog/1/01/01/security/
class="align-left pl-0 td-sidebar-link td-sidebar-link__page"
id=m-enblog10101security><span>Security</span></a></label></li></ul></li></ul></li></ul></nav></div></div><main
class="col-12 col-md-9 col-xl-8 pl-md-5" role=main><nav aria-label=breadcrumb
class=td-breadcrumbs><ol class=breadcrumb><li class=breadcrumb-item><a
href=https://dubbo.apache.org/en/blog/>Blog</a></li><li
class=breadcrumb-item><a href=https://d [...]
+<label for=m-enblog10101security-check><a href=/en/blog/1/01/01/security/
class="align-left pl-0 td-sidebar-link td-sidebar-link__page"
id=m-enblog10101security><span>Security</span></a></label></li></ul></li></ul></li></ul></nav></div></div><main
class="col-12 col-md-9 col-xl-8 pl-md-5" role=main><nav aria-label=breadcrumb
class=td-breadcrumbs><ol class=breadcrumb><li class=breadcrumb-item><a
href=https://dubbo.apache.org/en/blog/>Blog</a></li><li
class=breadcrumb-item><a href=https://d [...]
<button class="btn btn-primary mb-4
feedback--no">No</button></div><script>const
yes=document.querySelector(".feedback--yes"),no=document.querySelector(".feedback--no");document.querySelectorAll(".feedback--link").forEach(e=>{e.href=e.href+window.location.pathname});const
sendFeedback=e=>{gtag||console.log("!gtag"),gtag("event","click",{event_category:"Helpful",event_label:window.location.pathname,value:e})},disableButtons=()=>{yes.disabled=!0,yes.classList.add("feedback--button__disable
[...]
<a
href="https://github.com/apache/dubbo-website/new/master/content/en/blog/security-notices/serialization-security.md?filename=change-me.md&value=---%0Atitle%3A+%22Long+Page+Title%22%0AlinkTitle%3A+%22Short+Nav+Title%22%0Aweight%3A+100%0Adescription%3A+%3E-%0A+++++Page+description+for+heading+and+indexes.%0A---%0A%0A%23%23+Heading%0A%0AEdit+this+template+to+create+your+new+page.%0A%0A%2A+Give+it+a+good+name%2C+ending+in+%60.md%60+-+e.g.+%60getting-started.md%60%0A%2A+Edit+the+%22fro
[...]
<a
href="https://github.com/apache/dubbo-website/issues/new?title=Serialization%20Protocol%20Security"
target=_blank><i class="fab fa-github fa-fw"></i> Create an issue</a>
diff --git a/en/blog/index.xml b/en/blog/index.xml
index b0f7e94e692..7ba820e2bac 100644
--- a/en/blog/index.xml
+++ b/en/blog/index.xml
@@ -1,8 +1,14 @@
<rss version="2.0"
xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo – Apache
Dubbo
Blog</title><link>https://dubbo.apache.org/en/blog/</link><description>Recent
content in Apache Dubbo Blog on Apache Dubbo</description><generator>Hugo --
gohugo.io</generator><language>en</language><atom:link
href="https://dubbo.apache.org/en/blog/index.xml" rel="self"
type="application/rss+xml"/><item><title>Blog: Serialization Protocol
Security</title><link>https://dubbo.apache.org/ [...]
-<p>Dubbo 3.0 has enhanced the security aspects of serialization protocols
and recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
+<p>Dubbo 3 has enhanced the security aspects of serialization protocols and
recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
<p>In the Triple protocol&rsquo;s Wrapper mode, compatibility with
other serialization data is allowed, offering good compatibility. However,
other protocols may have deserialization security flaws. For the Hessian2
protocol, users who require high-security attributes should enable whitelist
mode according to the sample code. The framework will enable blacklist mode by
default to block malicious calls.</p>
<p>Using other serialization protocols is not recommended. When an attacker
can access the Provider interface, security flaws in other serialization
protocols may lead to command execution through the Provider interface.</p>
-<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the
registry.</p></description></item><item><title>Blog: Advanced cloud native -
Dubbo 3.2 officially released</title><link>https://du [...]
+<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the registry.</p>
+<h2 id="notice">Notice</h2>
+<p>The following serializations are proved that not safe enough to transfer
on network and not recommend to use.</p>
+<ul>
+<li>native-hessian</li>
+<li>native-java (Java ObjectOutputStream and ObjectInputStream)</li>
+</ul></description></item><item><title>Blog: Advanced cloud native - Dubbo
3.2 officially
released</title><link>https://dubbo.apache.org/en/blog/2023/04/15/advanced-cloud-native-dubbo-3.2-officially-released/</link><pubDate>Sat,
15 Apr 2023 00:00:00
+0000</pubDate><guid>https://dubbo.apache.org/en/blog/2023/04/15/advanced-cloud-native-dubbo-3.2-officially-released/</guid><description>
<h2 id="background-introduction">Background introduction</h2>
<p>Apache Dubbo is an RPC service development framework, which is used to
solve service governance and communication problems under the microservice
architecture. It officially provides multi-language SDK implementations such as
Java and Golang. The microservices developed using Dubbo are natively capable
of remote address discovery and communication with each other. Using the rich
service governance features provided by Dubbo, service governance demands such
as service discovery, loa [...]
<h2 id="rest-protocol-support">Rest protocol support</h2>
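Review bot: The added notice sentence in this feed item, "The following serializations are proved that not safe enough to transfer on network and not recommend to use.", is ungrammatical for a security advisory and gives the reader no next step; I would word it as `The following serialization implementations have been shown to be unsafe for data received over the network and are not recommended.` The list names `native-hessian`, while the paragraph above tells users of the Hessian2 protocol to enable whitelist mode, so the notice should add one clause saying how the two differ; otherwise a reader cannot tell whether the Hessian2 guidance still applies. It should also point back to the Triple non-Wrapper recommendation as the alternative, so anyone who finds these serializations in their configuration knows what to move to. These files are generated Hugo output, so the wording should be changed in the source page (the edit link in the first file points at `content/en/blog/security-notices/serialization-security.md`) and redeployed. The same text is repeated in the hunks for en/blog/security-notices/index.xml, en/index.xml and en/tags/security-vulnerabilities/index.xml.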
diff --git a/en/blog/page/5/index.html b/en/blog/page/5/index.html
index 5e72c31d3f5..78a046afab3 100644
--- a/en/blog/page/5/index.html
+++ b/en/blog/page/5/index.html
@@ -55,7 +55,7 @@ Files in these directories will be listed in reverse
chronological order."><meta
<label for=m-enblogsecurity-notices-check><a href=/en/blog/security-notices/
class="align-left pl-0 td-sidebar-link td-sidebar-link__section"
id=m-enblogsecurity-notices><span>Security notices</span></a></label><ul
class="ul-2 foldable"><li class="td-sidebar-nav__section-title
td-sidebar-nav__section without-child"
id=m-enblog10101serialization-protocol-security-li><input type=checkbox
id=m-enblog10101serialization-protocol-security-check>
<label for=m-enblog10101serialization-protocol-security-check><a
href=/en/blog/1/01/01/serialization-protocol-security/ class="align-left pl-0
td-sidebar-link td-sidebar-link__page"
id=m-enblog10101serialization-protocol-security><span>Serialization Protocol
Security</span></a></label></li><li class="td-sidebar-nav__section-title
td-sidebar-nav__section without-child" id=m-enblog10101security-li><input
type=checkbox id=m-enblog10101security-check>
<label for=m-enblog10101security-check><a href=/en/blog/1/01/01/security/
class="align-left pl-0 td-sidebar-link td-sidebar-link__page"
id=m-enblog10101security><span>Security</span></a></label></li></ul></li></ul></li></ul></nav></div></div><main
class="col-12 col-md-9 col-xl-8 pl-md-5" role=main><nav aria-label=breadcrumb
class="td-breadcrumbs td-breadcrumbs__single"><ol class=breadcrumb><li
class="breadcrumb-item active" aria-current=page><a
href=https://dubbo.apache.org/en/blog/ aria [...]
-We strongly encourage folks to report such problems to our private security
…</p><p class=pt-0><a href=/en/blog/1/01/01/security/ aria-label="Read more -
Security">Read more</a></p></div></li><li class="media mb-4"><div
class=media-body><h5 class="mt-0 mb-1"><a
href=/en/blog/1/01/01/serialization-protocol-security/>Serialization Protocol
Security</a></h5><p class="mb-2 mb-md-3"><small class=text-muted>Monday,
January 01, 0001 in Security notices</small></p><header class=article-meta><div
[...]
+We strongly encourage folks to report such problems to our private security
…</p><p class=pt-0><a href=/en/blog/1/01/01/security/ aria-label="Read more -
Security">Read more</a></p></div></li><li class="media mb-4"><div
class=media-body><h5 class="mt-0 mb-1"><a
href=/en/blog/1/01/01/serialization-protocol-security/>Serialization Protocol
Security</a></h5><p class="mb-2 mb-md-3"><small class=text-muted>Monday,
January 01, 0001 in Security notices</small></p><header class=article-meta><div
[...]
In the Triple protocol’s Wrapper …</p><p class=pt-0><a
href=/en/blog/1/01/01/serialization-protocol-security/ aria-label="Read more -
Serialization Protocol Security">Read
more</a></p></div></li></ul></div></div><div class="row pl-2 pt-2"><div
class=col><ul class="pagination pagination-default"><li class=page-item><a
href=/en/blog/ aria-label=First class=page-link role=button><span
aria-hidden=true>««</span></a></li><li class=page-item><a
href=/en/blog/page/4/ aria-label= [...]
<button class="btn btn-primary mb-4
feedback--no">No</button></div><script>const
yes=document.querySelector(".feedback--yes"),no=document.querySelector(".feedback--no");document.querySelectorAll(".feedback--link").forEach(e=>{e.href=e.href+window.location.pathname});const
sendFeedback=e=>{gtag||console.log("!gtag"),gtag("event","click",{event_category:"Helpful",event_label:window.location.pathname,value:e})},disableButtons=()=>{yes.disabled=!0,yes.classList.add("feedback--button__disable
[...]
<a
href="https://github.com/apache/dubbo-website/new/master/content/en/blog/_index.md?filename=change-me.md&value=---%0Atitle%3A+%22Long+Page+Title%22%0AlinkTitle%3A+%22Short+Nav+Title%22%0Aweight%3A+100%0Adescription%3A+%3E-%0A+++++Page+description+for+heading+and+indexes.%0A---%0A%0A%23%23+Heading%0A%0AEdit+this+template+to+create+your+new+page.%0A%0A%2A+Give+it+a+good+name%2C+ending+in+%60.md%60+-+e.g.+%60getting-started.md%60%0A%2A+Edit+the+%22front+matter%22+section+at+the+top+o
[...]
diff --git a/en/blog/security-notices/index.xml
b/en/blog/security-notices/index.xml
index b940ce900db..5f065a08a89 100644
--- a/en/blog/security-notices/index.xml
+++ b/en/blog/security-notices/index.xml
@@ -1,8 +1,14 @@
<rss version="2.0"
xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo –
Security
notices</title><link>https://dubbo.apache.org/en/blog/security-notices/</link><description>Recent
content in Security notices on Apache Dubbo</description><generator>Hugo --
gohugo.io</generator><language>en</language><atom:link
href="https://dubbo.apache.org/en/blog/security-notices/index.xml" rel="self"
type="application/rss+xml"/><item><title>Blog: Serialization Protocol
Security</title [...]
-<p>Dubbo 3.0 has enhanced the security aspects of serialization protocols
and recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
+<p>Dubbo 3 has enhanced the security aspects of serialization protocols and
recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
<p>In the Triple protocol&rsquo;s Wrapper mode, compatibility with
other serialization data is allowed, offering good compatibility. However,
other protocols may have deserialization security flaws. For the Hessian2
protocol, users who require high-security attributes should enable whitelist
mode according to the sample code. The framework will enable blacklist mode by
default to block malicious calls.</p>
<p>Using other serialization protocols is not recommended. When an attacker
can access the Provider interface, security flaws in other serialization
protocols may lead to command execution through the Provider interface.</p>
-<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the
registry.</p></description></item><item><title>Blog:
Security</title><link>https://dubbo.apache.org/en/blog/1/01/01/security/</lin
[...]
+<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the registry.</p>
+<h2 id="notice">Notice</h2>
+<p>The following serializations are proved that not safe enough to transfer
on network and not recommend to use.</p>
+<ul>
+<li>native-hessian</li>
+<li>native-java (Java ObjectOutputStream and ObjectInputStream)</li>
+</ul></description></item><item><title>Blog:
Security</title><link>https://dubbo.apache.org/en/blog/1/01/01/security/</link><pubDate>Mon,
01 Jan 0001 00:00:00
+0000</pubDate><guid>https://dubbo.apache.org/en/blog/1/01/01/security/</guid><description>
<h2 id="reporting-security-issues">Reporting security issues</h2>
<p>The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against its products.</p>
<p>We strongly encourage folks to report such problems to our private
security mailing list first, before disclosing them in a public forum.</p>
diff --git a/en/index.xml b/en/index.xml
index 7f212572e47..02a59518d61 100644
--- a/en/index.xml
+++ b/en/index.xml
@@ -1,8 +1,14 @@
<rss version="2.0"
xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo – Apache
Dubbo</title><link>https://dubbo.apache.org/en/</link><description>Recent
content on Apache Dubbo</description><generator>Hugo --
gohugo.io</generator><language>en</language><atom:link
href="https://dubbo.apache.org/en/index.xml" rel="self"
type="application/rss+xml"/><item><title>Blog: Serialization Protocol
Security</title><link>https://dubbo.apache.org/en/blog/1/01/01/serialization-protoc
[...]
-<p>Dubbo 3.0 has enhanced the security aspects of serialization protocols
and recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
+<p>Dubbo 3 has enhanced the security aspects of serialization protocols and
recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
<p>In the Triple protocol&rsquo;s Wrapper mode, compatibility with
other serialization data is allowed, offering good compatibility. However,
other protocols may have deserialization security flaws. For the Hessian2
protocol, users who require high-security attributes should enable whitelist
mode according to the sample code. The framework will enable blacklist mode by
default to block malicious calls.</p>
<p>Using other serialization protocols is not recommended. When an attacker
can access the Provider interface, security flaws in other serialization
protocols may lead to command execution through the Provider interface.</p>
-<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the
registry.</p></description></item><item><title>Blog: Advanced cloud native -
Dubbo 3.2 officially released</title><link>https://du [...]
+<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the registry.</p>
+<h2 id="notice">Notice</h2>
+<p>The following serializations are proved that not safe enough to transfer
on network and not recommend to use.</p>
+<ul>
+<li>native-hessian</li>
+<li>native-java (Java ObjectOutputStream and ObjectInputStream)</li>
+</ul></description></item><item><title>Blog: Advanced cloud native - Dubbo
3.2 officially
released</title><link>https://dubbo.apache.org/en/blog/2023/04/15/advanced-cloud-native-dubbo-3.2-officially-released/</link><pubDate>Sat,
15 Apr 2023 00:00:00
+0000</pubDate><guid>https://dubbo.apache.org/en/blog/2023/04/15/advanced-cloud-native-dubbo-3.2-officially-released/</guid><description>
<h2 id="background-introduction">Background introduction</h2>
<p>Apache Dubbo is an RPC service development framework, which is used to
solve service governance and communication problems under the microservice
architecture. It officially provides multi-language SDK implementations such as
Java and Golang. The microservices developed using Dubbo are natively capable
of remote address discovery and communication with each other. Using the rich
service governance features provided by Dubbo, service governance demands such
as service discovery, loa [...]
<h2 id="rest-protocol-support">Rest protocol support</h2>
diff --git a/en/sitemap.xml b/en/sitemap.xml
index 84dfb9c5db4..da37740477d 100644
--- a/en/sitemap.xml
+++ b/en/sitemap.xml
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?><urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://dubbo.apache.org/en/docs3-v2/java-sdk/faq/0/</loc><lastmod>2023-01-02T18:18:49+08:00</lastmod><changefreq>monthly</changefreq><priority>0.5</priority></url><url><loc>https://dubbo.apache.org/en/docs3-v2/java-sdk/faq/0/1/</loc><lastmod>2023-01-03T15:09:00+08:00</lastmod><changefreq>monthly</changefreq><priority>0.5<
[...]
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8" standalone="yes"?><urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://dubbo.apache.org/en/docs3-v2/java-sdk/faq/0/</loc><lastmod>2023-01-02T18:18:49+08:00</lastmod><changefreq>monthly</changefreq><priority>0.5</priority></url><url><loc>https://dubbo.apache.org/en/docs3-v2/java-sdk/faq/0/1/</loc><lastmod>2023-01-03T15:09:00+08:00</lastmod><changefreq>monthly</changefreq><priority>0.5<
[...]
\ No newline at end of file
diff --git a/en/tags/security-vulnerabilities/index.xml
b/en/tags/security-vulnerabilities/index.xml
index 50f9091a59b..217db8cda8e 100644
--- a/en/tags/security-vulnerabilities/index.xml
+++ b/en/tags/security-vulnerabilities/index.xml
@@ -1,5 +1,11 @@
<rss version="2.0"
xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo –
Security
Vulnerabilities</title><link>https://dubbo.apache.org/en/tags/security-vulnerabilities/</link><description>Recent
content in Security Vulnerabilities on Apache
Dubbo</description><generator>Hugo --
gohugo.io</generator><language>en</language><atom:link
href="https://dubbo.apache.org/en/tags/security-vulnerabilities/index.xml"
rel="self" type="application/rss+xml"/><item><title>Blog: Serial [...]
-<p>Dubbo 3.0 has enhanced the security aspects of serialization protocols
and recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
+<p>Dubbo 3 has enhanced the security aspects of serialization protocols and
recommends using the Triple protocol in non-Wrapper mode. This protocol is
secure by default but requires developers to write IDL files.</p>
<p>In the Triple protocol&rsquo;s Wrapper mode, compatibility with
other serialization data is allowed, offering good compatibility. However,
other protocols may have deserialization security flaws. For the Hessian2
protocol, users who require high-security attributes should enable whitelist
mode according to the sample code. The framework will enable blacklist mode by
default to block malicious calls.</p>
<p>Using other serialization protocols is not recommended. When an attacker
can access the Provider interface, security flaws in other serialization
protocols may lead to command execution through the Provider interface.</p>
-<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the
registry.</p></description></item></channel></rss>
\ No newline at end of file
+<p>If you must use other serialization protocols and wish to maintain some
level of security, you should enable the Token authentication mechanism. This
will prevent threats to the Provider&rsquo;s security from unauthenticated
and untrusted request sources. When enabling Token authentication, you should
also enable the authentication feature in the registry.</p>
+<h2 id="notice">Notice</h2>
+<p>The following serializations are proved that not safe enough to transfer
on network and not recommend to use.</p>
+<ul>
+<li>native-hessian</li>
+<li>native-java (Java ObjectOutputStream and ObjectInputStream)</li>
+</ul></description></item></channel></rss>
\ No newline at end of file
diff --git a/sitemap.xml b/sitemap.xml
index 111145d56aa..2a64691c03d 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?><sitemapindex
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><sitemap><loc>https://dubbo.apache.org/zh-cn/sitemap.xml</loc><lastmod>2023-10-19T19:26:31+08:00</lastmod></sitemap><sitemap><loc>https://dubbo.apache.org/en/sitemap.xml</loc><lastmod>2023-10-18T10:05:04+08:00</lastmod></sitemap></sitemapindex>
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8" standalone="yes"?><sitemapindex
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><sitemap><loc>https://dubbo.apache.org/zh-cn/sitemap.xml</loc><lastmod>2023-10-19T19:26:31+08:00</lastmod></sitemap><sitemap><loc>https://dubbo.apache.org/en/sitemap.xml</loc><lastmod>2023-10-20T15:21:02+08:00</lastmod></sitemap></sitemapindex>
\ No newline at end of file