Author: jleroux
Date: Thu Aug 18 11:25:00 2016
New Revision: 1756758
URL: http://svn.apache.org/viewvc?rev=1756758&view=rev
Log:
Updates for Gradle
Modified:
ofbiz/trunk/tools/security/notsoserial/README.txt
Modified: ofbiz/trunk/tools/security/notsoserial/README.txt
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/notsoserial/README.txt?rev=1756758&r1=1756757&r2=1756758&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/notsoserial/README.txt (original)
+++ ofbiz/trunk/tools/security/notsoserial/README.txt Thu Aug 18 11:25:00 2016
@@ -2,6 +2,6 @@ The notsoserial Java agent was introduce
We (PMC) decided to comment out RMI OOTB but we also decided to provide a
simple way to protect yourself from all possible Java serialize vulnerabilities.
While working on the serialize vulnerability, I (Jacques Le Roux) stumbled
upon this article
https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/
and found notsoserial was a Java agent better than the Contrast one I
introduced at r1717058. Because notsoserial easily protects you from all
possible serialize vulnerabilities as explained at
https://github.com/kantega/notsoserial#rejecting-deserialization-entirely
-So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735 +
r1730736. To be safe in case you use RMI for instance, use one of the
start*-secure ant targets or use the JVM arguments those targets use.
+So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735 +
r1730736. It's now embedded in OFBiz and called by all running Gradle tasks.
You might find more information at
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability
\ No newline at end of file
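Review bot: the replaced line in this hunk drops the only instruction for enabling the agent outside the Gradle tasks (the old text pointed readers to the start*-secure targets "or use the JVM arguments those targets use"), while the new wording only states that notsoserial is "called by all running Gradle tasks"; anyone who launches OFBiz by another route (a custom start script, a container entrypoint) is left with no way to reproduce the protection. Suggest keeping a sentence that names the JVM argument the Gradle tasks use to attach the agent, so the same deserialization blocking can be applied to a launcher that does not go through Gradle. Minor: the file still ends without a trailing newline ("\ No newline at end of file"); adding one keeps future diffs of this README clean.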