Author: jleroux
Date: Tue Sep 13 06:43:34 2016
New Revision: 1760484

URL: http://svn.apache.org/viewvc?rev=1760484&view=rev
Log:
Completes: Put notsoserial in Attic
OFBIZ-8241

We decided to no longer support notsoserial because we not only no longer have 
issues OOTB, but also because the classes protected by default are now also 
covered by the external libs themselves, even those we don't use OOTB.

Those who use RMI, JNDI, JMX or Spring and maybe other Java classes OFBiz does 
not use OOTB would still be at risk if they don't use a tool like notsoserial. 
So we will amend the 
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability 
Wiki page to let them know about that.
The main OFBiz README.MD file is also modified to be sure this is known by our 
users. BTW adding a security section is certainly a good idea.


Removed:
    ofbiz/trunk/tools/security/notsoserial/
Modified:
    ofbiz/trunk/README.md
    ofbiz/trunk/build.gradle

Modified: ofbiz/trunk/README.md
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/README.md?rev=1760484&r1=1760483&r2=1760484&view=diff
==============================================================================
--- ofbiz/trunk/README.md (original)
+++ ofbiz/trunk/README.md Tue Sep 13 06:43:34 2016
@@ -26,6 +26,15 @@ command `gradlew eclipse` before creatin
 This command will prepare OFBiz for Eclipse with the correct classpath and 
settings 
 by creating the.classpath and .project files.
 
+Security
+-------------------
+You can trust the OFBiz Project Management Committee members and committers do 
their best to keep OFBiz secure from external exploits, and fix vulnerabilities 
as soon as they are known. Despite these efforts, if ever you find and want to 
report a security issue, please report at: security @ ofbiz.apache.org, before 
disclosing them in a public forum.
+
+>_Note_: Be sure to read this Wiki page if ever you plan to use RMI, JNDI, JMX 
or Spring and maybe other Java classes OFBiz does not use Out Of The Box 
(OOTB): [The infamous Java serialization 
vulnerability](https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability)
+
+You can find more information about security in OFBiz at [Keeping OFBiz 
secure](https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure) 
+
+
 Quick start
 -----------
 
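Review bot: the added note in the Security section tells readers to consult the wiki page when they use RMI, JNDI, JMX or Spring, but it never says why that matters: as of this commit OFBiz no longer bundles the notsoserial agent, so a stock build carries no JVM-level guard against deserialization of untrusted data on those endpoints, and anyone exposing them must provide their own filtering. Suggest saying that plainly in the note, e.g. `>_Note_: OFBiz no longer bundles a deserialization guard (the notsoserial agent was removed). If you plan to use RMI, JNDI, JMX or Spring ...`. Two smaller points in the same hunk: the reporting sentence repeats "report" ("if ever you find and want to report a security issue, please report at"), and the address is written as `security @ ofbiz.apache.org` with spaces, which a reader copying it will get wrong; also the section ends with two blank lines where the rest of the file uses one.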

Modified: ofbiz/trunk/build.gradle
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/build.gradle?rev=1760484&r1=1760483&r2=1760484&view=diff
==============================================================================
--- ofbiz/trunk/build.gradle (original)
+++ ofbiz/trunk/build.gradle Tue Sep 13 06:43:34 2016
@@ -31,11 +31,7 @@ apply from: 'common.gradle'
 ext.os = System.getProperty('os.name').toLowerCase()
 
 // java settings
-def jvmArguments = ['-Xms128M', '-Xmx1024M',
-    
"-javaagent:${rootDir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar",
-    "-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoserial/empty.txt",
-    
"-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/is-deserialized.txt",
-    
"-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/deserialize-trace.txt"]
+def jvmArguments = ['-Xms128M', '-Xmx1024M']
 ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
 javadoc.failOnError = false
 sourceCompatibility = '1.8'
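Review bot: the removed agent configuration was already in dry-run mode (`-Dnotsoserial.dryrun=...` together with an empty whitelist), so it only recorded the classes being deserialized to is-deserialized.txt rather than rejecting them; the commit log would be clearer if it stated that no active blocking is being given up by this change. Since `jvmArguments` is the one place an operator would re-add a Java agent or a serialization filter, a one-line comment above it pointing at the "infamous Java serialization vulnerability" wiki page would keep the build file and the new README Security section in step.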

