Control: severity -1 important Le 22/05/2020 à 22:51, Salvatore Bonaccorso a écrit :
> The following vulnerability was published for jodd. I'm filling it as > RC severity since altough one might dispute the severity for the issue > itself, it looks that in Debian there was ever only one upload of > jodd, there are no reverse (build) dependencies neither. > > Is the package acutally of some use or planned use? Thank you for the report Salvatore. jodd is a new dependency of JMeter 3, I haven't finished the packaging yet. Note that the fix for CVE-2018-21234 merely adds an optional whitelisting feature to check the classes being deserialized. But the default behavior is still the same (no check), so the charge of addressing the vulnerability is actually shifted to the applications using jodd. Emmanuel Bourg