coheigea opened a new pull request, #283: URL: https://github.com/apache/directory-ldap-api/pull/283
The deserialization code in SequencedHashMap is a security risk:

```
SequencedHashMap.readExternal() calls in.readObject() for both keys and values without any type restriction, which is a classic gadget-chain deserialization vector. The other readExternal implementations deserialize known types via internal delegation, but are all exposed to any caller that passes an untrusted ObjectInput.
```

We don't use it in the API or Directory Server so let's just remove it
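The pattern the PR describes, and the reading-side mitigation that applies when such a class cannot simply be removed, as an added example that is not code from the PR or from the directory-ldap-api project. `ArbitraryMap` is a constructed stand-in for an `Externalizable` class whose `readExternal()` reads keys and values with unrestricted `in.readObject()`; `ALLOW_LIST`, `serialize` and `deserializeFiltered` are helpers written for this example. The filter uses the standard `java.io.ObjectInputFilter` API (JEP 290, Java 9+), which rejects any class not on the allow-list before it is instantiated:

```java
import java.io.*;
import java.util.*;

public final class RiskyMapDemo {

    // Constructed example of the risky pattern: an Externalizable map that
    // reads back whatever object classes the stream names.
    public static final class ArbitraryMap implements Externalizable {
        private final Map<Object, Object> entries = new LinkedHashMap<>();

        public ArbitraryMap() {}  // public no-arg constructor required by Externalizable

        public void put(Object k, Object v) { entries.put(k, v); }
        public Map<Object, Object> view() { return Collections.unmodifiableMap(entries); }

        @Override
        public void writeExternal(ObjectOutput out) throws IOException {
            out.writeInt(entries.size());
            for (Map.Entry<Object, Object> e : entries.entrySet()) {
                out.writeObject(e.getKey());
                out.writeObject(e.getValue());
            }
        }

        @Override
        public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
            int n = in.readInt();
            for (int i = 0; i < n; i++) {
                // No type restriction: any Serializable class encoded in the
                // stream is resolved and instantiated here.
                Object k = in.readObject();
                Object v = in.readObject();
                entries.put(k, v);
            }
        }
    }

    // Mitigation on the consuming side: a deserialization filter that allows
    // only the classes this stream is expected to carry and rejects all others
    // ("!*"). Boxed Integer needs its superclass Number allowed too, because the
    // filter checks the whole class hierarchy.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "RiskyMapDemo$ArbitraryMap;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);  // installed before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected content passes the filter.
        ArbitraryMap ok = new ArbitraryMap();
        ok.put("cn", "alice");
        ok.put("uid", 42);
        ArbitraryMap back = (ArbitraryMap) deserializeFiltered(serialize(ok));
        System.out.println("accepted: " + back.view());

        // A class outside the allow-list (java.util.Date stands in for any
        // unexpected type) is rejected with InvalidClassException before
        // its deserialization logic runs.
        ArbitraryMap odd = new ArbitraryMap();
        odd.put("when", new Date(0));
        try {
            deserializeFiltered(serialize(odd));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is the consumer's control, not the class's: an `Externalizable` class cannot know whether the `ObjectInput` handed to it carries a filter, which is why the PR's observation that every such implementation is "exposed to any caller that passes an untrusted ObjectInput" holds regardless of how the class itself is written. Removing the unused code, as the PR does, eliminates the surface entirely; where that is not an option, a process-wide filter via `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property covers streams the application does not construct itself.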
