AFAIK, 2.7.7 has just been released with a fix for one vulnerability issue; there's another one still under development in 2.7.8.
I will help to check and confirm with the release manager when I come back to the office.

Jun

> On May 26, 2020, at 6:32 PM, Apache Security Team <[email protected]> wrote:
>
> PING please respond.
>
> Mark
>
> On Wed, May 13, 2020 at 2:09 PM Apache Security Team <[email protected]> wrote:
>>
>> Hi, we've not seen any progress on these, do you have an update?
>>
>> Thank you, Mark
>>
>> On Tue, Mar 31, 2020 at 1:42 PM Mark J Cox <[email protected]> wrote:
>>>
>>> Hi team, you got a lot of issues recently. Can you confirm if you have investigated them and/or talked to the reporters?
>>>
>>> dubbo: Dubbo after-deserialization vulnerability [43 days] [dubbo/2020-02-17]
>>> dubbo: Apache Dubbo rmi deserialization vulnerability [46 days] [dubbo/2020-02-17]
>>> dubbo: Dubbo Security Vulnerability Report [43 days] [dubbo/2020-02-17]
>>> dubbo: Dubbo hessian deserialization vulnerability (cause by rome-1.7.0.jar) [35 days] [dubbo/2020-02-26]
>>> dubbo: Re: Dubbo Provider default deserialization cause RCE [49 days] [dubbo/CVE-2020-1948]
>>>
>>> I do note that Hessian was mentioned in other reports to other projects; in one case (Cayenne) they noted that "upgrade Java to 1.8.0_242" was a solution and therefore we didn't treat these as issues in Cayenne/Hessian at all.
>>>
>>> Thanks,
>>> Mark J Cox
>>> VP ASF Security
