I created https://issues.apache.org/jira/browse/OFBIZ-12212 for that
Le 25/03/2021 à 20:41, Michael Brohl a écrit :
+1
Michael
Am 25.03.2021 um 18:35 schrieb Jacques Le Roux <jacques.le.r...@les7arts.com>:
Hi,
After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
I don't think we need a vote for that, but of course all opinions are welcome
Thanks
[1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code
because of the Java deserialization issue [CVE-2016-2170] "
Jacques
