[
https://issues.apache.org/jira/browse/OFBIZ-6752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15043281#comment-15043281
]
Jacques Le Roux commented on OFBIZ-6752:
----------------------------------------
Actually, working with "OWASP Dependency Check" on OFBiz to identify and
possibly fix dependency vulnerabilities is very tedious (you need to check
issues one by one, put the possible suppress information in the suppression
file, run the check again, etc.). It appears, I guess because it's disputed
by the Tomcat team [1], that CVE-2013-2185 is also not fixed in Tomcat up to 7.0.65, and
I guess it will not be either in Tomcat 8 or 9.
[1] <<The dispute appears to regard whether it is the responsibility of
applications to avoid providing untrusted data to be deserialized, or whether
this class should inherently protect against this issue.>>
> Updates Tomcat to 7.0.65
> ------------------------
>
> Key: OFBIZ-6752
> URL: https://issues.apache.org/jira/browse/OFBIZ-6752
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 13.07.03, Upcoming Branch
>
>
> Though disputed, CVE-2013-2185 indicates a possible vulnerability with
> jasper.jar. Better safe than sorry: I will backport to all concerned branches
> (R14 and R13).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
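The "suppress information in the suppression file" step mentioned in the comment, as an added example of an OWASP Dependency Check suppression entry (not a file from the OFBiz project); the Maven coordinates used to match the jar are an assumption, since the issue only names jasper.jar.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency Check; not OFBiz project code.
     The tomcat-jasper coordinates below are assumed: the issue only names jasper.jar. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <!-- record why the finding is accepted so the decision can be reviewed later -->
        <notes><![CDATA[
        CVE-2013-2185 is disputed by the Tomcat team (see OFBIZ-6752); reviewed and
        accepted as not applicable. Re-check when the Tomcat 7.0.65 jar is replaced.
        ]]></notes>
        <!-- match the artifact by Maven coordinates rather than by file name,
             so a renamed or relocated jar does not silently escape the rule -->
        <gav regex="true">^org\.apache\.tomcat:tomcat-jasper:.*$</gav>
        <!-- scope the suppression to this one CVE only -->
        <cve>CVE-2013-2185</cve>
    </suppress>
</suppressions>
```

Limiting the entry to a single CVE keeps any other finding against the same jar visible on the next run, instead of suppressing the artifact wholesale.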