[ https://issues.apache.org/jira/browse/OFBIZ-6926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-6926.
----------------------------------
    Resolution: Fixed

> Replace the contrast Java agent by the notsoserial Java agent
> -------------------------------------------------------------
>
>                 Key: OFBIZ-6926
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6926
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: tools/security
>   Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, Upcoming Branch
>
>
> The goal is to replace the contrast Java agent by the notsoserial Java agent
> which can be used to protect OFBiz instances from possible Java serialize
> vulnerabilities.
> For that we need to modify the *-secure targets (start-secure,
> start-batch-secure, start-pos-secure, start-both-secure) to use the
> notsoserial Java agent with its most secure setting.
> See
> https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability
> for more information
> The notsoserial Java agent is placed in the tools/security/notsoserial folder
> and a dependency-check folder created under the tools/security folder to move
> there the dependency-check files from the tools/security folder.
> The trunk demo will be using the notsoserial Java agent ASAP. The older ones
> will keep the contrast Java agent which should be enough as soon as we
> comment out the RMI stuff in OFBiz.
> Users need to care anyway...

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)