[ https://issues.apache.org/jira/browse/OFBIZ-6942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15205090#comment-15205090 ]
Jacques Le Roux edited comment on OFBIZ-6942 at 4/8/16 8:39 PM:
----------------------------------------------------------------
Done in
trunk r1736083+r1736087
R15.12 r1736084+r1736088
R14.12 r1736085+r1736089
R13.07 r1736092+1736154
was (Author: jacques.le.roux):
Done in
trunk r1736083+r1736087
R15.12 r1736084+r1736088
R14.12 r1736085+r1736089
R13.07 r1736092
> Comment out RMI related code because of the Java deserialization issue
> [CVE-2016-2170]
> ---------------------------------------------------------------------------------------
>
> Key: OFBIZ-6942
> URL: https://issues.apache.org/jira/browse/OFBIZ-6942
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 13.07.03, 15.12.01
>
>
> Because of the danger of Java deserialization when using RMI, we (PMC) have
> decided to comment out RMI related code.
> We decided to comment out as little as possible because when, in the start and
> both properties, the rmi part is off and the RMI test services are off there
> is no RMI related danger left (RMI test services are not a danger but would
> fail during test runs).
> It's then easier for users who need RMI in their projects to have only to
> uncomment those and not dig everywhere.
> Note that since the naming (JNDI) server relies on the rmi loader it will
> also fail.
> You can get more information in the wiki page linked below in the "Issue Links"
> section.