[ https://issues.apache.org/jira/browse/VELOCITY-982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Claude Brisson closed VELOCITY-982.
-----------------------------------
    Fix Version/s: 2.4
         Assignee: Claude Brisson
       Resolution: Fixed

Requested restrictions have been added by commit 2c15764e

> Velocity 2.x - Velocity.properties - Additional introspector.restrict.classes
> -----------------------------------------------------------------------------
>
>                 Key: VELOCITY-982
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-982
>             Project: Velocity
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 2.0, 2.1, 2.2, 2.3, 2.4.2
>            Reporter: John Tal
>            Assignee: Claude Brisson
>            Priority: Major
>             Fix For: 2.4
>
>
> In Velocity.properties, the introspector.restrict.classes entries.
> I assume additions to this file in that section resolved CVE-2020-13936
> (templating can interact with the system)? Please confirm which commits,
> classes or settings did indeed resolve CVE-2020-13936. We really need to know
> because we are stuck on 1.7 and need to fork/patch.
>
> Along these lines of further security hardening, aren't there more entries
> needed in the introspector.restrict.classes section, such as:
>
> java.lang.ProcessBuilder
> java.lang.Reflect
> javax.management.MBeanServer
> java.net.Socket
> javax.script.ScriptEngine
>
> Finally, please confirm whether Velocity is largely in CVE patch mode only
> and is not really an active project, given that there is much more talk today
> about Apache FreeMarker. Just trying to determine the level of support and
> engagement from the Apache Velocity maintainers.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
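As an added example (not from this ticket, the linked commit, or the velocity.properties shipped with Velocity), the fragment below shows how the entries the reporter asks about are enforced in a Velocity 2.x configuration handed to the engine: the introspector.restrict.classes and introspector.restrict.packages keys are only read by SecureUberspector, so that uberspector has to be selected first. The reporter's "java.lang.Reflect" is not a JDK class; it is assumed here to mean the java.lang.reflect package and is listed under introspector.restrict.packages instead.

```properties
# Select the secure uberspector. Without this line the introspector.restrict.*
# keys below are read by nothing and templates keep full method access.
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector

# Classes whose methods templates may never invoke: the classes the reporter
# lists plus the usual runtime/process/reflection entry points (assumed set,
# trim or extend for the application).
introspector.restrict.classes = java.lang.Runtime, \
                                java.lang.Process, \
                                java.lang.ProcessBuilder, \
                                java.lang.System, \
                                java.lang.Class, \
                                java.lang.ClassLoader, \
                                java.lang.Thread, \
                                java.lang.ThreadGroup, \
                                javax.management.MBeanServer, \
                                java.net.Socket, \
                                javax.script.ScriptEngine, \
                                javax.script.ScriptEngineManager

# Whole packages to block by name prefix. java.lang.reflect is assumed to be
# what the reporter meant by "java.lang.Reflect".
introspector.restrict.packages = java.lang.reflect
```

A quick way to check the setting took effect is to render a template that calls a method on one of the listed classes and confirm the reference stays unresolved in the output and a warning appears in the engine log.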