Hi Rich,

Richard Seddon wrote:

> 
> Just thought I'd let you know that we released a patched version of
> XStream to address the vulnerability our use of XStream deserialization
> caused in Sonatype Nexus.
> 
> The code can be found here:
> 
> https://github.com/sonatype/xstream-whitelist
> 
> This code is designed specifically for use in Nexus, it isn't intended
> for use in other projects.
> 
> A high level overview of it is here (this link is for end users, so is
> simplified a lot):
> 
> https://sonatype.zendesk.com/entries/37551958-Configuring-Xstream-Whitelist
> 
> If any of the code in the github repo is of use to you please feel free to
> take it.

Well, normally I am happy if someone contributes code, but here I wonder 
why an alternate implementation to the existing one is suddenly presented, 
without any prior notice that you wanted to work on this or which 
requirements the existing code did not meet.

You actually implemented a slightly different approach than what we 
have in trunk. We have similar possibilities to allow/deny types. 
Configuration will follow our standard pattern using the XStream facade. 
Documentation is not finished and trunk has to be merged into the 1.4.x 
branch, but that will be done as soon as possible.

Regards,
Jörg

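A sketch of the allow/deny type configuration Jörg refers to, added here as an illustration and not code from this thread, from Sonatype's repository or from XStream itself; it assumes XStream 1.4.7 or later (where `addPermission`, `allowTypes`, `allowTypeHierarchy` and `denyTypes` exist on the facade), and `Person` is a constructed sample class.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistDemo {

    // Constructed sample type: the only application class XStream may instantiate.
    public static class Person {
        String name;
        int age;
    }

    // Build an XStream instance that refuses every type not on an explicit allow list.
    static XStream whitelistedXStream() {
        XStream xstream = new XStream();
        xstream.alias("person", Person.class);
        // Start from "deny everything", then re-open only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.allowTypeHierarchy(java.util.Collection.class);
        // A deny registered after an allow is consulted first, so it narrows the
        // Collection hierarchy opened above.
        xstream.denyTypes(new Class[] { java.util.Vector.class });
        return xstream;
    }

    // Returns true if the stream was accepted, false if the type check rejected it.
    static boolean tryUnmarshal(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = whitelistedXStream();
        // Allowed: aliased element maps to the whitelisted Person class.
        tryUnmarshal(xstream, "<person><name>Alice</name><age>30</age></person>");
        // Rejected before instantiation: class name is not on the allow list.
        tryUnmarshal(xstream, "<java.io.File/>");
        // Rejected by the explicit deny although Vector is a Collection.
        tryUnmarshal(xstream, "<java.util.Vector/>");
    }
}
```

The check happens in the mapper when the element name is resolved to a class, so a rejected type is never constructed.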

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email
