On 01/15/2014 08:13 AM, Richard Seddon wrote:
Just thought I'd let you know that we released a patched version of XStream to
address the vulnerability our use of XStream deserialization caused in Sonatype
Nexus.
The code can be found here:
https://github.com/sonatype/xstream-whitelist
This code is designed specifically for use in Nexus; it isn't intended for
use in other projects.
A high level overview of it is here (this link is for end users, so is
simplified a lot):
https://sonatype.zendesk.com/entries/37551958-Configuring-Xstream-Whitelist
If any of the code in the github repo is of use to you please feel free to take
it.
Regards,
Rich
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
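An added illustration of the allow-list idea Rich describes, written for this thread and not taken from the sonatype/xstream-whitelist repository: it uses upstream XStream's own type-permission API (present since XStream 1.4.7) rather than the fork's mechanism, the Artifact class is hypothetical, and both XML inputs are constructed samples.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {

    // Hypothetical application type that the XML is expected to carry.
    public static class Artifact {
        public String groupId;
        public String artifactId;
        public String version;
    }

    // Build an XStream instance that starts from "deny every type" and then
    // re-enables only the types this application actually deserialises.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);          // forbid everything
        xstream.addPermission(NullPermission.NULL);            // allow null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Artifact.class });
        xstream.alias("artifact", Artifact.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input naming only allow-listed types: accepted.
        String ok = "<artifact><groupId>org.example</groupId>"
                  + "<artifactId>demo</artifactId><version>1.0</version></artifact>";
        Artifact a = (Artifact) xstream.fromXML(ok);
        System.out.println("Accepted " + a.groupId + ":" + a.artifactId + ":" + a.version);

        // Constructed input naming a type that is not on the allow-list:
        // the hardened instance refuses it before any object is created.
        String rejected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(rejected);
            System.out.println("Unexpected: non-allow-listed type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```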
Thanks for the heads up, Rich. I'm just a bit confused as to whether it
is the correct thing moving forward for Nexus to use a different CVE ID
than XStream itself. MITRE assigned CVE-2013-7285 to this issue in XStream:
http://www.openwall.com/lists/oss-security/2014/01/10/1
It would make sense for Nexus to have its own CVE ID if the Nexus patch
was made to code independent of XStream, but it looks like the patch has
been made directly to the XStream library, and as discussed in this
thread, is basically an alternative implementation to XStream's own
patch for CVE-2013-7285. Based on my understanding of the CVE assignment
rules, the Nexus flaw should also be identified by CVE-2013-7285, but I
could be wrong. I absolutely understand why Nexus assigned a CVE ID
independently for this flaw, but I think it is a duplicate of
CVE-2013-7285. I have copied cve@mitre on this message for their input.
Thanks
David