[
https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
]
Moritz Bechler commented on AMQ-6013:
-------------------------------------
Yes, that's correct.
There has been some discussion about how to assign CVEs for these issues on
oss-security that imho has not really come to a sensible conclusion (these both
directly refer to commons-collections, I think we should have a more general
one). If you don't want to go through that again, I think referring to
CVE-2015-4852 would be the most appropriate choice (at least Oracle has suggested
that they are okay with its reuse: http://seclists.org/oss-sec/2015/q4/306).
Maybe you should check back with the Apache Security Team to see what their
opinion on this is.
> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
> Key: AMQ-6013
> URL: https://issues.apache.org/jira/browse/AMQ-6013
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.12.0
> Reporter: Dejan Bosanac
> Assignee: Dejan Bosanac
> Fix For: 5.11.3, 5.13.0
>
>
> At some points we do (de)serialization of JMS Object messages inside the
> broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can
> be serialized in this way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
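As an added illustration of the restriction the issue asks for (example code, not ActiveMQ's own implementation): an ObjectInputStream subclass that refuses to resolve any class outside a configured allowlist, so an untrusted class in the payload is rejected before it is loaded or instantiated. The allowlist and sample payloads are constructed for the demo; on Java 8u121+/9+ the built-in ObjectInputFilter (JEP 290) serves the same purpose.

```java
import java.io.*;
import java.util.*;

/** Added example: an ObjectInputStream that resolves only allowlisted classes. */
public class RestrictedObjectInputStream extends ObjectInputStream {
    // Constructed allowlist for this demo; a broker would load it from configuration.
    private final Set<String> allowed;

    public RestrictedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        boolean array = name.startsWith("[");
        // Normalise array descriptors such as "[Ljava.util.HashMap;" to the element class name.
        while (name.startsWith("[")) name = name.substring(1);
        if (array && name.length() == 1) return super.resolveClass(desc); // primitive array, e.g. int[]
        if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        if (!allowed.contains(name)) {
            // Rejecting here means the class is never loaded, so no constructor or readObject runs.
            throw new InvalidClassException(name, "class not permitted in ObjectMessage payload");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Integer's serialized descriptor chain includes java.lang.Number, so both must be listed.
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));
        Map<String, Integer> payload = new HashMap<>();
        payload.put("count", 3);
        try (ObjectInputStream in = new RestrictedObjectInputStream(
                new ByteArrayInputStream(serialize(payload)), allowed)) {
            System.out.println("accepted: " + in.readObject());
        }
        // ArrayList is not on the list, so the stream is rejected before any object is built.
        try (ObjectInputStream in = new RestrictedObjectInputStream(
                new ByteArrayInputStream(serialize(new ArrayList<>(payload.keySet()))), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```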