[ https://issues.apache.org/jira/browse/OFBIZ-6942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-6942:
-----------------------------------
Labels: CVE (was: )
> Comment out RMI related code because of the Java deserialization issue
> [CVE-2016-2170]
> ---------------------------------------------------------------------------------------
>
> Key: OFBIZ-6942
> URL: https://issues.apache.org/jira/browse/OFBIZ-6942
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Labels: CVE
> Fix For: 14.12.01, 13.07.03, 15.12.01
>
>
> Because of the danger of Java deserialization when using RMI, we (PMC) have
> decided to comment out RMI related code.
> We decided to comment out as little as possible because when, in the start and
> both properties, the rmi part is off and the RMI test services are off there
> is no RMI related danger left (RMI test services are not a danger but would
> fail during test runs).
> It's then easier for users who need RMI in their projects to have only to
> uncomment those and not dig everywhere.
> Note that since the naming (JNDI) server relies on the rmi loader it will
> also fail.
> You can get more information in the wiki page linked below in the "Issue Links"
> section.