On 14/01/2017 at 16:59, Moritz Muehlenhoff wrote:
> Source: groovy
> Severity: grave
> Tags: security
> 
> Hi,
> please see http://seclists.org/oss-sec/2017/q1/92
> 
> Cheers,
>         Moritz

Hi Moritz,

Thank you for the info. Note that Groovy isn't to blame for this kind of
serialization issue, the real issue is applications relying on
serialization and not sanitizing the input data (i.e. applications
should whitelist the classes allowed to be deserialized, it's impossible
to use Java serialization securely otherwise).

Emmanuel Bourg

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
[email protected] for discussions and questions.
