[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17311514#comment-17311514
]
Jacques Le Roux commented on OFBIZ-12212:
-
bq. Documents that the EntitySync feature is no longer available OOTB. You need
first to re allow the HTTP engine
Here is a patch which re allows the EntitySync feature (disclaimer: not tested
yet, but easy stuff anyway): [^OFBIZ-12212-Re allow Entity Sync.patch]
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
> Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
> Attachments: OFBIZ-12212-Re allow Entity Sync.patch
>
>
> mThe SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17311419#comment-17311419
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit e5809580bb469322ed4f999fa8ee5abc15a06a05 in ofbiz-framework's branch
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e580958 ]
Documented: Comment out the SOAP and HTTP engines (OFBIZ-12212)
Documents that the EntitySync feature is no longer available OOTB.
You need first to re allow the HTTP engine
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
> Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
>
> mThe SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17311420#comment-17311420
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit 62e657f3a718c654a6c18e448662069e1de46fb0 in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=62e657f ]
Documented: Comment out the SOAP and HTTP engines (OFBIZ-12212)
Documents that the EntitySync feature is no longer available OOTB.
You need first to re allow the HTTP engine
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
> Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
>
> mThe SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17311407#comment-17311407
]
Jacques Le Roux commented on OFBIZ-12212:
-
It should be noted that commenting out the HTTP engine de facto disallows
entity sync. I'll document that. I'll put a note in EntitySync-manual.adoc.
https://cwiki.apache.org/confluence/display/OFBIZ/Sync+Setup+Notes+and+Example
is not concerned, the (old) POS is in Attic
I have renamed
https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Master+and+an+OFBiz-Slave
by
https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Main+and+an+OFBiz-Secondary
and replaced master by main and slave by secondary in text.
I'll put a note there too.
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
> Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
>
> mThe SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17310594#comment-17310594
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit a3438121d8f50545b3a5c397c589fe97ca33202b in ofbiz-plugins's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=a343812 ]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the
security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools and scrumm controllers, it should be
enough.
The tests pass
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>
> The SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17310591#comment-17310591
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit 340c98b3b0f23d2a418e4e6eb75d298171118206 in ofbiz-plugins's branch
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=340c98b ]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the
security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools and scrumm controllers, it should be
enough.
The tests pass
Conflicts handled by hand
scrum/servicedef/services.xml
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>
> The SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17310588#comment-17310588
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit 32a310ca143717efc9f6d1167450b3e5a508ee14 in ofbiz-plugins's branch
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=32a310c ]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the
security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools and scrumm controllers, it should be
enough.
The tests pass
Conflicts handled by hand
scrum/servicedef/services.xml
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>
> The SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17310579#comment-17310579
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit 703a32b41f337ae999746d42599484ffefdd5abc in ofbiz-framework's branch
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=703a32b ]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the
security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools controller, it should be enough.
The tests pass
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>
> The SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines
[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17310585#comment-17310585
]
ASF subversion and git services commented on OFBIZ-12212:
-
Commit 643b9c7ea7dfc3e9df4b80527bf83d162f3bc39f in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=643b9c7 ]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the
security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools controller, it should be enough.
The tests pass
> Comment out the SOAP and HTTP engines
> -
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/service
>Affects Versions: 18.12.01, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>
> The SOAP and HTTP engines are open doors to security issues. At
> https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
> as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
