The following is an interesting slide:
https://speakerdeck.com/pwntester/surviving-the-java-deserialization-apocalypse?slide=31
Oracle has stated they will not fix these security issues with
Collection classes for de-serialization.
River-49 also identifies serial form issues with
On Fri, Oct 9, 2020 at 7:03 PM Peter Firmstone wrote:
>
> Currently the trunk branch is a stable branch; it is not for development
> code. Let's make it so we can develop in trunk. The vote concludes in
> two weeks.
+1 (non-binding) from me
Phil