Re: Comment out the SOAP and HTTP engines?

2021-03-30 Thread Jacques Le Roux

On 30/03/2021 at 12:54, Jacques Le Roux wrote:
It should be noted that commenting out the HTTP engine de facto disallows entity sync. 


I have added https://issues.apache.org/jira/secure/attachment/13023181/13023181_OFBIZ-12212-Re+allow+Entity+Sync.patch for users to easily re-allow 
the Entity Sync feature.


I did not test it yet, but it should be OK. It's straightforward to reactivate 
the HTTP engine anyway.

Jacques



Re: Comment out the SOAP and HTTP engines?

2021-03-30 Thread Jacques Le Roux

Hi,

It should be noted that commenting out the HTTP engine de facto disallows 
entity sync. I'll document that. I'll put a note in EntitySync-manual.adoc.

https://cwiki.apache.org/confluence/display/OFBIZ/Sync+Setup+Notes+and+Example 
is not concerned, the (old) POS is in Attic

I have renamed

https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Master+and+an+OFBiz-Slave

to

https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Main+and+an+OFBiz-Secondary

and replaced master by main and slave by secondary in text.

I'll put a note there too.

Jacques

On 25/03/2021 at 18:35, Jacques Le Roux wrote:

Hi,

After the recent fix for the CVE-2021-26295[1] we discussed with the security team about the opportunity need to comment out the SOAP and HTTP 
engines like we did in the past for RMI[2], this obviously for security reasons.


I don't think we need a vote for that, but of course all opinions are welcome

Thanks

[1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be 
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code 
because of the Java deserialization issue [CVE-2016-2170] "

Jacques



Re: Comment out the SOAP and HTTP engines?

2021-03-29 Thread Girish Vasmatkar
+1

Best,
Girish

On Mon, Mar 29, 2021 at 12:27 PM Nicolas Malin 
wrote:

> +1
>
> let each integrator enable this with the related security needing for
> this
>
> Nicolas
>
> On 25/03/2021 18:35, Jacques Le Roux wrote:
> > Hi,
> >
> > After the recent fix for the CVE-2021-26295[1] we discussed with the
> > security team about the opportunity need to comment out the SOAP and
> > HTTP engines like we did in the past for RMI[2], this obviously for
> > security reasons.
> >
> > I don't think we need a vote for that, but of course all opinions are
> > welcome
> >
> > Thanks
> >
> > [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a
> > blacklist (to be renamed soon to denylist) in Java serialisation
> > (CVE-2021-26295)"
> > [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI
> > related code because of the Java deserialization issue [CVE-2016-2170] "
> >
> > Jacques
> >
> >
>


Re: Comment out the SOAP and HTTP engines?

2021-03-29 Thread Nicolas Malin
+1

let each integrator enable this with the related security needing for
this

Nicolas

On 25/03/2021 18:35, Jacques Le Roux wrote:
> Hi,
>
> After the recent fix for the CVE-2021-26295[1] we discussed with the
> security team about the opportunity need to comment out the SOAP and
> HTTP engines like we did in the past for RMI[2], this obviously for
> security reasons.
>
> I don't think we need a vote for that, but of course all opinions are
> welcome
>
> Thanks
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a
> blacklist (to be renamed soon to denylist) in Java serialisation
> (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI
> related code because of the Java deserialization issue [CVE-2016-2170] "
>
> Jacques
>
>


Re: Comment out the SOAP and HTTP engines?

2021-03-28 Thread Jacques Le Roux

I created https://issues.apache.org/jira/browse/OFBIZ-12212 for that

On 25/03/2021 at 20:41, Michael Brohl wrote:

+1

Michael


On 25.03.2021 at 18:35, Jacques Le Roux wrote:

Hi,

After the recent fix for the CVE-2021-26295[1] we discussed with the security 
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reasons.

I don't think we need a vote for that, but of course all opinions are welcome

Thanks

[1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be 
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code 
because of the Java deserialization issue [CVE-2016-2170] "

Jacques



Re: Comment out the SOAP and HTTP engines?

2021-03-25 Thread Michael Brohl
+1

Michael 

> On 25.03.2021 at 18:35, Jacques Le Roux wrote:
> 
> Hi,
> 
> After the recent fix for the CVE-2021-26295[1] we discussed with the security 
> team about the opportunity need to comment out the SOAP and HTTP engines 
> like we did in the past for RMI[2], this obviously for security reasons.
> 
> I don't think we need a vote for that, but of course all opinions are welcome
> 
> Thanks
> 
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to 
> be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related 
> code because of the Java deserialization issue [CVE-2016-2170] "
> 
> Jacques
>