You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2016/04/08 22:40:25 UTC
[jira] [Comment Edited] (OFBIZ-6942) Comment out RMI related code
because of the Java deserialization issue [CVE-2016-2170]
[ https://issues.apache.org/jira/browse/OFBIZ-6942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15205090#comment-15205090 ]
Jacques Le Roux edited comment on OFBIZ-6942 at 4/8/16 8:39 PM:
----------------------------------------------------------------
Done in
trunk r1736083+r1736087
R15.12 r1736084+r1736088
R14.12 r1736085+r1736089
R13.07 r1736092+1736154
was (Author: jacques.le.roux):
Done in
trunk r1736083+r1736087
R15.12 r1736084+r1736088
R14.12 r1736085+r1736089
R13.07 r1736092
> Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]
> ---------------------------------------------------------------------------------------
>
> Key: OFBIZ-6942
> URL: https://issues.apache.org/jira/browse/OFBIZ-6942
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 13.07.03, 15.12.01
>
>
> Because of the danger of Java deserialization when using RMI, we (PMC) have decided to comment out RMI related code.
> We decided to comment out as less as possible because when, in the start and both properties, the rmi part is off and the RMI test services are off there is no RMI related danger left (RMI test services are not a danger but would fail during tests run).
> It's then easier for users who need RMI in their projects to have only to uncomment those and not digg everywhere.
> Note that since the naming (JNDI) server relies on the rmi loader it will also fail.
> You can get more information in wiki page linked below in the "Issue Links" section.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)