Posted to dev@dubbo.apache.org by Jun Liu <li...@apache.org> on 2020/06/02 16:17:34 UTC

Re: Lots of issues

AFAIK, 2.7.7 has just released one vulnerability issue, there’s another one still under development in 2.7.8.

I will help to check and confirm with the release manager when I come back to the office.

Jun

> On May 26, 2020, at 6:32 PM, Apache Security Team <se...@apache.org> wrote:
> 
> PING please respond.
> 
> Mark
> 
> On Wed, May 13, 2020 at 2:09 PM Apache Security Team
> <se...@apache.org> wrote:
>> 
>> Hi, we've not seen any progress on these, do you have an update?
>> Thank you, Mark
>> 
>> On Tue, Mar 31, 2020 at 1:42 PM Mark J Cox <mj...@apache.org> wrote:
>>> 
>>> Hi team, you got a lot of issues recently.  Can you confirm if you have investigated them and/or talked to the reporters?
>>> 
>>> dubbo: Dubbo after-deserialization vulnerability [43 days] [dubbo/2020-02-17]
>>> dubbo: Apache Dubbo rmi deserialization vulnerability [46 days] [dubbo/2020-02-17]
>>> dubbo: Dubbo Security Vulnerability Report [43 days] [dubbo/2020-02-17]
>>> dubbo: Dubbo hessian deserialization vulnerability (cause by rome-1.7.0.jar) [35 days] [dubbo/2020-02-26]
>>> dubbo: Re: Dubbo Provider default deserialization cause RCE [49 days] [dubbo/CVE-2020-1948]
>>> 
>>> I do note that Hessian was mentioned in other reports to other projects; in one case (Cayenne) they noted that "upgrade Java to 1.8.0_242" was a solution and therefore we didn't treat these as issues in Cayenne/Hessian at all.
>>> 
>>> Thanks,
>>> Mark J Cox
>>> VP ASF Security
>>> 
>>>