Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2015/11/30 06:49:11 UTC

[jira] [Comment Edited] (OFBIZ-6568) Updates Groovy to 2.4.4 version

    [ https://issues.apache.org/jira/browse/OFBIZ-6568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15030934#comment-15030934 ] 

Jacques Le Roux edited comment on OFBIZ-6568 at 11/30/15 5:48 AM:
------------------------------------------------------------------

Thanks to Jacopo, here is the most interesting thing we know about this issue https://mail-archives.apache.org/mod_mbox/incubator-groovy-users/201509.mbox/%3C2077FA8D-553F-41B6-B344-C986E049B503@gmail.com%3E

Since then, the Groovy team did not care much. I guess it's up to us to get that done, not sure how yet...

But because I was wrong above (OFBiz is not secure since we have an older than 2.4.4 Groovy version in the classpath, which is actually enough for an exploit) and we can't leave this as is until we are able to upgrade Groovy to 2.4.4, I just committed a temporary workaround fix in
    trunk r1717058+1717180
    R14.12 r1717059+1717182
    R13.07 r1717060+1717183
    R12.04 r1717061+1717184+1717185
It should be used by anyone responsible for OFBiz security.

Note that we are safe from an exploit done using Commons Collections, see OFBIZ-6726. OFBiz does not use Spring OOTB, but if you use it you will be safe by patching with the revisions above.

was (Author: jacques.le.roux):
Thanks to Jacopo, here is the most interesting thing we know about this issue https://mail-archives.apache.org/mod_mbox/incubator-groovy-users/201509.mbox/%3C2077FA8D-553F-41B6-B344-C986E049B503@gmail.com%3E

Since then, the Groovy team did not care much. I guess it's up to us to get that done, not sure how yet...

But because I was wrong above (OFBiz is not secure since we have an older than 2.4.4 Groovy version in the classpath, which is actually enough for an exploit) and we can't leave this as is until we are able to upgrade Groovy to 2.4.4, I just committed a temporary workaround fix in
    trunk r1717058
    R14.12 r1717059
    R13.07 r1717060
    R12.04 r1717061
It should be used by anyone responsible for OFBiz security.

Note that we are safe from an exploit done using Commons Collections, see OFBIZ-6726. OFBiz does not use Spring OOTB, but if you use it you will be safe by patching with the revisions above.

> Updates Groovy to 2.4.4 version
> -------------------------------
>
>                 Key: OFBIZ-6568
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6568
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, 12.04.06, 13.07.03, Upcoming Branch
>
>
> Since it's a security fix we should also update all supported release branches. http://groovy-lang.org/security.html
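The comment above pins the exposure on an older-than-2.4.4 Groovy jar sitting on the classpath. As an added example (not OFBiz's or Groovy's own code), here is a Python check a release engineer can run over a lib tree to flag Groovy jars below that version: it reads `Implementation-Version` or `Bundle-Version` from the jar manifest first and falls back to the version embedded in the file name. The directory layout, jar names and manifest contents it builds are constructed for the demo; the 2.4.4 threshold is the one named in the issue.

```python
# Added example (not OFBiz or Groovy project code): scan a classpath tree for
# Groovy jars older than 2.4.4, the upgrade target named in OFBIZ-6568.
import os
import re
import tempfile
import zipfile
from pathlib import Path

MIN_SAFE = (2, 4, 4)  # from the issue: anything below this on the classpath is a problem
# Matches groovy-2.4.1.jar, groovy-all-2.3.9.jar, groovy-2.4.4-SNAPSHOT.jar, ...
JAR_NAME = re.compile(r"^groovy(?:-all)?-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def parse_version(text):
    """Turn '2.4.4', '2.4.4-SNAPSHOT' or '2.4' into an int tuple; None if no digits."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_older(found, minimum):
    """Compare version tuples of unequal length by zero-padding (2.4 == 2.4.0)."""
    width = max(len(found), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(minimum)


def manifest_version(jar_path):
    """Read Implementation-Version / Bundle-Version from META-INF/MANIFEST.MF, if present."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return parse_version(value)
    return None


def groovy_version(jar_path):
    """Prefer the manifest; fall back to the version embedded in the file name."""
    version = manifest_version(jar_path)
    if version is None:
        m = JAR_NAME.match(Path(jar_path).name)
        version = parse_version(m.group(1)) if m else None
    return version


def find_outdated_groovy(roots, minimum=MIN_SAFE):
    """Return [(path, version)] for every groovy*.jar below `roots` older than `minimum`."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not (name.startswith("groovy") and name.endswith(".jar")):
                    continue
                path = os.path.join(dirpath, name)
                version = groovy_version(path)
                if version is not None and is_older(version, minimum):
                    findings.append((path, version))
    return sorted(findings)


def run_demo():
    """Build a constructed lib/ tree with fake jars and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "framework" / "base" / "lib"  # constructed path, not OFBiz's real layout
        lib.mkdir(parents=True)
        fake_jars = {
            "groovy-all-2.3.9.jar": "Implementation-Version: 2.3.9\n",  # old, manifest says so
            "groovy-2.4.1.jar": None,                                  # old, version only in the name
            "groovy-2.4.4.jar": "Bundle-Version: 2.4.4\n",             # the fixed version
            "commons-collections-3.2.1.jar": None,                     # not Groovy, ignored here
        }
        for name, manifest in fake_jars.items():
            with zipfile.ZipFile(lib / name, "w") as zf:
                if manifest:
                    zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + manifest)
                else:
                    zf.writestr("placeholder.txt", "no manifest in this constructed jar\n")
        return [Path(p).name for p, _ in find_outdated_groovy([tmp])]


if __name__ == "__main__":
    for name in run_demo():
        print("outdated Groovy jar:", name)
```

Point `find_outdated_groovy` at the real lib directories of a deployment (or at the unpacked contents of a WAR) to get the list of jars the workaround in the revisions above still has to cover; the manifest is preferred over the file name because a renamed or repackaged jar keeps its manifest.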



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)