On 08/11/2015 03:27, Gabriel Lawrence wrote:
> Howdy,
> 
> Thought I'd dive in here. Sorry that things got pointed in your direction
> on this. That was out of our control. Chris and I had a bunch of
> conversations about if we thought this was worth reporting to you when we
> discovered it. Perhaps we made the wrong decision, hard to say. We don't
> think this is a problem with the functionality in your library, instead it's
> with the core Serialization/Deserialization logic flows. Blaming you is
> like blaming a library used to build a ROP chain and suggesting we break or
> remove the assembly that contributes to that ROP chain.
> 
> Assuming you fix/change your code, then it's just a matter of finding
> another similar gadget somewhere else....

Indeed. Although I'd guess the chances of Oracle changing the way
serialization works are pretty low. Unfortunately that leaves us playing
whack-a-mole.

> Just thought I'd join in the discussion. I've joined the mailing list.

Welcome. Your input on this - or any other topic - is much appreciated.

Mark

