+1

Best,
Girish

On Mon, Mar 29, 2021 at 12:27 PM Nicolas Malin <nicolas.ma...@nereide.fr>
wrote:

> +1
>
> Let each integrator enable this with the related security needed for
> this
>
> Nicolas
>
> On 25/03/2021 18:35, Jacques Le Roux wrote:
> > Hi,
> >
> > After the recent fix for the CVE-2021-26295[1] we discussed with the
> > security team about the opportunity need to comment out the SOAP and
> > HTTP engines like we did in the past for RMI[2], this obviously for
> > security reasons.
> >
> > I don't think we need a vote for that, but of course all opinions are
> > welcome
> >
> > Thanks
> >
> > [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a
> > blacklist (to be renamed soon to denylist) in Java serialisation
> > (CVE-2021-26295)"
> > [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI
> > related code because of the Java deserialization issue [CVE-2016-2170] "
> >
> > Jacques
> >
> >
>
