[ https://issues.apache.org/jira/browse/OFBIZ-6568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14998306#comment-14998306 ]

Jacques Le Roux commented on OFBIZ-6568:
----------------------------------------

I checked (using 7Zip) this advice from 
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thefix
{quote}
For those faint of heart, you can be a little more surgical about it. If we 
examine the two exploits provided by the “ysoserial” tool, we can see that they 
both rely on the “InvokerTransformer” class. If we remove this class file 
everywhere it exists, any attempted exploits should fail. Feel free to open up 
your jar files with your expired copy of Winzip and delete the file at 
“org/apache/commons/collections/functors/InvokerTransformer.class”.
{quote}

We make no use of InvokerTransformer in our code, nor do the libs we use rely on it, 
AFAIK.

> Updates Groovy to 2.4.4 version
> --------------------------------
>
>                 Key: OFBIZ-6568
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6568
>             Project: OFBiz
>          Issue Type: Task
>          Components: framework
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, 12.04.06, 13.07.03, Upcoming Branch
>
>
> Since it's a security fix we should also update all releases branches. 
> http://groovy-lang.org/security.html



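The check Jacques describes above (opening each jar and looking for the InvokerTransformer class file) is easy to script, and scripting it also covers jars nested inside a war's WEB-INF/lib that a manual archive-viewer pass tends to miss. The following is an added example, not OFBiz code and not part of the comment: it scans a directory tree for jar/war/ear archives, reports which ones contain the gadget class entry, and writes a copy of a jar with that entry removed. The commons-collections4 package path is an assumption added for completeness (the quoted advice only names the collections 3 path), and the jars it builds for the demo are constructed stand-ins with dummy class bytes, not real library contents.

```python
import io
import os
import tempfile
import zipfile

# Entry path named in the quoted foxglovesecurity advice (Commons Collections 3.x).
INVOKER_TRANSFORMER = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Assumption: Commons Collections 4.x relocates the package to collections4; checked too.
INVOKER_TRANSFORMER_V4 = "org/apache/commons/collections4/functors/InvokerTransformer.class"

GADGET_ENTRIES = (INVOKER_TRANSFORMER, INVOKER_TRANSFORMER_V4)


def _entries_in_zip(archive, entries, prefix=""):
    """Return matching entry names in an open ZipFile, descending into nested .jar
    entries (e.g. WEB-INF/lib inside a war). Nested hits are reported as 'outer.jar!entry'."""
    names = archive.namelist()
    found = [prefix + e for e in entries if e in names]
    for name in names:
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                    found.extend(_entries_in_zip(inner, entries, prefix + name + "!"))
            except zipfile.BadZipFile:
                continue  # not a real zip; ignore
    return found


def jar_entries_containing(jar_path, entries=GADGET_ENTRIES):
    """Return the gadget entries present in one archive (empty list if none or unreadable)."""
    try:
        with zipfile.ZipFile(jar_path) as archive:
            return _entries_in_zip(archive, entries)
    except (zipfile.BadZipFile, OSError):
        return []


def scan_tree(root, entries=GADGET_ENTRIES):
    """Walk root for *.jar/*.war/*.ear; return {archive path: [matching entries]} for hits only."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                found = jar_entries_containing(path, entries)
                if found:
                    hits[path] = found
    return hits


def strip_entries(jar_path, out_path, entries=GADGET_ENTRIES):
    """Copy jar_path to out_path without the listed top-level entries; return how many were dropped."""
    dropped = 0
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in entries:
                dropped += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return dropped


def build_sample_jar(path, with_gadget):
    """Constructed sample jar for the demo: a manifest plus dummy class entries (not real bytecode)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/commons/collections/functors/ChainedTransformer.class", b"\xca\xfe\xba\xbe")
        if with_gadget:
            jar.writestr(INVOKER_TRANSFORMER, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build a constructed lib tree, scan it, strip the flagged jar, and re-check the result."""
    root = tempfile.mkdtemp(prefix="libcheck-")
    vulnerable = os.path.join(root, "commons-collections-3.2.1.jar")  # constructed name
    clean = os.path.join(root, "groovy-all-2.4.4.jar")                # constructed name
    build_sample_jar(vulnerable, with_gadget=True)
    build_sample_jar(clean, with_gadget=False)
    war = os.path.join(root, "app.war")
    with zipfile.ZipFile(war, "w") as w:  # nest the flagged jar the way a webapp would
        w.write(vulnerable, "WEB-INF/lib/commons-collections-3.2.1.jar")
    before = {os.path.relpath(p, root): e for p, e in scan_tree(root).items()}
    stripped = os.path.join(root, "commons-collections-3.2.1-stripped.jar")
    dropped = strip_entries(vulnerable, stripped)
    after = jar_entries_containing(stripped)
    return before, dropped, after


if __name__ == "__main__":
    before, dropped, after = run_demo()
    for archive, found in sorted(before.items()):
        print(f"{archive}: {', '.join(found)}")
    print(f"dropped {dropped} entry; stripped jar now reports: {after}")
```

Run `scan_tree` against the lib directories of a deployment (the hot-deploy and framework lib folders in OFBiz's case) to get the list of archives that still ship the class. Removing the entry is only safe where, as stated in the comment, neither the application nor its libraries actually load InvokerTransformer: any code that does reference it will fail with a NoClassDefFoundError at runtime after the strip, so keep the original jar until the application has been exercised with the stripped one.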
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)