John Tal created VELOCITY-982:
---------------------------------
Summary: Velocity 2.x - Velocity.properties - Additional introspector.restrict.classes
Key: VELOCITY-982
URL: https://issues.apache.org/jira/browse/VELOCITY-982
Project: Velocity
Issue Type: Improvement
Components: Build
Affects Versions: 2.3, 2.2, 2.1, 2.0, 2.4.2
Reporter: John Tal
Regarding the introspector.restrict.classes entries in Velocity.properties:
I assume additions to that section of this file resolved CVE-2020-13936
(templating can interact with the system)? Please confirm which commits,
classes or settings actually resolved CVE-2020-13936. We really need to know
because we are stuck on 1.7 and need to fork/patch.
Along these lines of further security hardening, aren't there more entries
needed in the introspector.restrict.classes section, such as:
java.lang.ProcessBuilder
java.lang.Reflect
javax.management.MBeanServer
java.net.Socket
javax.script.ScriptEngine
Finally, please confirm whether Velocity is largely in CVE-patch mode only and
is not really an active project, given that there is much more talk today about
Apache FreeMarker. I am just trying to determine the level of support and
engagement from the Apache Velocity maintainers.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
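Added example, not code from the Velocity project or from the reporter: a VelocityEngine configured with the SecureUberspector and an extended introspector.restrict.classes / introspector.restrict.packages list, rendering one benign template and one that tries to pivot from a String in the context to java.lang.Runtime. The class name HardenedVelocityDemo, the helpers hardenedEngine and render, and the hostile template are illustrative. The default entries are reproduced from the velocity.properties shipped with Velocity 2.x as I recall it; compare them against the copy in the release in use. java.lang.reflect is a package, not a class, so it goes under introspector.restrict.packages rather than introspector.restrict.classes.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not from the Velocity project or the issue reporter).
 * Builds a VelocityEngine that uses SecureUberspector with an extended
 * restricted-class / restricted-package list and renders two templates.
 */
public class HardenedVelocityDemo {

    // Velocity 2.x default restricted classes as shipped in velocity.properties
    // (reproduced from memory; verify against the release in use), followed by
    // the additions proposed in VELOCITY-982.
    static final String RESTRICTED_CLASSES = String.join(",",
        "java.lang.Class",
        "java.lang.ClassLoader",
        "java.lang.Compiler",
        "java.lang.InheritableThreadLocal",
        "java.lang.Package",
        "java.lang.Process",
        "java.lang.Runtime",
        "java.lang.RuntimePermission",
        "java.lang.SecurityManager",
        "java.lang.System",
        "java.lang.Thread",
        "java.lang.ThreadGroup",
        "java.lang.ThreadLocal",
        // proposed additions
        "java.lang.ProcessBuilder",
        "javax.management.MBeanServer",
        "java.net.Socket",
        "javax.script.ScriptEngine",
        "javax.script.ScriptEngineManager");

    // java.lang.reflect is a package, so it is restricted by prefix here rather
    // than listed as a class. java.lang.invoke is an added, assumed-useful prefix.
    static final String RESTRICTED_PACKAGES = String.join(",",
        "java.lang.reflect",
        "java.lang.invoke");

    // Hypothetical helper: engine wired to SecureUberspector with the lists above.
    // RuntimeConstants.UBERSPECT_CLASSNAME resolves to the right property key
    // for both 1.7 (runtime.introspector.uberspect) and 2.x (introspector.uberspect.class).
    static VelocityEngine hardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
            "org.apache.velocity.util.introspection.SecureUberspector");
        engine.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES, RESTRICTED_CLASSES);
        engine.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES, RESTRICTED_PACKAGES);
        engine.init();
        return engine;
    }

    // Hypothetical helper: evaluate a template string against a context.
    static String render(VelocityEngine engine, String template, VelocityContext ctx) {
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "hardened-demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "world");   // constructed sample context data

        // Uses only the data the template was given.
        String benign = "Hello $name!";

        // Constructed hostile template: walks from a harmless String to its Class
        // object and on towards Runtime. With SecureUberspector the method lookup
        // on the restricted java.lang.Class object returns nothing, so Velocity
        // does not invoke it and leaves the reference in the output as literal text.
        String hostile = "$name.class.forName('java.lang.Runtime').getRuntime().exec('id')";

        VelocityEngine engine = hardenedEngine();
        System.out.println(render(engine, benign, ctx));
        System.out.println(render(engine, hostile, ctx));
    }
}
```

Run with velocity-engine-core 2.x on the classpath. The benign template renders as a greeting; for the hostile one, the restricted-class check stops the chain at the Class object and the unresolved reference is emitted verbatim instead of being executed. One caveat to verify against the SecureIntrospectorImpl source of the version deployed: the check is applied to the concrete class of the object the template is holding, so whether an interface name such as javax.script.ScriptEngine blocks a concrete engine implementation should be tested rather than assumed. The list is defense in depth; the safer posture is still to put only the data a template needs into the context and never objects that can reach the JVM.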