Hi All,
I am the security response manager for Red Hat's middleware products,
many of which ship XStream. I've been following the discussion in the
"Security Guidance to use XStream safely" thread, trying to determine
whether the fix for this issue is going to be in XStream itself, or
whether each application using XStream would be considered independently
vulnerable if it was passing arbitrary user-supplied content to XStream.
Based on the discussion on this list, it sounds like a fix is going to
be possible in XStream itself, based on one of the two options Joe
Walnes outlined. I would like to request that a CVE ID be assigned to
this flaw, with the resolution to that CVE ID mapped to the version of
XStream which introduces the fix. Before requesting a CVE ID on the
oss-security list, I wanted to confirm that the XStream developer
community is happy to say that XStream will ship a fix, and not simply
document the issue and defer to users of XStream to fix their individual
applications. If that was the case, assigning a CVE ID for XStream
itself would probably not be the right approach.
Please let me know if it is appropriate for me to go ahead and request
assignment of a CVE ID.
Thanks
--
David Jorm / Red Hat Security Response Team
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email