When I launch oVirt 4.3.6, I see in the command line of the ovirt-engine: -Djackson.deserialization.whitelist.packages=org,com,java,javax
That whitelists almost everything. Isn't that dangerous? When I read this: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 I think the whitelist should be as small as possible.
_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/GZODZPENEN2RU5LJDWXSEYKVRCFPIHOU/
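
Added example, not part of the original post and not oVirt or Jackson code: a small audit that pulls the allow-list property quoted above out of a JVM command line and shows which class names each entry would admit. It assumes each entry is matched as a package-name prefix; the sample command line, the class names, the narrowed entry and the depth threshold are constructed for illustration.

```python
import shlex

PROP = "jackson.deserialization.whitelist.packages"

# Constructed sample: only the -D flag is taken from the post above.
SAMPLE_CMDLINE = ("java -Xms1g -D" + PROP + "=org,com,java,javax "
                  "-jar engine.jar")

# Constructed class names standing in for types found on a classpath.
SAMPLE_CLASSES = [
    "org.example.engine.dto.VmConfig",   # hypothetical application DTO
    "com.thirdparty.util.Helper",        # hypothetical third-party class
    "java.util.ArrayList",
    "javax.naming.InitialContext",
]

def extract_allowlist(cmdline, prop=PROP):
    """Return the entries of -D<prop>=a,b,c, or None if the flag is absent."""
    for token in shlex.split(cmdline):
        if token.startswith("-D" + prop + "="):
            value = token.split("=", 1)[1]
            return [e.strip() for e in value.split(",") if e.strip()]
    return None

def admits(entry, class_name):
    """Assumed semantics: an entry admits its package and all sub-packages."""
    return class_name.startswith(entry.rstrip(".") + ".")

def coverage(entries, class_names):
    """Class names admitted by at least one allow-list entry."""
    return [c for c in class_names if any(admits(e, c) for e in entries)]

def audit(entries, min_depth=3):
    """Flag entries shorter than min_depth dotted segments (a heuristic)."""
    findings = []
    for entry in entries:
        depth = len(entry.strip(".").split("."))
        findings.append((entry, depth, depth < min_depth))
    return findings

if __name__ == "__main__":
    entries = extract_allowlist(SAMPLE_CMDLINE)
    for entry, depth, too_broad in audit(entries):
        print(f"{entry:8} depth={depth} over-broad={too_broad}")
    print("admitted by current list:", coverage(entries, SAMPLE_CLASSES))
    narrowed = ["org.example.engine.dto"]  # hypothetical narrowed entry
    print("admitted by narrowed list:", coverage(narrowed, SAMPLE_CLASSES))
```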