Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-12 Thread Gary Gregory
I think I saw a /. article about this yesterday... yikes.

G

On Wed, Nov 11, 2015 at 12:30 AM, Bernd Eckenfels wrote:
> Hello,
>
> BTW Oracle issued a "Strange" Security alert:
>
> 2015-4852 was released on November 10th, 2015.
>
> This vulnerability, which involves the

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-11 Thread Bernd Eckenfels
Hello,

BTW Oracle issued a "Strange" Security alert:

2015-4852 was released on November 10th, 2015. This vulnerability, which involves the Apache Commons and Oracle WebLogic Server, has received a CVSS Base Score of 7.5.

...

Bernd

> Am 08.11.2015 um 10:41 schrieb Benedikt Ritter

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Benedikt Ritter
Hello Bernd, very nice. I found two typos: "It is possible to limit the impact when using a custom ObjecrtInputStream which overwrites" - should be ObjectInputStream "However it should be clear, this is not the only known (and especially not yet know) gadget" - should be "and especially not yet

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Bernd Eckenfels
Am Mon, 9 Nov 2015 09:36:41 +0100 schrieb Benedikt Ritter :
> Hello Bernd,
>
> very nice. I found two typos:
>
> "It is possible to limit the impact when using a custom
> ObjecrtInputStream which overwrites" - should be ObjectInputStream

fixed

> "However it should be

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Bernd Eckenfels
Thanks Timo!

Am Mon, 9 Nov 2015 10:18:18 +0100 schrieb Timo :
> Hello Bernd,
>
> nice article and I would be happy to see this on the ASF blog to point
> people to it.
>
> I also found some typos:
>
> "Both research work shows that developers"
> should be
> "Both research

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Bernd Eckenfels
Hello, attached is the draft, thanks to Gary and Gabriel (did I miss any contribution?) I think "Bernd Eckenfels and Gary Gregory for Apache Commons" would be the author (includes a thanks to Gabriel at the end). What is the procedure to get this published? Title? "Apache Commons statement to

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-09 Thread Timo
Hello Bernd, nice article and I would be happy to see this on the ASF blog to point people to it. I also found some typos: "Both research work shows that developers" should be "Both research works show that developers" "final type is checked lot of code" should be "final type is checked a lot

[COLLECTIONS] Bad press on twitter following serialization issue

2015-11-08 Thread Benedikt Ritter
Hi, there is a lot of bad talk going on at twitter [1,2,3] and I'm wondering whether we should respond to this via the Apache blog. Thoughts? Benedikt [1] https://twitter.com/JustineTunney/status/662937508980723712 [2] https://twitter.com/kennwhite/status/662709833464872960 [3]

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-08 Thread Bernd Eckenfels
Hello Gary, thanks for the offer. I will send you an edit link for the article; here is a comment-only version for people to check: https://oasis.sandstorm.io/shared/prUMi3zkPMx9bdQ8X2vkX7nt7JW79G3b28IKhS_F8vQ

Greetings
Bernd

Am Sun, 8 Nov 2015 12:20:55 -0800 schrieb Gary Gregory

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-08 Thread Gary Gregory
Hi All: What about agreeing on a plan before we post anything? My proposal would be to follow up on an idea posted on the dev ML: Use a system property to enable the risky feature. This would change the default behavior to disallow the feature. And possibly add a new config option on the

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-08 Thread Gary Gregory
Sounds good. I'll be happy to edit if you'd like.

Gary

On Sun, Nov 8, 2015 at 11:19 AM, Bernd Eckenfels wrote:
> Hello Gary,
>
> if we can release a fixed version quickly I would agree, but it is not
> really needed for a reply to the ongoing FUD.
>
> A statement would

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-08 Thread Bernd Eckenfels
Hello Gary, if we can release a fixed version quickly I would agree, but it is not really needed for a reply to the ongoing FUD. A statement would be "the discovered vulnerability is in applications using Java Object serialisation from untrusted sources and not implementing additional precaution

Re: [COLLECTIONS] Bad press on twitter following serialization issue

2015-11-08 Thread Gabriel Lawrence
If you guys want to put together a blog post about this, Chris and I would be happy to help. We've tried to be pretty clear to people that this isn't a problem with the libraries, but something that should be addressed by the deserializer either by not deserializing from a trusted source or by