I think I saw a /. article about this yesterday... yikes.
G
On Wed, Nov 11, 2015 at 12:30 AM, Bernd Eckenfels wrote:
> Hello,
>
> BTW Oracle issued a "Strange" Security alert:
>
> 2015-4852 was released on November 10th, 2015.
>
> This vulnerability, which involves the
Hello,
BTW Oracle issued a "Strange" Security alert:
2015-4852 was released on November 10th, 2015.
This vulnerability, which involves the Apache Commons and Oracle WebLogic
Server, has received a CVSS Base Score of 7.5.
...
Bernd
> On 08.11.2015 at 10:41, Benedikt Ritter wrote:
Hello Bernd,
very nice. I found two typos:
"It is possible to limit the impact when using a custom ObjecrtInputStream
which overwrites" - should be ObjectInputStream
"However it should be clear, this is not the only known (and especially not
yet know) gadget" - should be "and especially not yet
On Mon, 9 Nov 2015 09:36:41 +0100, Benedikt Ritter wrote:
> Hello Bernd,
>
> very nice. I found two typos:
>
> "It is possible to limit the impact when using a custom
> ObjecrtInputStream which overwrites" - should be ObjectInputStream
fixed
> "However it should be
Thanks Timo!
On Mon, 9 Nov 2015 10:18:18 +0100, Timo wrote:
> Hello Bernd,
>
> nice article and I would be happy to see this on the ASF blog to point
> people to it.
>
> I also found some typos:
>
> "Both research work shows that developers"
> should be
> "Both research
Hello,
attached is the draft, thanks to Gary and Gabriel (did I miss any
contribution?)
I think "Bernd Eckenfels and Gary Gregory for Apache Commons" would be
the author (includes a thanks to Gabriel at the end).
What is the procedure to get this published?
Title? "Apache Commons statement to
Hello Bernd,
nice article and I would be happy to see this on the ASF blog to point
people to it.
I also found some typos:
"Both research work shows that developers"
should be
"Both research works show that developers"
"final type is checked lot of code"
should be
"final type is checked a lot
Hi,
there is a lot of bad talk going on at twitter [1,2,3] and I'm wondering
whether we should respond to this via the Apache blog.
Thoughts?
Benedikt
[1] https://twitter.com/JustineTunney/status/662937508980723712
[2] https://twitter.com/kennwhite/status/662709833464872960
[3]
Hello Gary,
thanks for the offer. I will send you an edit link for the article; here
is a comment-only version for people to check:
https://oasis.sandstorm.io/shared/prUMi3zkPMx9bdQ8X2vkX7nt7JW79G3b28IKhS_F8vQ
Greetings
Bernd
On Sun, 8 Nov 2015 12:20:55 -0800, Gary Gregory wrote:
Hi All:
What about agreeing on a plan before we post anything? My proposal would be
to follow up on an idea posted on the dev ML: Use a system property to
enable the risky feature. This would change the default behavior to
disallow the feature. And possibly add a new config option on the
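Gary's proposal above (gate the risky feature behind a system property, with the default being "disallowed"), as an added example that is not code from Apache Commons or from anyone in this thread: a hypothetical serializable functor class whose private readObject refuses to proceed unless the deployer has opted in. The class name GatedFunctor and the property name example.enableUnsafeSerialization are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Hypothetical serializable functor: readable from a stream only when explicitly enabled. */
public class GatedFunctor implements Serializable {
    private static final long serialVersionUID = 1L;

    // Assumed property name for this demo. Boolean.getBoolean() is true only if the
    // property is set and equals "true", so the default (unset) means "disabled".
    public static final String ENABLE_PROPERTY = "example.enableUnsafeSerialization";

    private final String methodName;

    public GatedFunctor(String methodName) {
        this.methodName = methodName;
    }

    public String getMethodName() {
        return methodName;
    }

    // ObjectInputStream invokes this while reading an instance of this class. Failing here
    // aborts the read before the fields are populated, so the object never becomes usable
    // as a link in a gadget chain.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        if (!Boolean.getBoolean(ENABLE_PROPERTY)) {
            throw new InvalidObjectException("Deserialization of " + getClass().getName()
                    + " is disabled; start the JVM with -D" + ENABLE_PROPERTY + "=true to allow it");
        }
        in.defaultReadObject();
    }

    // Writing is not gated: code that serialises these objects keeps working unchanged;
    // only reading them back from a stream requires the opt-in.
    public static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the bytes an attacker-controlled peer might send.
        byte[] bytes = serialize(new GatedFunctor("exec"));

        // Default: the property is unset, so the read is refused.
        try {
            deserialize(bytes);
            System.out.println("unexpected: deserialization succeeded");
        } catch (InvalidObjectException e) {
            System.out.println("default: " + e.getMessage());
        }

        // Explicit opt-in (normally -D on the command line; set here so the demo is self-contained).
        System.setProperty(ENABLE_PROPERTY, "true");
        GatedFunctor f = (GatedFunctor) deserialize(bytes);
        System.out.println("opted in: " + f.getMethodName());
    }
}
```

The check lives in readObject rather than in a constructor because deserialization never calls the constructor of a Serializable class; readObject is the first hook the library controls, and throwing an InvalidObjectException there propagates unwrapped out of ObjectInputStream.readObject().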
Sounds good. I'll be happy to edit if you'd like.
Gary
On Sun, Nov 8, 2015 at 11:19 AM, Bernd Eckenfels
wrote:
> Hello Gary,
>
> if we can release a fixed version quickly I would agree, but it is not
> really needed for a reply to the ongoing FUD.
>
> A statement would
Hello Gary,
if we can release a fixed version quickly I would agree, but it is not
really needed for a reply to the ongoing FUD.
A statement would be "the discovered vulnerability is in applications
using Java object serialisation from untrusted sources and not
implementing additional precaution
If you guys want to put together a blog post about this, Chris and I would
be happy to help. We've tried to be pretty clear to people that this isn't a
problem with the libraries, but something that should be addressed by the
deserializer either by not deserializing from a trusted source or by
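The "additional precaution" in Bernd's proposed statement and the "custom ObjectInputStream which overwrites [resolveClass]" mentioned in the draft, as an added example that is not code from Apache Commons or from this thread: a look-ahead ObjectInputStream that rejects any class descriptor not on an explicit allow-list, before an instance of it is ever created. The class name LookAheadObjectInputStream, the allow-list contents and the sample objects are constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical allow-listing stream: only classes named in ALLOWED may be resolved. */
public class LookAheadObjectInputStream extends ObjectInputStream {

    // Constructed allow-list for this demo; a real application lists exactly the types its
    // wire protocol needs. Superclass descriptors are resolved too (Integer brings Number),
    // so every serializable class in the hierarchy must be listed.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "java.lang.Integer",
            "java.lang.Number"));

    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass is called for every class descriptor read from the stream, before any
    // instance is allocated, so rejecting here stops a gadget chain before it can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Deserializes one object from bytes through the allow-listing stream. */
    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Builds a serialized form, standing in for bytes received from an untrusted peer. */
    public static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed: HashMap, Integer and Number are all on the list (String values are
        // written as TC_STRING records and carry no class descriptor).
        HashMap<String, Integer> ok = new HashMap<>();
        ok.put("answer", 42);
        System.out.println("allowed type: " + readFiltered(serialize(ok)));

        // Rejected: an ArrayList is harmless, but it is not on the list, so it is refused
        // exactly as an InvokerTransformer or any other gadget class would be.
        byte[] notAllowed = serialize(new ArrayList<>(Arrays.asList("x")));
        try {
            readFiltered(notAllowed);
            System.out.println("unexpected: read succeeded");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The point of doing this in resolveClass is that the check runs on the class name in the stream header, before readObject or any field is touched, so the gadget's code never executes. Java 9 and later also offer ObjectInputFilter (JEP 290) for the same purpose without subclassing, but the allow-list discipline is the same: enumerate what the application expects and refuse everything else.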