oss-sec mailing list archives
Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 12 Nov 2015 15:22:45 -0800
> The currently proposed "fix"[1] is to disable functionality that is being used. This will break applications that need them.
>
> [1] https://issues.apache.org/jira/browse/COLLECTIONS-580

I just read through that thread and I did not see anyone indicating that the fix breaks applications. Only speculation. Perhaps you meant to link us somewhere else?

tim