Hi,

After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines, as we did in the past for RMI [2], obviously for security reasons.

I don't think we need a vote for that, but of course all opinions are welcome.

Thanks

[1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"

Jacques
+1

Michael

> On 25.03.2021 at 18:35, Jacques Le Roux <[hidden email]> wrote:
>
> Hi,
>
> After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines, as we did in the past for RMI [2], obviously for security reasons.
>
> I don't think we need a vote for that, but of course all opinions are welcome.
>
> Thanks
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>
> Jacques
I created https://issues.apache.org/jira/browse/OFBIZ-12212 for that.

On 25/03/2021 at 20:41, Michael Brohl wrote:
> +1
>
> Michael
>
>> On 25.03.2021 at 18:35, Jacques Le Roux <[hidden email]> wrote:
>>
>> Hi,
>>
>> After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines, as we did in the past for RMI [2], obviously for security reasons.
>>
>> I don't think we need a vote for that, but of course all opinions are welcome.
>>
>> Thanks
>>
>> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
>> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>>
>> Jacques
+1

Let each integrator enable this according to their own security needs.

Nicolas

On 25/03/2021 18:35, Jacques Le Roux wrote:
> Hi,
>
> After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines, as we did in the past for RMI [2], obviously for security reasons.
>
> I don't think we need a vote for that, but of course all opinions are welcome.
>
> Thanks
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>
> Jacques
+1

Best,
Girish

On Mon, Mar 29, 2021 at 12:27 PM Nicolas Malin <[hidden email]> wrote:
> +1
>
> Let each integrator enable this according to their own security needs.
>
> Nicolas
>
> On 25/03/2021 18:35, Jacques Le Roux wrote:
>> Hi,
>>
>> After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines, as we did in the past for RMI [2], obviously for security reasons.
>>
>> I don't think we need a vote for that, but of course all opinions are welcome.
>>
>> Thanks
>>
>> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
>> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>>
>> Jacques
Hi,

It should be noted that commenting out the HTTP engine de facto disallows entity sync. I'll document that. I'll put a note in EntitySync-manual.adoc.

https://cwiki.apache.org/confluence/display/OFBIZ/Sync+Setup+Notes+and+Example is not affected; the (old) POS is in the Attic.

I have renamed https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Master+and+an+OFBiz-Slave to https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Main+and+an+OFBiz-Secondary and replaced "master" by "main" and "slave" by "secondary" in the text. I'll put a note there too.

Jacques

On 25/03/2021 at 18:35, Jacques Le Roux wrote:
> Hi,
>
> After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines, as we did in the past for RMI [2], obviously for security reasons.
>
> I don't think we need a vote for that, but of course all opinions are welcome.
>
> Thanks
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>
> Jacques
On 30/03/2021 at 12:54, Jacques Le Roux wrote:
> It should be noted that commenting out the HTTP engine de facto disallows entity sync.

I have added https://issues.apache.org/jira/secure/attachment/13023181/13023181_OFBIZ-12212-Re+allow+Entity+Sync.patch for users to easily re-allow the Entity Sync feature. I have not tested it yet, but it should be OK. It's straightforward to reactivate the HTTP engine anyway.

Jacques