[ https://issues.apache.org/jira/browse/OFBIZ-6752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15043281#comment-15043281 ]
Jacques Le Roux commented on OFBIZ-6752:
----------------------------------------
Actually, working with "OWASP Dependency Check" on OFBiz to identify and possibly fix dependency vulnerabilities is very tedious (you need to check issues one by one, put the possible suppress information in the suppression file, run the check again, etc.). It appears, I guess because it's disputed by the Tomcat team[1], that CVE-2013-2185 is also not fixed in Tomcat 7.0.65, and I guess it will not be in Tomcat 8 or 9 either.
[1]<<The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.>>
> Updates Tomcat to 7.0.65
> ------------------------
>
> Key: OFBIZ-6752
> URL: https://issues.apache.org/jira/browse/OFBIZ-6752
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 13.07.03, Upcoming Branch
>
>
> Though disputed, CVE-2013-2185 indicates a possible vulnerability with jasper.jar. Better safe than sorry: I will backport to all concerned branches (R14 and R13)
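The suppression-file step mentioned in the comment, as an added example that is not from the OFBiz project or this issue: one OWASP Dependency-Check entry that silences the disputed finding for jasper only, with the review decision recorded in the notes so it can be revisited when the dependency is bumped. The packageUrl pattern assumes the jar is identified by the Maven coordinates org.apache.tomcat:tomcat-jasper; use the identifier shown in the report if it differs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check; not OFBiz's own file.
     Keep the suppression as narrow as possible: one CVE, one artifact pattern. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2013-2185 is disputed by the Tomcat team (whether the application or the
        class must guard against deserializing untrusted data).
        Reviewer: <name>   Date: <date>
        Justification: <record here why the affected code path is not reachable in this deployment>
        Re-evaluate when the Tomcat/jasper version is changed.
        ]]></notes>
        <!-- Assumed Maven coordinates for jasper.jar; adjust to the report's identifier. -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jasper@.*$</packageUrl>
        <cve>CVE-2013-2185</cve>
    </suppress>
</suppressions>
```

Pass the file to the scanner with its suppression-file option and re-run; the finding disappears from the report only for the matched artifact and CVE, while any other CVE on the same jar still surfaces.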
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)