Author: jleroux
Date: Thu Aug 18 11:25:00 2016
New Revision: 1756758
URL:
http://svn.apache.org/viewvc?rev=1756758&view=rev
Log:
Updates for Gradle
Modified:
ofbiz/trunk/tools/security/notsoserial/README.txt
Modified: ofbiz/trunk/tools/security/notsoserial/README.txt
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/notsoserial/README.txt?rev=1756758&r1=1756757&r2=1756758&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/notsoserial/README.txt (original)
+++ ofbiz/trunk/tools/security/notsoserial/README.txt Thu Aug 18 11:25:00 2016
@@ -2,6 +2,6 @@ The notsoserial Java agent was introduce
We (PMC) decided to comment out RMI OOTB but we also decided to provide a simple way to protect yourself from all possible Java serialize vulnerabilities.
While working on the serialize vulnerability, I (Jacques Le Roux) stumbled upon this article
https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/ and found notsoserial was a Java agent better than the Contrast one I introduced at r1717058. Because notsoserial easily protects you from all possible serialize vulnerabilities as explained at
https://github.com/kantega/notsoserial#rejecting-deserialization-entirely-So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735 + r1730736. To be safe in case you use RMI for instance, use one of the start*-secure ant targets or use the JVM arguments those targets use.
+So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735 + r1730736. It's now embedded in OFBiz and called by all running Gradle tasks.
You might find more information at
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability\ No newline at end of file
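Review bot: the replacement line drops the only operational guidance the README had for making sure the agent is actually loaded. The removed text told users to "use one of the start*-secure ant targets or use the JVM arguments those targets use"; the new text only states that notsoserial "is now embedded in OFBiz and called by all running Gradle tasks", which leaves anyone who launches OFBiz without Gradle (a packaged build or a custom start script) with no way to know which JVM argument to pass or how to confirm the agent is active. Suggest keeping one explicit sentence naming the Gradle task or the -javaagent argument to use, plus how to verify it (for example by checking the JVM arguments of the running process). Also, the line still refers to notsoserial-1.0-SNAPSHOT; a SNAPSHOT artifact is a moving target for a security control, so referencing a released version, or at least recording the checksum of the bundled jar, would be preferable.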