Re: Comment out the SOAP and HTTP engines?

Posted by Jacques Le Roux on
URL: http://ofbiz.116.s1.nabble.com/Comment-out-the-SOAP-and-HTTP-engines-tp4767218p4767427.html

Hi,

It should be noted that commenting out the HTTP engine de facto disallows entity sync. I'll document that. I'll put a note in EntitySync-manual.adoc.

https://cwiki.apache.org/confluence/display/OFBIZ/Sync+Setup+Notes+and+Example is not concerned; the (old) POS is in the Attic.

I have renamed

https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Master+and+an+OFBiz-Slave

to

https://cwiki.apache.org/confluence/display/OFBIZ/Data+Synchronisation+between+an+OFBiz-Main+and+an+OFBiz-Secondary

and replaced master by main and slave by secondary in the text.

I'll put a note there too.

Jacques

On 25/03/2021 at 18:35, Jacques Le Roux wrote:

> Hi,
>
> After the recent fix for the CVE-2021-26295[1] we discussed with the security team the opportunity/need to comment out the SOAP and HTTP
> engines like we did in the past for RMI[2], this obviously for security reasons.
>
> I don't think we need a vote for that, but of course all opinions are welcome.
>
> Thanks
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>
> Jacques
>