Bug#851408: CVE-2016-6814

Emmanuel Bourg ebourg at apache.org
Sun Jan 15 08:51:33 UTC 2017


On 14/01/2017 at 16:59, Moritz Muehlenhoff wrote:
> Source: groovy
> Severity: grave
> Tags: security
> 
> Hi,
> please see http://seclists.org/oss-sec/2017/q1/92
> 
> Cheers,
>         Moritz

Hi Moritz,

Thank you for the info. Note that Groovy isn't to blame for this kind of
serialization issue; the real issue is applications relying on
serialization and not sanitizing the input data (i.e., applications
should whitelist the classes allowed to be deserialized; it's impossible
to use Java serialization securely otherwise).

Emmanuel Bourg



More information about the pkg-java-maintainers mailing list