ofbiz-notifications mailing list archives

From "ASF subversion and git services (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11353) Temporarily comment out the "stream" request-map in commonext controller.xml for security reason
Date Wed, 19 Feb 2020 08:44:00 GMT

[ https://issues.apache.org/jira/browse/OFBIZ-11353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039807#comment-17039807 ]

ASF subversion and git services commented on OFBIZ-11353:
---------------------------------------------------------

Commit 3d85b1ca1e5e7c218b92cd97a8b110315642b1ba in ofbiz-framework's branch refs/heads/release17.12
from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3d85b1c ]

Fixed: Temporarily comment out the "stream" request-map in commonext controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to require
(maybe only temporarily) the "stream" request-map in commonext controller
to need authentication.

We will later check that this has no impact and if necessary remove the
mandatory authentication, see OFBIZ-11349


> Temporarily comment out the "stream" request-map in commonext controller.xml for security
> reason
> ------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-11353
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11353
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>             Fix For: 17.12.01, Upcoming Branch, Release Branch 18.12
>
>
> A vulnerability has been reported to the OFBiz security team.  To be able to release
> the 17.12.01 version with this vulnerability fixed we need to temporarily comment out the
> "stream" request-map in commonext controller. We will later fix the specific issue to put
> back the functionalities allowed by the "stream" request-map in commonext controller.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
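The mitigation the commit describes, requiring a logged-in user before the commonext "stream" request-map runs its event, shown as an illustrative OFBiz controller.xml fragment added here (a constructed example, not the project's actual commonext controller.xml; the event path and invoke values are placeholders):

```xml
<!-- Before: the request-map is reachable without a session (auth="false"),
     so the handler runs the event for any anonymous caller -->
<request-map uri="stream">
    <security https="true" auth="false"/>
    <event type="java" path="PLACEHOLDER.EventsClass" invoke="placeholderEvent"/>
    <response name="success" type="none"/>
</request-map>

<!-- After: auth="true" makes the request handler check for an authenticated
     OFBiz user before the event is invoked; callers without a session are
     sent to the login flow instead of receiving the streamed content -->
<request-map uri="stream">
    <security https="true" auth="true"/>
    <event type="java" path="PLACEHOLDER.EventsClass" invoke="placeholderEvent"/>
    <response name="success" type="none"/>
</request-map>
```

After redeploying, confirm that an unauthenticated request to the webapp's /control/stream URI no longer returns content and that logged-in users still receive the expected response, so the temporary restriction can be reviewed under OFBIZ-11349 with evidence.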
