This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new 3df59b5 Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592) 3df59b5 is described below commit 3df59b5e6d0a1ec07658e3a7b0ba883a50fa96ad Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Mar 28 12:32:40 2022 +0200 Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592) Qing Xu, a security reporter, alerted us that, despite no current vulnerability, it could be maybe possible to do DOS attacks using Java deserialisation. That has been fixed with https://openjdk.java.net/jeps/290 and even implemented in Java 8, but it needs a little effort on our side, here it is. There is no real bug, so this is an improvement but a security improvement so it will be backported Thanks: Qing Xu for report Conflicts handled by hand gradle.properties --- gradle.properties | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index a08ddcf..39ea90a 100644 --- a/gradle.properties +++ b/gradle.properties @@ -17,4 +17,9 @@ # under the License. ############################################################################### -org.gradle.console=plain \ No newline at end of file +org.gradle.console=plain +# If you experience heap memory problems during the Gradle build, for example +# building with integrated plugins, the following setting might help +#org.gradle.jvmargs=-Xms128m -Xmx1024m -XX:+CMSClassUnloadingEnabled +# This is for "Prevent possible DOS attack done using Java deserialisation" (OFBIZ-12592) +-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000
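Review bot: the new last line `-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000` is not a Gradle property and as written never reaches any JVM: a .properties file parses it as a key named `-Djdk.serialFilter` with the pattern as its value, and Gradle silently ignores unknown keys. JVM arguments go through `org.gradle.jvmargs`, which the commented line just above already uses for the heap settings, so the line should read `org.gradle.jvmargs=-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000` (and anyone later uncommenting the heap tuning must merge both onto that one key). Even with that fix, `org.gradle.jvmargs` only configures the Gradle build JVM; for the JEP 290 filter to protect OFBiz deserialisation at runtime it has to be set on the JVM that actually runs the server, via its own launch arguments or `JDK_JAVA_OPTIONS` / `JAVA_TOOL_OPTIONS`, and the commit does not say which JVM was verified to reject an over-limit stream.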
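Added example (not OFBiz code): a small Java program that applies the commit's filter pattern to an `ObjectInputStream` and reports which constructed inputs the filter rejects, so the limits can be checked in the JVM that does the deserialising. It uses the Java 9+ `java.io.ObjectInputFilter` API; on Java 8u121+ the same pattern is only settable process-wide via `-Djdk.serialFilter=...` on the JVM command line, which is what the gradle.properties line is trying to do. The class names `SerialFilterDemo` and `Node` are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {
    // Same pattern the commit puts in gradle.properties (OFBIZ-12592).
    static final String FILTER = "maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000";

    // Constructed test class: a linked chain whose length equals the object-graph depth.
    static class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        Node next;
    }

    static Node chain(int length) {
        Node head = new Node(), cur = head;
        for (int i = 1; i < length; i++) { cur.next = new Node(); cur = cur.next; }
        return head;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns "accepted" or the filter's rejection message. The filter is attached per
    // stream here; -Djdk.serialFilter with the same pattern applies it JVM-wide instead.
    static String tryDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER));
            ois.readObject();
            return "accepted";
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();   // "filter status: REJECTED"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("chain of 5   -> " + tryDeserialize(serialize(chain(5))));
        System.out.println("chain of 50  -> " + tryDeserialize(serialize(chain(50))));       // depth 50 > maxdepth=20
        System.out.println("byte[200000] -> " + tryDeserialize(serialize(new byte[200000]))); // length > maxarray
    }
}
```

Running the same program with the `setObjectInputFilter` call removed and `-Djdk.serialFilter=<pattern>` on the command line gives identical results, which is the quick way to confirm the property actually reached the target JVM.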