https://bz.apache.org/bugzilla/show_bug.cgi?id=58662
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|REOPENED |RESOLVED
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
If a system admin adds a JAR then it is a non-issue. To repeat my previous
comment:
<quote>
The recent spate of deserialization issues is only of concern if an application
accepts untrusted data and deserializes without validation/sanitization. A
default Tomcat install does not expose any such mechanism.
</quote>
Therefore, adding one of the known enabling JARs - or some currently unknown
enablign JAR - to Tomcat does not create a security issue that can be exploited
by a remote attacker.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
