On 10/11/2015 10:17, Jochen Wiedmann wrote:
> On Tue, Nov 10, 2015 at 10:51 AM, Mark Thomas <ma...@apache.org>
>
>> You only need a CVE ID if there is a vulnerability.
>>
>> I would argue (and the OPs appear to agree with me) that this is NOT a
>> vulnerability in Apache Commons Collections. The vulnerability lies in
>> applications that are blindly deserializing data from an untrusted
>> source. Given the nature of Java deserialization, that is somewhere on
>> the scale between foolish and reckless.
>>
>> Commons is taking action to reduce the risk to developers if they do
>> deserialize untrusted data but that doesn't change the fact that the
>> root cause / vulnerability is the deserialization of untrusted data, not
>> what Commons Collections then does with it.
>
> I won't argue on that. Fact is, there are such applications out there
> (as of yet, we are aware of Jenkins, OpenNMS, WebSphere, JBoss, and
> WebLogic [1], but the list is most likely incomplete, and there are
> unidentified applications), and there is a vulnerability. Hence the
> need for an identifier.
Those products need an identifier. We don't. It isn't our vulnerability so we can't ask for one to be assigned. We can reference it once one is assigned.

Mark