Issue2491

classification
Title: a security issue in jython
Type: security
Severity: critical
Components: Any
Versions: Jython 2.7
Milestone:
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: fwierzbicki, jeff.allen, redrain
Priority:
Keywords:

Created on 2016-04-13.02:32:47 by redrain, last changed 2018-02-25.09:02:25 by jeff.allen.

Messages
msg10833 Author: redrain (redrain) Date: 2016-04-13.02:32:46
I found a vulnerability about deserialization, but I didn't find any security issue reporting email address.
I want to know the best way to report this vulnerability: create an open issue or email?
msg10834 Author: redrain (redrain) Date: 2016-04-13.02:34:46
rootredrain@gmail.com
msg11710 Author: Jeff Allen (jeff.allen) Date: 2018-02-25.09:02:25
Deserialization is the execution of arbitrary code from the source. Are we talking about pickle here or Java serialization? Anything not covered by:

https://blog.nelhage.com/2011/03/exploiting-pickle/
https://www.ibm.com/developerworks/library/j-5things1/

Adding the PM as nosy.
History
Date                 User        Action  Args
2018-02-25 09:02:25  jeff.allen  set     nosy: + jeff.allen, fwierzbicki; messages: + msg11710; milestone: Jython 2.7.0 ->
2016-04-13 02:40:27  redrain     set     severity: normal -> critical
2016-04-13 02:34:46  redrain     set     messages: + msg10834
2016-04-13 02:32:47  redrain     create