Update Apache XML-RPC #3934
Merged
Update Apache XML-RPC #3934
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
38 tasks
adamretter
force-pushed
the
security/update-apache-xmlrpc
branch
from
2e6a12c to
ed8ca86
Compare
Member
|
@adamretter Many thanks for this contribution. |
line-o
reviewed
Jun 18, 2021
Member
line-o
left a comment
line-o
left a comment
There was a problem hiding this comment.
Looks good. I will approve after a local test.
Contributor
Author
@line-o I can't say. I don't know gulp-exist or what it does or how it works, the author of that should be able to tell you. |
|
SonarCloud Quality Gate failed. |
dizzzz
approved these changes
Jun 21, 2021
18 tasks
adamretter
force-pushed
the
security/update-apache-xmlrpc
branch
from
ed8ca86 to
13efbf1
Compare
… Evolved Binary. Addresses CVE-2019-17570 and CVE-2016-5002 Note - this does change the XML-RPC API (and therefore also the XML:DB remote API) where ACL's are communicated Closes eXist-db#3063
adamretter
force-pushed
the
security/update-apache-xmlrpc
branch
from
13efbf1 to
cf74509
Compare
|
SonarCloud Quality Gate failed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update to Apache XML-RPC with latest Security Patches from Evolved Binary.
Addresses CVE-2019-17570 and CVE-2016-5002
Note - This PR changes XML-RPC API (and therefore also the XML:DB remote API).
Previously eXist-db was relying on the in-built Java Serialization for communicating ACL's, unfortunately that facility is inherently insecure. This PR now adds a custom XML-RPC Serializer and Parser for ACLs to ensure this is secure; the upshot is that the wire-protocol has to change to support this. This means users of the XML-RPC and XML:DB APIs (e.g. Java Admin Client, oXygen XML Editor, etc) will need to upgrade their libraries as this is not backwards compatible.
Closes #3063