I'm a security researcher doing some historical digging and trying to figure out when Kryo.registrationRequired was set as true by default. Do you know if a CVE was ever issued when this became the default behaviour? I'm wondering because it would be good to encourage end users to upgrade beyond this version. The best way to do this can be by issuing a CVE number.
Much appreciated. As this is a serious security improvement, do you mind if I work with a CNA to issue a CVE number for all versions of Kryo prior to 5.0.0 to make sure your end users are aware of this important security improvement and that they should update?
There is no need to upgrade if you are on an older version of Kryo. Users can simply set setRegistrationRequired(true) on older versions. And a lot of users will already have set it, because registering classes upfront is faster.
Since Kryo is not backwards-compatible between major versions, upgrading Kryo to 5.x can be a lot of work if you have persistent data. Existing data has to be read with the older version and written with the newer version. It doesn't make sense to force/urge users to go through this, just because of a change to a default value that they can already set themselves in their current version.
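The mitigation the maintainer describes, shown as an added example (not code from this thread or from the Kryo project): a Kryo instance hardened with setRegistrationRequired(true) and an explicit allow-list of registered classes, which works the same on pre-5.0 versions where the default is permissive. The Greeting and Unregistered classes are constructed for the demonstration.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

public class KryoRegistrationDemo {
    // Constructed sample type that the application legitimately exchanges.
    public static class Greeting {
        public String text;
    }

    // Constructed type that is NOT on the allow-list.
    public static class Unregistered {
        public int value;
    }

    // Hardened configuration: regardless of the version's default, only explicitly
    // registered classes may be written or read, so a byte stream cannot name an
    // arbitrary class for Class.forName() during deserialization.
    static Kryo hardenedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Greeting.class);
        return kryo;
    }

    public static void main(String[] args) {
        Kryo kryo = hardenedKryo();

        // Round-trip a registered class: works as before.
        Greeting g = new Greeting();
        g.text = "hello";
        Output out = new Output(1024, -1);
        kryo.writeClassAndObject(out, g);
        Greeting back = (Greeting) kryo.readClassAndObject(new Input(out.toBytes()));
        System.out.println("round-trip: " + back.text);

        // Bytes produced by a permissive (pre-5.0 default) configuration carry the
        // class name inline; the hardened reader refuses them.
        Kryo permissive = new Kryo();
        permissive.setRegistrationRequired(false);
        Output foreign = new Output(1024, -1);
        permissive.writeClassAndObject(foreign, new Unregistered());
        try {
            kryo.readClassAndObject(new Input(foreign.toBytes()));
            System.out.println("unexpected: unregistered class was accepted");
        } catch (RuntimeException e) {
            // Kryo raises an "unregistered class" error here.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```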