| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA1 |
| |
| CVE-2020-11973: Apache Camel Netty enables Java deserialization by default |
| |
| Severity: MEDIUM |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: Camel 2.25.0, Camel 3.0.0 to 3.1.0. The unsupported Camel 2.x (2.24 and earlier) versions may be also affected. |
| |
| Description: Apache Camel Netty enables Java deserialization by default |
| |
| Mitigation: 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0 The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-14447 refers to the various commits that resovoled the issue, and have more details. |
| |
| Credit: This issue was discovered by Colm O. HEigeartaigh <coheigea at apache dot org> from Apache Software Foundation |
| -----BEGIN PGP SIGNATURE----- |
| Version: GnuPG v2.0.22 (GNU/Linux) |
| |
| iQEcBAEBAgAGBQJevUX3AAoJEONOnzgC/0EANycIAJD8FSGAr+HGQPBig7wvTR3D |
| NAOCQjjPrC3KiLrBTW82JBU/0n/tWYTx9hSa1DmafKa4Cu/yO3SWaKbH/V6pT5QC |
| NJZPn/bOIEyfNErRKIVuLmf9/I0Cwd2rb3CJVN3OhQv0xvE8PcyXQ0F/wDYVXlbR |
| Lu3HR5dWaNVUC9bs/DCrC2SKI9XKq17JhSYu+W6hHGWrYSIcMvgxV8wOK5gigjLf |
| Yih+gO378cI1kuq5anf2xAiRxGmDL41uuwQXC+lmrG61UM7ozZe+Tz8/QdBJc4hZ |
| sxD40oW1UXRqAnmcUkJEpEdSqa740XSWcVVgSOCCn78YAOHm96pcSN0S6JZf1f8= |
| =Ks1J |
| -----END PGP SIGNATURE----- |