
16 Oct 2019, 1:09 p.m.
When I launch oVirt 4.3.6, I see in the command line of the ovirt-engine:

-Djackson.deserialization.whitelist.packages=org,com,java,javax

That whitelists almost everything. Isn't that dangerous? When I read this: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you... I think the whitelist should be as small as possible.