id: 29708
summary: Deprecate PickleSerializer and move it out of core
reporter: Alex Gaynor
owner: Adam Johnson
description: "Pickle serializer has long been known to be dangerous. This is mitigated by requiring MAC on pickle in cookies, but nevertheless, RCEs continue to happen: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/ To further discourage its use, we should consider deprecating PickleSerializer and moving it into a third party package."
type: Cleanup/optimization
status: closed
component: contrib.sessions
version: dev
severity: Normal
resolution: fixed
keywords:
cc: Adam Johnson
stage: Ready for checkin
has_patch: 1
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0