myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Kienenberger <mkien...@gmail.com>
Subject [ANNOUNCE][CVE-2016-5019] Apache MyFaces Trinidad 2.1.2 released
Date Thu, 29 Sep 2016 15:50:02 GMT
The Apache MyFaces team is pleased to announce the release of Apache
MyFaces Trinidad 2.1.2.
.
MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces
that provides an extendibles framework and extensive skinning support.
This version is designed to be used with the JSF 2.1 specification.

CVE-2016-5019:
Trinidad’s CoreResponseStateManager both reads and writes view state
strings using
ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad
bypasses the
view state security features provided by the JSF implementations - ie. the view
state is not encrypted and is not MAC’ed.  Trinidad’s
CoreResponseStateManager will
blindly deserialize untrusted view state strings, which makes Trinidad-based
applications vulnerable to deserialization attacks.

Apache MyFaces Trinidad is available in both binary and source
distributions, and there are examples available as well:

    * http://myfaces.apache.org/trinidad/download.html

Apache MyFaces Trinidad is available in the central Maven repository
under Group ID "org.apache.myfaces.trinidad"

Release Notes - MyFaces Trinidad - Version 2.1.2

Bug
    [TRINIDAD-2542] - CVE-2016-5019: MyFaces Trinidad view state
deserialization security vulnerability

    [TRINIDAD-2228] - java.lang.UnsupportedOperationException
    [TRINIDAD-2282] - In validateLength, a default hintRange message
is displayed instead of hintMaximum even when minimum value is not set
    [TRINIDAD-2436] - We should update Table's selection state during
invoke application phase
    [TRINIDAD-2445] - Prevent exceptions from propagating out of the
ServletFilter
    [TRINIDAD-2541] - Check UTF-8 encoding in example files

Improvement

    [TRINIDAD-2239] - Improve the ancestor based change filtering
mechanism by introducing a formal ComponentChangeFilter
    [TRINIDAD-2441] - URLUtil to escape a URL and remove invalid characters
    [TRINIDAD-2540] - Align Trinidad 2.1.x so it can be editable using
Netbeans 8

regards,

Mike Kienenberger

Mime
View raw message