You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@myfaces.apache.org by Mike Kienenberger <mk...@gmail.com> on 2016/09/29 15:50:02 UTC
[ANNOUNCE][CVE-2016-5019] Apache MyFaces Trinidad 2.1.2 released
The Apache MyFaces team is pleased to announce the release of Apache
MyFaces Trinidad 2.1.2.
.
MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces
that provides an extendibles framework and extensive skinning support.
This version is designed to be used with the JSF 2.1 specification.
CVE-2016-5019:
Trinidad’s CoreResponseStateManager both reads and writes view state
strings using
ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad
bypasses the
view state security features provided by the JSF implementations - ie. the view
state is not encrypted and is not MAC’ed. Trinidad’s
CoreResponseStateManager will
blindly deserialize untrusted view state strings, which makes Trinidad-based
applications vulnerable to deserialization attacks.
Apache MyFaces Trinidad is available in both binary and source
distributions, and there are examples available as well:
* http://myfaces.apache.org/trinidad/download.html
Apache MyFaces Trinidad is available in the central Maven repository
under Group ID "org.apache.myfaces.trinidad"
Release Notes - MyFaces Trinidad - Version 2.1.2
Bug
[TRINIDAD-2542] - CVE-2016-5019: MyFaces Trinidad view state
deserialization security vulnerability
[TRINIDAD-2228] - java.lang.UnsupportedOperationException
[TRINIDAD-2282] - In validateLength, a default hintRange message
is displayed instead of hintMaximum even when minimum value is not set
[TRINIDAD-2436] - We should update Table's selection state during
invoke application phase
[TRINIDAD-2445] - Prevent exceptions from propagating out of the
ServletFilter
[TRINIDAD-2541] - Check UTF-8 encoding in example files
Improvement
[TRINIDAD-2239] - Improve the ancestor based change filtering
mechanism by introducing a formal ComponentChangeFilter
[TRINIDAD-2441] - URLUtil to escape a URL and remove invalid characters
[TRINIDAD-2540] - Align Trinidad 2.1.x so it can be editable using
Netbeans 8
regards,
Mike Kienenberger