Posted to dev@myfaces.apache.org by Mike Kienenberger <mk...@gmail.com> on 2015/11/23 22:37:16 UTC

Upgrade commons-collections to 3.2.2.

Before we do another release, let's upgrade our commons-collections
dependency to 3.2.2 as certain JSF configurations likely present
attack vectors.

https://issues.apache.org/jira/browse/COLLECTIONS-580

Re: Upgrade commons-collections to 3.2.2.

Posted by Dennis Kieselhorst <ma...@dekies.de>.
I agree with Leonardo but I've created MYFACES-4020 and updated it for
the next version.

Regards
Dennis

On 23.11.2015 at 22:45, Leonardo Uribe wrote:
> Hi
>
> Ouch, I'm already running the TCK (artifacts already on nexus).
>
> I don't think that one affects JSF, because the viewState is
> encrypted/tampered by default. No need to do it right now, but
> good to know that for further releases (or if we do a rollback
> of the current one).
>
> regards,
>
> Leonardo Uribe
>
> 2015-11-23 16:37 GMT-05:00 Mike Kienenberger <mkienenb@gmail.com>:
>
>     Before we do another release, let's upgrade our commons-collections
>     dependency to 3.2.2 as certain JSF configurations likely present
>     attack vectors.
>
>     https://issues.apache.org/jira/browse/COLLECTIONS-580
>
>


Re: Upgrade commons-collections to 3.2.2.

Posted by Leonardo Uribe <lu...@gmail.com>.
Hi

Ouch, I'm already running the TCK (artifacts already on nexus).

I don't think that one affects JSF, because the viewState is
encrypted/tampered by default. No need to do it right now, but
good to know that for further releases (or if we do a rollback
of the current one).

regards,

Leonardo Uribe

2015-11-23 16:37 GMT-05:00 Mike Kienenberger <mk...@gmail.com>:

> Before we do another release, let's upgrade our commons-collections
> dependency to 3.2.2 as certain JSF configurations likely present
> attack vectors.
>
> https://issues.apache.org/jira/browse/COLLECTIONS-580
>