Date: Thu, 29 Sep 2016 11:50:07 -0400
From: Mike Kienenberger <mkienenb@...il.com>
To: announce@...aces.apache.org, MyFaces Development <dev@...aces.apache.org>, 
	MyFaces Discussion <users@...aces.apache.org>
Cc: "security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com, 
	bugtraq@...urityfocus.com
Subject: [ANNOUNCE][CVE-2016-5019] Apache MyFaces Trinidad 2.0.2 released

The Apache MyFaces team is pleased to announce the release of Apache
MyFaces Trinidad 2.0.2.

MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces
that provides an extendible framework and extensive skinning support.
This version is designed to be used with the JSF 2.0 specification and
works with either Mojarra or MyFaces.

CVE-2016-5019:
Trinidad’s CoreResponseStateManager both reads and writes view state
strings using ObjectInputStream/ObjectOutputStream directly.  By doing
so, Trinidad bypasses the view state security features provided by the
JSF implementations - i.e. the view state is not encrypted and is not
MAC’ed.  Trinidad’s CoreResponseStateManager will blindly deserialize
untrusted view state strings, which makes Trinidad-based applications
vulnerable to deserialization attacks.

Apache MyFaces Trinidad is available in both binary and source
distributions, and there are examples available as well:

    * http://myfaces.apache.org/trinidad/download.html

Apache MyFaces Trinidad is available in the central Maven repository
under Group ID "org.apache.myfaces.trinidad"

Release Notes - MyFaces Trinidad - Version 2.0.2

Bug

    [TRINIDAD-2542] - CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

    [TRINIDAD-2218] - Need an ability for the WindowManager implementation to be executed before all Configurators and filters and to complete the response
    [TRINIDAD-2224] - Client DateTimeConverter _fix2DYear does not handle th_TH locale
    [TRINIDAD-2230] - adjustments to the UIXComponentBase subscribeToEvent and unsubscribeFromEvent implementation
    [TRINIDAD-2233] - x-frame-options header not working in trinidad
    [TRINIDAD-2245] - ForEach tag throws ArrayIndexOfBoundsException when the end attribute is same as the size of the List
    [TRINIDAD-2252] - ViewDeclarationLanguageFactoryImpl$ChangeApplyingVDLWrapper does not override non-abstract retargetMethodExpressions() causing composite component actions not to fire
    [TRINIDAD-2260] - tr:inputListOfValues - no ReturnEvent is fired when using facelets
    [TRINIDAD-2262] - UIXComponentBase calls setInView(false) before the component is actually removed from tree
    [TRINIDAD-2263] - StateManagerImp.saveView should not check current request token
    [TRINIDAD-2285] - avoid exceptions in design time for agent rules
    [TRINIDAD-2286] - alias wrongly specified in base-desktop.css
    [TRINIDAD-2289] - function _pprControlCapture() causes an error in IE8 when it tries to focus on a PPR'd element
    [TRINIDAD-2299] - f:convertnumber throws error when the number input by user has leading or trailing grouping separator char
    [TRINIDAD-2301] - avoid exceptions in design time when wrong style sheet name is specified in trinidad-skins.xml
    [TRINIDAD-2303] - State saving skips facets (component resources).
    [TRINIDAD-2309] - perf: change the concurrenthashmap to arraymap and fix the golden files
    [TRINIDAD-2327] - update RenderingContext.getIcon() documentation
    [TRINIDAD-2329] - remove acc datatable=0 from non data tables
    [TRINIDAD-2340] - LocaleElementsResourceLoader init dependency on request path
    [TRINIDAD-2348] - HeadRenderer renders meta tags in wrong order for IE
    [TRINIDAD-2349] - TreeRenderer renders duplicate IDs
    [TRINIDAD-2393] - GlobalConfiguratorImpl will not always clean up resources
    [TRINIDAD-2408] - TrPage._getTextContent is not working in IE10
    [TRINIDAD-2525] - IE 11 - Unsupported JavaScript methods are used in Trinidad

Improvement

    [TRINIDAD-2172] - pseudo classes missing from CSSGenerationUtils
    [TRINIDAD-2186] - Clirr runner tests should work off last revision rather than a fixed label
    [TRINIDAD-2226] - Provide mechanism to reload skin definitions from trinidad-skins.xml
    [TRINIDAD-2235] - Skinning: stable names for generated style sheets
    [TRINIDAD-2248] - Change component templating scheme to generate superclasses of templated components rather than the templated components themselves
    [TRINIDAD-2253] - Ability to synchronize UI view size with model cache size
    [TRINIDAD-2292] - Update Clirr Runner tests to check against Trinidad 2.0.0
    [TRINIDAD-2330] - Add support for base64 encoded images in skin files.
    [TRINIDAD-2391] - Enhancements to allow for custom FileUpload code
    [TRINIDAD-2392] - Ability to control skin and compression programmatically
    [TRINIDAD-2394] - LabeledFacesMessage is not appropriately serializable

New Feature

    [TRINIDAD-2234] - Pregeneration of skin style sheets

regards,

Mike Kienenberger
