Please consider Releasing 4.2 with Security patch

stephan.m Aug 1, 2013 7:09 AM

Hi there,

please consider releasing the security patch also for the 4.2 tree. I try to migrate our project to 4.3.3 but due to Mojarra 2.1 and the new resource loading strategy this seem to be a big task.

If you don't want to release a version for 4.2, please point me to the files which need modification. I would like to patch RF on my own.

Thanks

1. Re: Please consider Releasing 4.2 with Security patch

bleathem Aug 2, 2013 5:27 PM (in response to stephan.m)

Have a look at this comment:
http://www.bleathem.ca/blog/2013/07/richfaces-CVE-2013-2165.html#comment-964624749

If it would help, we can prepare a git branch with the patch applied.

I'm curious, can you be more specific about what's holding you back from moving from RF 4.2 to 4.3? Maybe that's something we can overcome and you can use the latest jar with the security patch applied.
Actions
2. Re: Please consider Releasing 4.2 with Security patch

stephan.m Aug 7, 2013 5:33 AM (in response to bleathem)

Thanks I have patched 4.2 with this
https://source.jboss.org/changelog/RichFacesCore?cs=12ee1166f04806b3ba072d27f9a9b3b3feae2ec9

and it seems to work flawlessly.

At the moment we can't update to 4.3 due to resource loading changes. We overloading css styles and javascripts differently on alot of pages. So we can't easily migrate to a higher version without reconsidering the complete resource stuff. This task is too big considering the current page will be rewritten from scratch next year.

Best Regards
Actions

Go to original post