-
1. Re: Fix for CVE2011-2196 for Seam 2.2.x Community Edition
manarh Aug 27, 2013 10:33 AM (in response to eddykaya)
CVE 2011-1484 was fixed in https://sourceforge.net/projects/jboss/files/JBoss%20Seam/2.2.2.Final
CVE 2011-2196 was fixed in Seam 2: 2.3.0.ALPHA. This version is still using JSF 1.2, so you can go with that if you need to stick with JSF 1. The 2.3.0.ALPHA is just a mavenized 2.2.2.Final and a bunch of fixes.
-
2. Re: Fix for CVE2011-2196 for Seam 2.2.x Community Edition
manarh Aug 27, 2013 10:41 AM (in response to eddykaya)
FYI, the download is here: http://sourceforge.net/projects/jboss/files/JBoss%20Seam/2.3.0.ALPHA/
-
3. Re: Fix for CVE2011-2196 for Seam 2.2.x Community Edition
eddykaya Aug 28, 2013 3:02 AM (in response to manarh)
Hello Marek,
thanks for your reply. I couldn't find any hint in the changelog for that fix or a JBSEAM ticket for that.
What I would like to do is fix our current version 2.2.0; however, I cannot find a commit in the git repository. Would you please provide some information on which commit number that was, or at least who fixed that issue?
Thanks in advance,
Eddy
-
4. Re: Fix for CVE2011-2196 for Seam 2.2.x Community Edition
manarh Aug 28, 2013 4:45 AM (in response to eddykaya)
It is in Release notes - Release Notes - JBoss Issue Tracker
The related issues are:
- [#JBSEAM-4844] Seam 2 does not properly block access to EL expressions - JBoss Issue Tracker
- [#JBSEAM-4816] NullPointerException in EL Expression evaluation - JBoss Issue Tracker
You should apply commits:
-
5. Re: Fix for CVE2011-2196 for Seam 2.2.x Community Edition
eddykaya Aug 28, 2013 5:05 AM (in response to manarh)
Thanks a lot!