7 Replies Latest reply on Nov 4, 2011 12:36 PM by Serkan Eskici

    Seam 2.2.2.Final security release

    Marek Novotny Newbie

      Today I released a SECURITY release - Seam 2.2.2.Final. It is recommended to upgrade to this version. The Seam Team thanks Martin Kouba, who reported the security issue. Details can be found at https://www.redhat.com/security/data/cve/CVE-2011-1484.html


      The release also fixed 3 other issues which were important and were already fixed in the 2.2 branch before the security issue report. See the Release Notes.


      The Seam 2 Distribution Downloads page is updated for the release, or you can download it directly at sourceforge.net

        • 1. Re: Seam 2.2.2.Final security release
          Joshua D Novice

          This error started happening post migration to 2.2.2.Final from 2.2.1.Final. Can someone shed some light on this?


              /** {@inheritDoc} */
              @Override
              protected void initDefaultMessages() {
                  Expressions expressions = new Expressions();
          
                  setCreatedMessage(expressions.createValueExpression(null));
                  setUpdatedMessage(expressions.createValueExpression(null));
                  setDeletedMessage(expressions.createValueExpression(null));
              }
          



          I get the following error on the first setCreatedMessage call.


          Caused by: java.lang.NullPointerException
          at org.jboss.seam.core.Expressions.checkELExpression(Expressions.java:311)
          at org.jboss.seam.core.Expressions.createValueExpression(Expressions.java:122)
          at org.jboss.seam.core.Expressions.createValueExpression(Expressions.java:100)
          at com.mycompany.action.CalendarHome.initDefaultMessages(CalendarHome.java:185)
          at org.jboss.seam.framework.Home.create(Home.java:107)
          at org.jboss.seam.framework.EntityHome.create(EntityHome.java:30)
          



          • 2. Re: Seam 2.2.2.Final security release
            Marek Novotny Newbie

            This seems like a bug, sorry :-(. Could you file an issue? Anyway, a workaround can be to not use a NULL value for creating the EL expression.

            • 3. Re: Seam 2.2.2.Final security release
              rayudu g Newbie

              Please help me with Seam and Tide configuration for a Flex 3.0 application.



              • 4. Re: Seam 2.2.2.Final security release
                Marek Novotny Newbie

                Sorry, I haven't used Seam2 with Flex yet. But I know there are basically 2 options - Flamingo or GraniteDS.


                Try to follow:
                Flamingo Tutorial
                or
                Exadel's Flamingo project page


                Regarding GraniteDS, you can look at the GraniteDS project.

                • 5. Re: Seam 2.2.2.Final security release
                  Serkan Eskici Novice

                  I don't know if this is the correct place to post this, but I've discovered an error in the Query class which builds a wrong count-query if you select more than 1 column in your select statement and when there is a groupby in the SQL.


                  I had the following ejbql in my EntityQuery:


                  select min(e.receivedDate), count(*) 
                  from Entity e 
                  where ... 
                  groupby date_trunc('year', e.receivedDate) #{searchCriteria.getGroupBy()}
                  



                  The generated count query was this:


                  select distinct date_trunc('year', l.receivedDate) #{reportCriteria.getGroupBy()}
                  from etc.
                  



                  And this is wrong.


                  To fix this I had to change getCountQuery in the Query class to this:


                  protected String getCountEjbql() {
                  ...
                  ...
                  ...
                          String subject;
                          if (useWildcardAsCountQuerySubject) {
                              subject = "*";
                          }
                          // to be JPA-compliant, we need to make this query like "select count(u) from User u"
                          // however, Hibernate produces queries some databases cannot run when the primary key is
                          // composite
                          else {
                              Matcher subjectMatcher = SUBJECT_PATTERN.matcher(ejbql);
                              if (subjectMatcher.find()) {
                                  subject = subjectMatcher.group(1);
                              }
                              else {
                                  throw new IllegalStateException("invalid select clause for query");
                              }
                          }
                  }
                  



                  I removed the if(getGroupby != null) check and I've set the useWildcardAsCountQuerySubject = true in a subclass of EntityQuery and now my count query gets generated correctly.


                  I hope this helps someone and hopefully this will be fixed in later versions.

                  • 6. Re: Seam 2.2.2.Final security release
                    Marek Novotny Newbie

                    It seems similar to JBSEAM-4694; could you file a JIRA issue if not?


