CVE-2011-1484 was fixed in https://sourceforge.net/projects/jboss/files/JBoss%20Seam/2.2.2.Final
CVE-2011-2196 was fixed in Seam 2: 2.3.0.ALPHA. This version is still using JSF 1.2, so you can go with that if you need to stick with JSF 1; the 2.3.0.ALPHA is just a mavenized 2.2.2.Final and a bunch of fixes.
Thanks for your reply. I couldn't find any hint in the changelog for that fix or a JBSEAM ticket for that.
What I would like to do is fix our current version 2.2.0; however, I cannot find a commit in the git repository. Would you please provide some information on which commit number that was, or at least who fixed that issue?
Thanks in advance,
It is in Release notes - Release Notes - JBoss Issue Tracker
The related issues are:
- [#JBSEAM-4844] Seam 2 does not properly block access to EL expressions - JBoss Issue Tracker
- [#JBSEAM-4816] NullPointerException in EL Expression evaluation - JBoss Issue Tracker
You should apply commits: