[
https://issues.jboss.org/browse/JBSEAM-5102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marek Novotny updated JBSEAM-5102:
----------------------------------
Summary: Seam examples use unencrypted client-side view state (was: CLONE
- Seam examples use unencrypted client-side view state)
Affects: (was: Release Notes)
> Seam examples use unencrypted client-side view state
> ----------------------------------------------------
>
> Key: JBSEAM-5102
> URL: https://issues.jboss.org/browse/JBSEAM-5102
> Project: Seam 2
> Issue Type: Bug
> Components: Examples
> Affects Versions: 2.3.0.Final
> Reporter: David Jorm
> Assignee: Marek Novotny
> Fix For: 2.3.1.CR1
>
>
> Some seam examples use unencrypted client-side view state. For example, on
> EAP 5.1.1:
> jboss-eap-5.1/seam/examples/seambay/resources/WEB-INF/web.xml
> Contains:
> <context-param>
> <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
> <param-value>client</param-value>
> </context-param>
> But not a corresponding ClientStateSavingPassword value to enable encryption.
> This renders the example applications vulnerable to CVE-2010-2087:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2087
> Please either change the STATE_SAVING_METHOD to server or enable encryption:
> <env-entry>
> <env-entry-name>ClientStateSavingPassword</env-entry-name>
> <env-entry-type>java.lang.String</env-entry-type>
> <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
> </env-entry>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues
