[jira] [Commented] (MYFACES-4032) upgrade common-beanutils to 1.9.2 to resolve security vulnerability

2016-02-18 Thread Leonardo Uribe (JIRA)

[ 
https://issues.apache.org/jira/browse/MYFACES-4032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15153753#comment-15153753
 ] 

Leonardo Uribe commented on MYFACES-4032:
-

MyFaces uses this library with commons-digester to read xml files like 
faces-config.xml, which is done at startup. In my understanding this is not a 
problem, because the issue mentioned in the CVE is related to the use of 
commons-beanutils to read request values and then do some processing. The 
problem is more related to struts than to beanutils. Anyway I'll check that. 

> upgrade common-beanutils to 1.9.2 to resolve security vulnerability
> ---
>
> Key: MYFACES-4032
> URL: https://issues.apache.org/jira/browse/MYFACES-4032
> Project: MyFaces Core
>  Issue Type: Bug
>Affects Versions: 2.2.8, 2.2.9
>Reporter: Santosh P
>Priority: Critical
>
> Hello,
> We have been reported for security vulnerable library common-beanutils-1.8.3. 
> Myfaces-impl is dependent on this library, which is downloaded to 
> application WEB-INF/lib while packaging. 
> Could you please upgrade to latest release 1.9.2 of common-beanutils and 
> make use of 'SuppressPropertiesBeanIntrospector'.
> More details can be found here:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
> http://openwall.com/lists/oss-security/2014/06/15/10
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
> https://issues.apache.org/jira/browse/BEANUTILS-463



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
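The mitigation the reporter asks for, shown as an added example that is not part of the JIRA thread or of MyFaces: a BeanUtilsBean with and without the SuppressPropertiesBeanIntrospector that commons-beanutils 1.9.2 introduced. The class name, the Settings bean and the isReadable helper are constructed here; the example assumes commons-beanutils 1.9.2 on the classpath.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Constructed example (not MyFaces code). CVE-2014-0114 is about the "class"
 * property being reachable through BeanUtils: a request-supplied property
 * name can walk from "class" into the ClassLoader. Registering the
 * SuppressPropertiesBeanIntrospector makes "class" an unknown property.
 */
public class BeanUtilsHardening {

    /** Plain bean standing in for anything BeanUtils might populate. */
    public static class Settings {
        private String name = "default";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Default behaviour: the "class" property is readable. */
    public static BeanUtilsBean unhardened() {
        return new BeanUtilsBean();
    }

    /** Hardened instance: the predefined introspector hides "class". */
    public static BeanUtilsBean hardened() {
        BeanUtilsBean utils = new BeanUtilsBean();
        utils.getPropertyUtils()
             .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return utils;
    }

    /** True if 'property' can be read from 'target' through the given BeanUtilsBean. */
    public static boolean isReadable(BeanUtilsBean utils, Object target, String property) {
        try {
            utils.getProperty(target, property);
            return true;
        } catch (NoSuchMethodException e) {
            return false;   // the introspector removed the property descriptor
        } catch (ReflectiveOperationException e) {
            return false;   // IllegalAccessException / InvocationTargetException
        }
    }

    public static void main(String[] args) {
        Settings s = new Settings();
        System.out.println("unhardened 'class' readable: " + isReadable(unhardened(), s, "class"));
        System.out.println("hardened   'class' readable: " + isReadable(hardened(), s, "class"));
        System.out.println("hardened   'name'  readable: " + isReadable(hardened(), s, "name"));
    }
}
```

Ordinary bean properties such as name stay readable; only the suppressed "class" property disappears, which is the check to run against any code path that feeds untrusted property names into BeanUtils.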


[jira] [Created] (MYFACES-4032) upgrade common-beanutils to 1.9.2 to resolve security vulnerability

2016-02-18 Thread Santosh P (JIRA)
Santosh P created MYFACES-4032:
--

 Summary: upgrade common-beanutils to 1.9.2 to resolve security 
vulnerability
 Key: MYFACES-4032
 URL: https://issues.apache.org/jira/browse/MYFACES-4032
 Project: MyFaces Core
  Issue Type: Bug
Affects Versions: 2.2.9, 2.2.8
Reporter: Santosh P
Priority: Critical


Hello,

We have been reported for security vulnerable library common-beanutils-1.8.3. 
Myfaces-impl is dependent on this library, which is downloaded to 
application WEB-INF/lib while packaging. 

Could you please upgrade to latest release 1.9.2 of common-beanutils and make 
use of 'SuppressPropertiesBeanIntrospector'.

More details can be found here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
http://openwall.com/lists/oss-security/2014/06/15/10
http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
https://issues.apache.org/jira/browse/BEANUTILS-463





[jira] [Commented] (TOBAGO-1532) Adding CVE check of OWASP to the release process

2016-02-18 Thread Mike Kienenberger (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152396#comment-15152396
 ] 

Mike Kienenberger commented on TOBAGO-1532:
---

Only partially related, but have you looked at integrating find-sec-bugs into 
the build process?  It's an external plugin for findbugs.

http://find-sec-bugs.github.io/
OWASP TOP 10 and CWE coverage
Extensive references are given for each bug pattern, with references to OWASP 
Top 10 and CWE. 


> Adding CVE check of OWASP to the release process
> 
>
> Key: TOBAGO-1532
> URL: https://issues.apache.org/jira/browse/TOBAGO-1532
> Project: MyFaces Tobago
>  Issue Type: Improvement
>  Components: Build
>Reporter: Udo Schnurpfeil
>Assignee: Udo Schnurpfeil
>Priority: Minor
>
> There is a tool from OWASP to check for known security problems in dependent 
> libraries.
> See https://www.owasp.org/index.php/OWASP_Dependency_Check





[jira] [Commented] (TOBAGO-1533) Java 8 can't build the JavaDoc, because it's more strict

2016-02-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152302#comment-15152302
 ] 

Hudson commented on TOBAGO-1533:


FAILURE: Integrated in tobago-3.0.x #240 (See 
[https://builds.apache.org/job/tobago-3.0.x/240/])
Merged from trunk
unit test works now with Java 8 [from revision 1731050]
TOBAGO-1533: Java 8 can't build the JavaDoc, because it's more strict [from 
revision 1731051] (lofwyr: [http://svn.apache.org/viewvc/?view=rev=1731058])
* tobago-3.0.x
* tobago-3.0.x/pom.xml


> Java 8 can't build the JavaDoc, because it's more strict
> 
>
> Key: TOBAGO-1533
> URL: https://issues.apache.org/jira/browse/TOBAGO-1533
> Project: MyFaces Tobago
>  Issue Type: Task
>Affects Versions: 3.0.0-alpha-2, 2.0.9
>Reporter: Udo Schnurpfeil
>Assignee: Udo Schnurpfeil
>
> For Tobago 2.0.x we should activate 
> {code}
> -Xdoclint:none
> {code}
> For Tobago 3.0.x we should fix the problems.





[jira] [Commented] (TOBAGO-1532) Adding CVE check of OWASP to the release process

2016-02-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152301#comment-15152301
 ] 

Hudson commented on TOBAGO-1532:


FAILURE: Integrated in tobago-3.0.x #240 (See 
[https://builds.apache.org/job/tobago-3.0.x/240/])
Merged from trunk
TOBAGO-1532: Adding CVE check of OWASP to the release process [from revision 
1731054]
TOBAGO-1532: Adding CVE check of OWASP to the release process
* define a (hard) score [from revision 1731057] (lofwyr: 
[http://svn.apache.org/viewvc/?view=rev=1731064])
* tobago-3.0.x
* tobago-3.0.x/pom.xml


> Adding CVE check of OWASP to the release process
> 
>
> Key: TOBAGO-1532
> URL: https://issues.apache.org/jira/browse/TOBAGO-1532
> Project: MyFaces Tobago
>  Issue Type: Improvement
>  Components: Build
>Reporter: Udo Schnurpfeil
>Assignee: Udo Schnurpfeil
>Priority: Minor
>
> There is a tool from OWASP to check for known security problems in dependent 
> libraries.
> See https://www.owasp.org/index.php/OWASP_Dependency_Check





[jira] [Commented] (TOBAGO-1532) Adding CVE check of OWASP to the release process

2016-02-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152300#comment-15152300
 ] 

Hudson commented on TOBAGO-1532:


SUCCESS: Integrated in Tobago 2.0.x #1428 (See 
[https://builds.apache.org/job/Tobago%202.0.x/1428/])
TOBAGO-1532: Adding CVE check of OWASP to the release process
* define a (hard) score (lofwyr: 
[http://svn.apache.org/viewvc/?view=rev=1731057])
* tobago-trunk/pom.xml
TOBAGO-1532: Adding CVE check of OWASP to the release process (lofwyr: 
[http://svn.apache.org/viewvc/?view=rev=1731054])
* tobago-trunk/pom.xml


> Adding CVE check of OWASP to the release process
> 
>
> Key: TOBAGO-1532
> URL: https://issues.apache.org/jira/browse/TOBAGO-1532
> Project: MyFaces Tobago
>  Issue Type: Improvement
>  Components: Build
>Reporter: Udo Schnurpfeil
>Assignee: Udo Schnurpfeil
>Priority: Minor
>
> There is a tool from OWASP to check for known security problems in dependent 
> libraries.
> See https://www.owasp.org/index.php/OWASP_Dependency_Check





[jira] [Commented] (TOBAGO-1533) Java 8 can't build the JavaDoc, because it's more strict

2016-02-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152238#comment-15152238
 ] 

Hudson commented on TOBAGO-1533:


UNSTABLE: Integrated in Tobago 2.0.x #1427 (See 
[https://builds.apache.org/job/Tobago%202.0.x/1427/])
TOBAGO-1533: Java 8 can't build the JavaDoc, because it's more strict (lofwyr: 
[http://svn.apache.org/viewvc/?view=rev=1731051])
* tobago-trunk/pom.xml


> Java 8 can't build the JavaDoc, because it's more strict
> 
>
> Key: TOBAGO-1533
> URL: https://issues.apache.org/jira/browse/TOBAGO-1533
> Project: MyFaces Tobago
>  Issue Type: Task
>Affects Versions: 3.0.0-alpha-2, 2.0.9
>Reporter: Udo Schnurpfeil
>Assignee: Udo Schnurpfeil
>
> For Tobago 2.0.x we should activate 
> {code}
> -Xdoclint:none
> {code}
> For Tobago 3.0.x we should fix the problems.





[jira] [Commented] (TOBAGO-1533) Java 8 can't build the JavaDoc, because it's more strict

2016-02-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152173#comment-15152173
 ] 

Hudson commented on TOBAGO-1533:


FAILURE: Integrated in tobago-3.0.x #239 (See 
[https://builds.apache.org/job/tobago-3.0.x/239/])
TOBAGO-1533: Java 8 can't build the JavaDoc, because it's more strict (lofwyr: 
[http://svn.apache.org/viewvc/?view=rev=1731040])
* 
tobago-3.0.x/tobago-core/src/main/java/org/apache/myfaces/tobago/ajax/AjaxUtils.java
* tobago-3.0.x/tobago-tool/tobago-theme-plugin/pom.xml


> Java 8 can't build the JavaDoc, because it's more strict
> 
>
> Key: TOBAGO-1533
> URL: https://issues.apache.org/jira/browse/TOBAGO-1533
> Project: MyFaces Tobago
>  Issue Type: Task
>Affects Versions: 3.0.0-alpha-2, 2.0.9
>Reporter: Udo Schnurpfeil
>Assignee: Udo Schnurpfeil
>
> For Tobago 2.0.x we should activate 
> {code}
> -Xdoclint:none
> {code}
> For Tobago 3.0.x we should fix the problems.





[jira] [Created] (TOBAGO-1533) Java 8 can't build the JavaDoc, because it's more strict

2016-02-18 Thread Udo Schnurpfeil (JIRA)
Udo Schnurpfeil created TOBAGO-1533:
---

 Summary: Java 8 can't build the JavaDoc, because it's more strict
 Key: TOBAGO-1533
 URL: https://issues.apache.org/jira/browse/TOBAGO-1533
 Project: MyFaces Tobago
  Issue Type: Task
Affects Versions: 2.0.9, 3.0.0-alpha-2
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil


For Tobago 2.0.x we should activate 
{code}
-Xdoclint:none
{code}

For Tobago 3.0.x we should fix the problems.






[jira] [Commented] (TOBAGO-1524) Use standard ajax mechanism

2016-02-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/TOBAGO-1524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15152091#comment-15152091
 ] 

Hudson commented on TOBAGO-1524:


FAILURE: Integrated in tobago-3.0.x #238 (See 
[https://builds.apache.org/job/tobago-3.0.x/238/])
TOBAGO-1524: Use standard ajax mechanism
* Temporarily undo the new AJAX stuff for  because it's not working 
yet (lofwyr: [http://svn.apache.org/viewvc/?view=rev=1731027])
* 
tobago-3.0.x/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago-suggest.js


> Use standard ajax mechanism
> ---
>
> Key: TOBAGO-1524
> URL: https://issues.apache.org/jira/browse/TOBAGO-1524
> Project: MyFaces Tobago
>  Issue Type: Improvement
>  Components: Core
>Affects Versions: 3.0.0-alpha-2
>Reporter: Dennis Kieselhorst
>Assignee: Udo Schnurpfeil
>Priority: Critical
> Fix For: 3.0.0-beta-1
>
> Attachments: ajax_30.patch
>
>
> Tobago supports Ajax from the very beginning. With JSF 2.0 Ajax became part 
> of the standard (f:ajax). We should move over to the standard javascript to 
> enhance the robustness. Currently we have several open issues related to Ajax 
> requests.
> Here are some aspects:
> * Tobago supports CSP (Content Security Policy): So, we don't render 
> JavaScript directly into the HTML
> * Using jsf.js for partial reloading
> * Using ClientBehaviour for 
> Todo:
> * implement reload facet with behavior
> * fix sheet-master-detail.xhtml: The action will not be called, currently
> * same issue with the paging command links of sheet





[jira] [Created] (TOBAGO-1532) Adding CVE check of OWASP to the release process

2016-02-18 Thread Udo Schnurpfeil (JIRA)
Udo Schnurpfeil created TOBAGO-1532:
---

 Summary: Adding CVE check of OWASP to the release process
 Key: TOBAGO-1532
 URL: https://issues.apache.org/jira/browse/TOBAGO-1532
 Project: MyFaces Tobago
  Issue Type: Improvement
  Components: Build
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil
Priority: Minor


There is a tool from OWASP to check for known security problems in dependent 
libraries.
See https://www.owasp.org/index.php/OWASP_Dependency_Check





[jira] [Commented] (MYFACES-4028) Custom Taglib with composite components and JSTL

2016-02-18 Thread Christian Beikov (JIRA)

[ 
https://issues.apache.org/jira/browse/MYFACES-4028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15151965#comment-15151965
 ] 

Christian Beikov commented on MYFACES-4028:
---

Well, the id attribute is not the same as an id attribute of a normal component, 
since "test:row" is a custom tag in a taglib.
The id attribute is just used for a div, which is evaluated at view render time.

The problem is when doing #{not empty id} which causes the "id" and by that the 
"cc.clientId" to be accessed and cached.

It would be nice if the JSTL tags had some kind of blacklist of properties that 
may not be used along with them. That way an exception could be thrown because 
using "clientId" during view build time is always illegal.

> Custom Taglib with composite components and JSTL
> 
>
> Key: MYFACES-4028
> URL: https://issues.apache.org/jira/browse/MYFACES-4028
> Project: MyFaces Core
>  Issue Type: Bug
>Affects Versions: 2.1.17, 2.2.9
>Reporter: Christian Beikov
>Assignee: Leonardo Uribe
> Attachments: issue.zip
>
>
> I tested this on Wildfly 10.0.0.CR5 with both MyFaces 2.1.17 and 2.2.9, but I 
> suppose this issue is not specific to my environment.
> The example project can be found on Github: 
> https://github.com/beikov/myfaces-composite-jstl-issue
> I think the essential problem is that a composite component passes an EL 
> expression to a custom tag which then uses the expression in a JSTL Tag.
> I don't know if it's just illegal to do something like this, or if there is 
> an actual bug, but if it is the former, I'd expect an exception.
> Depending on whether the property 
> "org.apache.myfaces.REFRESH_TRANSIENT_BUILD_ON_PSS_PRESERVE_STATE" is enabled 
> the behavior is different.
> When enabled, the converter that is attached to the composite component will 
> be considered for state saving which in this case leads to a converter 
> without state when restoring and finally leading to a converter exception on 
> postback.
> When disabled, the first postback request just seems to do nothing, but then, 
> it seemingly works as expected.


