Result (Was: [VOTE] Release of MyFaces Trinidad 2.1.2 / 2.0.2 / 1.2.15)

2016-09-29 Thread Mike Kienenberger
Due to a security vulnerability, we were forced to vote on the release of Trinidad 2.12, 2.0.2, and 1.2.15 on the private@ list. Now that the vulnerability and releases to fix it have been made public, here is a summary of those votes. The vote started on 2016-09-21 and closed on 2016-09-26. The

Re: [ANNOUNCE] MyFaces Core v2.2.11 Release

2016-09-29 Thread Mike Kienenberger
+1 on this. While the "for web applications" limitation isn't technically correct, it is true in practice. On Fri, Sep 23, 2016 at 5:27 AM, Dennis Kieselhorst wrote: > Mike Kienenberger wrote >> We should probably add a description with less buzz words to describe >> JavaServer

Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

2016-09-29 Thread Mike Kienenberger
Clarification: The first line in this CVE [1] was a copy error during message composition and is not part of the CVE. This line can make it sound as if CVE-2016-5019 is only an information disclosure vulnerability rather than a deserialization attack vector. I apologize for the confusion. On

[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

2016-09-29 Thread Mike Kienenberger (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15533282#comment-15533282 ] Mike Kienenberger commented on TRINIDAD-2542: - The "information disclosure vulnerability"

[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

2016-09-29 Thread Brian Martin (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15533270#comment-15533270 ] Brian Martin commented on TRINIDAD-2542: Generally, deserialization attacks lead to remote code

[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

2016-09-29 Thread Mike Kienenberger (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15533170#comment-15533170 ] Mike Kienenberger commented on TRINIDAD-2542: - All users of Apache Trinidad should upgrade

[jira] [Resolved] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

2016-09-29 Thread Mike Kienenberger (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Kienenberger resolved TRINIDAD-2542. - Resolution: Fixed Assignee: Leonardo Uribe Fix Version/s:

CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

2016-09-29 Thread Mike Kienenberger
CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Trinidad from 1.0.0 to 1.0.13 Trinidad from 1.2.1 to 1.2.14 Trinidad from 2.0.0 to 2.0.1 Trinidad from 2.1.0 to 2.1.1 Description:

[ANNOUNCE][CVE-2016-5019] Apache MyFaces Trinidad 1.2.15 released

2016-09-29 Thread Mike Kienenberger
The Apache MyFaces team is pleased to announce the release of Apache MyFaces Trinidad 1.2.15. MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces that provides an extendibles framework and extensive skinning support. This version is designed to be used with the JSF 1.2

[ANNOUNCE][CVE-2016-5019] Apache MyFaces Trinidad 2.0.2 released

2016-09-29 Thread Mike Kienenberger
The Apache MyFaces team is pleased to announce the release of Apache MyFaces Trinidad 2.0.2. MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces that provides an extendibles framework and extensive skinning support. This version is designed to be used with the JSF 2.0

[ANNOUNCE][CVE-2016-5019] Apache MyFaces Trinidad 2.1.2 released

2016-09-29 Thread Mike Kienenberger
The Apache MyFaces team is pleased to announce the release of Apache MyFaces Trinidad 2.1.2. . MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces that provides an extendibles framework and extensive skinning support. This version is designed to be used with the JSF 2.1

[jira] [Created] (TRINIDAD-2542) placeholder

2016-09-29 Thread Mike Kienenberger (JIRA)
Mike Kienenberger created TRINIDAD-2542: --- Summary: placeholder Key: TRINIDAD-2542 URL: https://issues.apache.org/jira/browse/TRINIDAD-2542 Project: MyFaces Trinidad Issue Type: Bug

[jira] [Commented] (TOBAGO-1368) The standard theme will use Bootstrap

2016-09-29 Thread Hudson (JIRA)
[ https://issues.apache.org/jira/browse/TOBAGO-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15532392#comment-15532392 ] Hudson commented on TOBAGO-1368: SUCCESS: Integrated in Jenkins build Tobago 3.0.x #556 (See

[jira] [Created] (EXTVAL-162) DefaultValidatorId will not be set

2016-09-29 Thread Markus Dreher (JIRA)
Markus Dreher created EXTVAL-162: Summary: DefaultValidatorId will not be set Key: EXTVAL-162 URL: https://issues.apache.org/jira/browse/EXTVAL-162 Project: MyFaces Extensions Validator