CVE-2010-2087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2087): Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
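The vulnerability above hinges on the JSF view state being serialized into the page unencrypted, so a modified copy is deserialized and its EL evaluated. The fragment below is an added example (a hypothetical WEB-INF/web.xml for a JSF application; not code from the bug report or from the Mojarra project) showing the setting that sends the serialized view to the browser beside the one that keeps it in the server-side session, which is the usual configuration-level mitigation alongside upgrading to the fixed package version discussed in this bug.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hypothetical deployment descriptor for a JSF web application.
     The parameter names are the standard JSF ones; the application itself is assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Risky on the affected Mojarra versions: the serialized view is written into
       the page as the hidden javax.faces.ViewState field and round-tripped through
       the client without encryption, so a tampered copy is accepted on postback. -->
  <!--
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  -->

  <!-- Mitigation: keep the view state in the HTTP session on the server. The
       client then only carries a state identifier, not a serialized object
       that could be altered before it is deserialized. -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>

</web-app>
```

Server-side state saving is defence in depth for this issue, not a replacement for moving to the fixed Mojarra version; it also changes memory use per session, so check the number of views retained per session for the deployed release.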
1.2_15 is at RC2 - there is no official release yet. I can add 1.2.15_rc2 to the tree but I would like to wait for proper release of 1.2_15, security: your opinion on this?
(In reply to comment #1)
> 1.2_15 is at RC2 - there is no official release yet. I can add 1.2.15_rc2 to
> the tree but I would like to wait for proper release of 1.2_15, security: your
> opinion on this?

No hurry, the package is not stable afaics.
(In reply to comment #2)
> No hurry, the package is not stable afaics.

Yes, let's wait for up to two weeks (19/06) and if there's no final 1.2_15 I'll go ahead with whatever _rc version there will be.
Finally dev-java/mojarra-1.2.15 is in the tree. Alex: what's the next step? Should I just remove 1.2.14 from the tree? There never was a stable version of mojarra.
(In reply to comment #4)
> Finally dev-java/mojarra-1.2.15 is in the tree.

Thanks.

> Alex: what's the next step?
> Should I just remove 1.2.14 from the tree? There never was a stable version of
> mojarra.

Yes, please remove it.