From ${URL}:

It was found that Mojarra JSF2 would not properly escape user-supplied content in certain circumstances. The contents of outputText tags and raw EL expressions that immediately follow <script> or <style> elements were not escaped. If a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the user's browser.

Upstream bug: https://java.net/jira/browse/JAVASERVERFACES-3150
Upstream patch commit: https://java.net/projects/mojarra/sources/svn/revision/12793

External References:
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/bc-p/6370209

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
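As an added illustration (not from the bug report, the upstream issue, or Mojarra itself) of the pattern the description refers to, here is a minimal Facelets view in which both an outputText tag and a raw EL expression sit directly after a <script> element. The page name, the bean-free use of the `param` implicit object, and the request parameter name `name` are assumptions made for the example; the only fix the bug supports is the version bump.

```xml
<!-- Added example, not part of the bug report or of Mojarra.
     Assumed: view is served as greeting.xhtml; the attacker-controlled
     input arrives in the request parameter "name". -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head><title>greeting</title></h:head>
<h:body>

  <script type="text/javascript">var page = "greeting";</script>
  <!-- Pattern described in the report: an outputText tag (escape="true"
       is the default, so escaping is expected) placed immediately after a
       <script> element. In the affected versions the value was written
       to the response without escaping. -->
  <h:outputText value="#{param['name']}" />

  <style type="text/css">body { margin: 0; }</style>
  <!-- Same situation with a raw EL expression after a <style> element. -->
  #{param['name']}

  <!-- With the fixed version both occurrences are entity-encoded, so a
       URL-encoded request value of <script>alert(1)</script> is rendered
       as &lt;script&gt;alert(1)&lt;/script&gt; instead of as markup. -->
</h:body>
</html>
```

To check a deployment, request the view with the parameter set to a URL-encoded `<script>alert(1)</script>` and compare the raw response body: an affected build reflects the angle brackets literally at the two marked positions, a fixed build entity-encodes them. Note that the bug is in the rendering layer, so neither `escape="true"` nor the default setting protects the affected versions; only upgrading does.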
commit fb21e83 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Thu Sep 3 15:52:55 2015 +0000

    dev-java/mojarra: Version bump. Fixes security bug 501280.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 dev-java/mojarra/files/mojarra-2.2.12-Util.java.patch
 create mode 100644 dev-java/mojarra/mojarra-2.2.12.ebuild
* commit 67e2d53
| Author: Patrice Clement <monsieurp@gentoo.org>
| Date:   Thu Sep 3 15:11:23 2015 +0000
|
|     www-servers/resin: Bump dev-java/mojarra SLOT to 2.2. Fixes security bug 501280.
|
|     Package-Manager: portage-2.2.18
|     Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
|
|  create mode 100644 www-servers/resin/resin-4.0.44-r2.ebuild
This package has never been stabilised.

monsieurp@epsilon ~/gentoo/dev-java/mojarra $ grep KEYWORDS *.ebuild
mojarra-1.2.15-r2.ebuild:KEYWORDS="amd64 x86"
mojarra-2.2.12.ebuild:KEYWORDS="~amd64 ~x86"
mojarra-2.2.9.ebuild:KEYWORDS="~amd64 ~x86"

commit 06a6731 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Thu Sep 3 15:57:56 2015 +0000

    dev-java/mojarra: Remove vulnerable versions. Fixes bug 501280.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 dev-java/mojarra/files/mojarra-2.2.9-Util.java.patch
 delete mode 100644 dev-java/mojarra/mojarra-1.2.15-r2.ebuild
 delete mode 100644 dev-java/mojarra/mojarra-2.2.9.ebuild

Arch teams,

Please stabilise: dev-java/mojarra-2.2.12.ebuild
Target arches: amd64 x86

Thank you.
My mistake: mojarra-1.2.15-r2 was stable but the only rdep was resin and I have just bumped it. resin being in ~arch, I shouldn't be breaking the tree.
GLSA Vote: No
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Clean up done already.
GLSA vote: no.