The Apache MyFaces team is pleased to announce the release of Apache MyFaces Trinidad 2.1.2. . MyFaces Trinidad is a feature-rich renderkit for JavaServer(tm) Faces that provides an extendibles framework and extensive skinning support. This version is designed to be used with the JSF 2.1 specification.
CVE-2016-5019: Trinidad’s CoreResponseStateManager both reads and writes view state strings using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad bypasses the view state security features provided by the JSF implementations - ie. the view state is not encrypted and is not MAC’ed. Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state strings, which makes Trinidad-based applications vulnerable to deserialization attacks. Apache MyFaces Trinidad is available in both binary and source distributions, and there are examples available as well: * http://myfaces.apache.org/trinidad/download.html Apache MyFaces Trinidad is available in the central Maven repository under Group ID "org.apache.myfaces.trinidad" Release Notes - MyFaces Trinidad - Version 2.1.2 Bug [TRINIDAD-2542] - CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability [TRINIDAD-2228] - java.lang.UnsupportedOperationException [TRINIDAD-2282] - In validateLength, a default hintRange message is displayed instead of hintMaximum even when minimum value is not set [TRINIDAD-2436] - We should update Table's selection state during invoke application phase [TRINIDAD-2445] - Prevent exceptions from propagating out of the ServletFilter [TRINIDAD-2541] - Check UTF-8 encoding in example files Improvement [TRINIDAD-2239] - Improve the ancestor based change filtering mechanism by introducing a formal ComponentChangeFilter [TRINIDAD-2441] - URLUtil to escape a URL and remove invalid characters [TRINIDAD-2540] - Align Trinidad 2.1.x so it can be editable using Netbeans 8 regards, Mike Kienenberger