Bug 24428

Summary: CVE-2010-2057: Encrypted View State does not include Message Authentication Code (MAC)
Product: Sisyphus
Reporter: Vladimir Lettiev <crux>
Component: myfaces
Assignee: viy <viy>
Status: CLOSED FIXED
QA Contact: qa-sisyphus
Severity: blocker
Priority: P3
CC: damir, mithraen, viy
Version: unstable
Keywords: security
Hardware: all
OS: Linux
URL: https://issues.apache.org/jira/browse/MYFACES-2749

Description Vladimir Lettiev 2010-10-26 19:44:23 MSD
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
Comment 1 viy 2015-10-28 01:07:31 MSK
The package has been removed from the repository.