[seam-dev] Fwd: JSF security issue

Stuart Douglas stuart at baileyroberts.com.au
Wed Jun 9 07:25:39 EDT 2010


It looks like this only affects apps that use encrypted client side state saving?  

Stuart

On 09/06/2010, at 9:03 PM, Shane Bryzak wrote:

> Is this something that requires our attention?
> 
> -------- Original Message --------
> Subject:	JSF security issue
> Date:	Wed, 09 Jun 2010 06:52:04 -0400
> From:	Chris Bredesen <cbredesen at redhat.com>
> To:	jboss-support-jsf at redhat.com
> 
> Y'all see this yet?
> 
> -------- Original Message --------
> Subject: FYI: JSF Known Issue
> Date: Tue, 8 Jun 2010 11:35:41 -0400
> From: Steve 'Ashcrow' Milner <smilner at redhat.com>
> To: Chris Bredesen <cbredesen at redhat.com>
> 
> http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
> 
> "The researchers tested the attack in JavaServer Faces implemented
> into the Apache webserver, as well as Sun's Mojarra. They said many
> other implementations are also likely to be vulnerable."
> 
> -- 
> kthxbye!
> Steve 'Ashcrow' Milner
> Agent of Infosec
> RHCE: 
> https://www.redhat.com/training/certification/verify/?certno=805009277242449
> ITIL Foundation: c.721843
> IRC: ashcrow
> GnuPG ID: 28DFD4BE
> 
> "In the heat of conversation I may have said certain things I believe
> to be untrue. The alleged lie that you might have heard me saying
> allegedly moments ago ... that's a parasite that lives in my neck."
>       -- Tad Ghostal
> 
> 
