URGENT: Mining-script in PrimeFaces-Page? Where does it come from??
So can someone affected deploy an app with 6.1 PF and verify that app on the same infrastructure is not affected? That will help determine if it was fixed by that 5.3 patch for the EL injection bug.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
Excellent tak3shi, thanks for reporting back. Keep us in the loop.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
Please @Melloware, read https://github.com/primefaces/primeface ... -184753216. PF should have done this... It's a security fix and you cannot expect everyone to always upgrade to the latest versions... Bad, bad, bad publicity coming out now unfortunately which could have simply been prevented.
@kukeltje I agree with you. If something is a major security flaw like this one, a Community version should have been put out for people to mitigate the risk.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
This hack affected our site as well. Same scripts and duckdns for deepMiner.js. Same error logs with StreamedContentHandler, looking like issue #1152 from Git Issues. Redeploying our WAR removed the changed files.
We are using PF 5.3 of some kind (app was built and running before I arrived, trying to see what point release we have). Looking to upgrade to a safer version. Is there a 5.3.x version that is patched, or does this require going to 6.1? I don't see any licenses in our company's documentation, so I think we are just using the community versions from Maven.
This issue affected us as well. Same deepMiner.js and script, same Java exception at StreamedContentHandler (pointing to GitHub Issue #1152). Redeploying our WAR file overwrote the affected files, so that's a plus.
Looking to upgrade from version 5.3 to version 6.1, will see how hard that upgrade path is with our web app.
Wanted to confirm another instance of this, and that our analysis points to the same as this thread.
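An added example (not code from any poster in this thread): since both reports say redeploying the WAR overwrote the changed files, this check lists which deployed files differ from the WAR before a redeploy erases that evidence. The paths, file names and host in `demo()` are constructed; only the `deepMiner.js` name comes from the thread.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

INDICATOR = b"deepMiner.js"  # script name reported in this thread


def compare_war_to_deploy(war_path, deploy_dir):
    """Diff an exploded deployment against the WAR it was deployed from."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(war_path) as war:
        expected = {i.filename: digest(war.read(i))
                    for i in war.infolist() if not i.is_dir()}
    root = Path(deploy_dir)
    actual = {p.relative_to(root).as_posix(): p.read_bytes()
              for p in root.rglob("*") if p.is_file()}
    return {
        "added": sorted(set(actual) - set(expected)),
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(n for n in actual
                           if n in expected and digest(actual[n]) != expected[n]),
        "indicator": sorted(n for n, d in actual.items() if INDICATOR in d),
    }


def demo():
    """Constructed sample: a two-file WAR and a tampered copy of it on disk."""
    files = {"index.xhtml": b"<html><body>Hello</body></html>",
             "WEB-INF/web.xml": b"<web-app/>"}
    with tempfile.TemporaryDirectory() as tmp:
        war, deploy = Path(tmp, "app.war"), Path(tmp, "deployed")
        with zipfile.ZipFile(war, "w") as z:
            for name, data in files.items():
                z.writestr(name, data)
        for name, data in files.items():
            (deploy / name).parent.mkdir(parents=True, exist_ok=True)
            (deploy / name).write_bytes(data)
        # Constructed tampering: one page altered, one file not in the WAR.
        with open(deploy / "index.xhtml", "ab") as page:
            page.write(b'<script src="//host.example/deepMiner.js"></script>')
        (deploy / "extra.js").write_bytes(b"// constructed file absent from WAR")
        return compare_war_to_deploy(war, deploy)


if __name__ == "__main__":
    print(demo())
```

Application servers may write files of their own into the exploded directory, so entries under `added` need review rather than being proof of tampering.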
Guys,
I don't work for PrimeFaces so I am not trying to sell anything. But if you need immediate relief with little regression testing, you can sign up to Elite for 99$ a year and download version 5.3.17, which is patched with this fix.
https://www.primefaces.org/support/
Just wanted to give you an option that will get you out of the jam today!
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1