I agree with Leonardo but I've created MYFACES-4020 and updated it for the next version.
Regards Dennis Am 23.11.2015 um 22:45 schrieb Leonardo Uribe: > Hi > > Ouch, I'm already running the TCK (artifacts already on nexus). > > I don't thing that one affects JSF, because the viewState is > encrypted/tampered by default. No need to do it right now, but > good to know that for further releases (or if we do a rollback > of the current one). > > regards, > > Leonardo Uribe > > 2015-11-23 16:37 GMT-05:00 Mike Kienenberger <[email protected] > <mailto:[email protected]>>: > > Before we do another release, let's upgrade our commons-collections > dependency to 3.2.2 as certain JSF configurations likely present > attack vectors. > > https://issues.apache.org/jira/browse/COLLECTIONS-580 > >
