Hi Daniel,
In regard to migrating from 6.x to 7.x if this helps...
We migrated a MASSIVE Website creation app/CMS plus a generic web app
development platform, all built on Wicket 6, to Wicket 7 in a
surprisingly quick time.
For a long time (years) we had feared the Wicket 6->7 migration so kept
putting it off as we expected it might take weeks but in the end it only
took a couple of days!
We were pleasantly surprised. Java being a statically typed language
really helps you find most of the issues via compilation but there are a
few issues you will need to look out for as detailed in the migration
notes - but we didn't find these a major burden to locate and resolve.
Wicket 7 even fixed an issue in our app that we had been trying to fix
in 6.x that we thought was a problem in our code but might well have
been a 6.x glitch because it started working fine once we ported to
Wicket 7.x!
Hope that helps :)
Regards,
Chris
On 11/08/2022 6:05 pm, Martin Grigorov wrote:
Hi,
Wicket 6.x is no longer supported.
Wicket 7.x is the current security maintenance branch.
Your options are:
- patch locally
- upgrade to a newer version
On Wed, Aug 10, 2022 at 6:17 PM Daniel Stoch <daniel.st...@gmail.com> wrote:
Hi,
Is there any JIRA issue for this? I tried to find one, but no issue in Wicket
JIRA points directly to CVE-2020-11976.
One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is
already fixed also for Wicket 6.31.0, can you release this version?
--
Best regards,
Daniel Stoch
On Mon, 10 Aug 2020 at 18:23 <svenme...@apache.org> wrote:
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
Description:
By crafting a special URL it is possible to make Wicket deliver
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information
inside an HTML template that is usually removed during rendering.
For example if there are credentials in the markup which are never
supposed to be visible to the client:
<wicket:remove>
some secret
</wicket:remove>
The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
Credit:
The vulnerability has been found and reported by Mariusz Popławski from
Afine.
Apache Wicket Team