Hi Daniel,

On 11/08/2022 7:45 pm, Daniel Stoch wrote:

We have a plan to upgrade (at last ;))

Yeehah!

Wicket to a newer version (9.x), but it is not quite easy for a big application

Our app has 1034 Wicket UI classes - that's just pure Wicket UI classes - don't ask about the number of classes in the business layer/domain model ;)

and unfortunately we have to patch Wicket code by ourselves to fix issues described in WICKET-5588 (including JavaScript: if this code has many changes between 6.x and 9.x it can be quite hard to do it). It would be much easier to upgrade if this problem was fixed in the standard version of Wicket.

I think jumping from 6 -> 9 directly might be a bit too adventurous - you have to consider all framework changes across 7, 8 and 9.

That's why we decided to migrate one step at a time: "single stepping" from 6->7 (done) then 7->8 then 8->9.

The good thing about 6->7->8 is that you can stick with Java 8 and so not have to be concerned with any issues that changing your Java version may bring (assuming you're currently using 1.8)


--
Best regards,
Daniel Stoch



Thu, 11 Aug 2022 at 10:06 Martin Grigorov <mgrigo...@apache.org> wrote:

Hi,

Wicket 6.x is no more supported.
Wicket 7.x is the current security maintenance branch.

Your options are:
- patch locally
- upgrade to a newer version

On Wed, Aug 10, 2022 at 6:17 PM Daniel Stoch <daniel.st...@gmail.com> wrote:

Hi,

Is there any JIRA issue for this? I tried to find one, but no issue in Wicket JIRA points directly to CVE-2020-11976.
One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is already fixed also for Wicket 6.31.0, can you release this version?

--
Best regards,
Daniel Stoch


Mon, 10 Aug 2020 at 18:23 <svenme...@apache.org> wrote:

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5

Description:

By crafting a special URL it is possible to make Wicket deliver
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information
inside an HTML template that is usually removed during rendering.
For example if there are credentials in the markup which are never
supposed to be visible to the client:

    <wicket:remove>
       some secret
    </wicket:remove>

The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>

Credit:
The vulnerability has been found and reported by Mariusz Popławski from
Afine.

Apache Wicket Team
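
A defensive complement to the upgrade the advisory recommends, added here as an example and not code from Wicket or from anyone in this thread: a small Python lint that scans Wicket HTML templates for <wicket:remove> blocks whose body looks like a credential, so that a template-disclosure bug of this kind has nothing sensitive left to expose. The secret heuristics, the helper names and the sample template are constructed for illustration.

```python
import re
from pathlib import Path

REMOVE_BLOCK = re.compile(r"<wicket:remove\b[^>]*>(.*?)</wicket:remove>",
                          re.IGNORECASE | re.DOTALL)  # one block, may span lines

# Constructed heuristics for material that has no business being in markup at all.
SECRET_PATTERNS = [
    re.compile(r"\b(password|passwd|pwd)\s*[:=]", re.IGNORECASE),
    re.compile(r"\b(api[_-]?key|secret|token)\s*[:=]", re.IGNORECASE),
    re.compile(r"\bjdbc:[a-z0-9]+:", re.IGNORECASE),
]

def find_remove_blocks(markup: str) -> list[tuple[int, str]]:
    """Return (line_number, inner_text) for every <wicket:remove> block in a template."""
    blocks = []
    for m in REMOVE_BLOCK.finditer(markup):
        line = markup.count("\n", 0, m.start()) + 1  # 1-based line of the opening tag
        blocks.append((line, m.group(1).strip()))
    return blocks

def flag_secrets(markup: str) -> list[tuple[int, str]]:
    """Return (line_number, pattern) for remove-blocks whose body looks like a secret."""
    findings = []
    for line, body in find_remove_blocks(markup):
        for pat in SECRET_PATTERNS:
            if pat.search(body):
                findings.append((line, pat.pattern))
                break  # one finding per block is enough
    return findings

def scan_templates(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every *.html under root (Wicket keeps templates beside the Java classes)."""
    hits = {}
    for path in sorted(Path(root).rglob("*.html")):
        found = flag_secrets(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample template: one harmless design-time block, one leaked credential.
SAMPLE = """<html><body>
<wicket:remove>
  <p>Designer preview row, harmless</p>
</wicket:remove>
<div wicket:id="login"></div>
<wicket:remove>
  db.password = hunter2
</wicket:remove>
</body></html>"""
```

`scan_templates("src/main/java")` runs it over a source tree; it reports only blocks that look like secrets, since `<wicket:remove>` is also used legitimately for design-time mockup markup.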
