+1 upgrading v6 -> v7 -> v8 -> v9 is the way to go. FWIW our experience has been similar— upgrades take a day, or a couple days at most.
Thanks,
Matt Pavlovich

> On Aug 11, 2022, at 9:09 AM, Chris Colman
> <chr...@stepaheadsoftware.com.INVALID> wrote:
>
> Hi Daniel,
>
> On 11/08/2022 7:45 pm, Daniel Stoch wrote:
>> We have a plan to upgrade (at last ;))
> Yeehah!
>> Wicket to a newer version (9.x), but
>> it is not quite easy for a big application
> Our app has 1034 Wicket UI classes - that's just pure Wicket UI classes -
> don't ask about the number of classes in the business layer/domain model ;)
>> and unfortunately we have to
>> patch Wicket code by ourselves to fix issues described in WICKET-5588
>> (including JavaScript: if this code has many changes between 6.x and 9.x
>> it can be quite hard to do it).
>> It would be much easier to upgrade if this problem was fixed in the
>> standard version of Wicket.
>
> I think jumping from 6 -> 9 directly might be a bit too adventurous - you
> have to consider all framework changes across 7, 8 and 9.
>
> That's why we decided to migrate one step at a time: "single stepping" from
> 6->7 (done) then 7->8 then 8->9.
>
> The good thing about 6->7->8 is that you can stick with Java 8 and so not
> have to be concerned with any issues that changing your Java version may
> bring (assuming you're currently using 1.8)
>
>>
>> --
>> Best regards,
>> Daniel Stoch
>>
>>
>>
>> Thu, 11 Aug 2022 at 10:06 Martin Grigorov <mgrigo...@apache.org> wrote:
>>
>>> Hi,
>>>
>>> Wicket 6.x is no more supported.
>>> Wicket 7.x is the current security maintenance branch.
>>>
>>> Your options are:
>>> - patch locally
>>> - upgrade to a newer version
>>>
>>> On Wed, Aug 10, 2022 at 6:17 PM Daniel Stoch <daniel.st...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Is there any JIRA issue for this? I tried to find but none issue in Wicket
>>>> JIRA points directly to CVE-2020-11976.
>>>> One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is
>>>> already fixed also for Wicket 6.31.0, can you release this version?
>>>>
>>>> --
>>>> Best regards,
>>>> Daniel Stoch
>>>>
>>>>
>>>> Mon, 10 Aug 2020 at 18:23 <svenme...@apache.org> wrote:
>>>>
>>>>> Severity: Important
>>>>>
>>>>> Vendor:
>>>>> The Apache Software Foundation
>>>>>
>>>>> Versions Affected:
>>>>> Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
>>>>>
>>>>> Description:
>>>>>
>>>>> By crafting a special URL it is possible to make Wicket deliver
>>>>> unprocessed HTML templates.
>>>>> This would allow an attacker to see possibly sensitive information
>>>>> inside a HTML template that is usually removed during rendering.
>>>>> For example if there are credentials in the markup which are never
>>>>> supposed to be visible to the client:
>>>>>
>>>>> <wicket:remove>
>>>>> some secret
>>>>> </wicket:remove>
>>>>>
>>>>> The application developers are recommended to upgrade to:
>>>>> - Apache Wicket 7.17.0
>>>>> <http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
>>>>> - Apache Wicket 8.9.0
>>>>> <http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
>>>>> - Apache Wicket 9.0.0
>>>>> <http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
>>>>>
>>>>> Credit:
>>>>> The vulnerability has been found and reported by Mariusz Popławski from
>>>>> Afine.
>>>>>
>>>>> Apache Wicket Team
>>>>>
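
Added example, not part of the thread and not Wicket project code: the quoted advisory's risk is that template text normally stripped at render time, such as `<wicket:remove>` bodies, can reach the client, so it is worth auditing what those blocks contain while an upgrade is pending. The keyword list, function names and sample template below are constructed assumptions.

```python
import re
from pathlib import Path

# Matches <wicket:remove> ... </wicket:remove>, including multi-line bodies.
REMOVE_BLOCK = re.compile(
    r"<wicket:remove\s*>(.*?)</wicket:remove\s*>", re.DOTALL | re.IGNORECASE)
# Heuristic keyword list (an assumption; tune it for your code base).
SENSITIVE = re.compile(
    r"password|passwd|secret|token|api[_-]?key|credential", re.IGNORECASE)


def audit_template(markup, name="<inline>"):
    """Return one finding per non-empty <wicket:remove> block in markup."""
    findings = []
    for m in REMOVE_BLOCK.finditer(markup):
        body = m.group(1).strip()
        if not body:
            continue  # empty block: nothing to leak
        findings.append({
            "file": name,
            "line": markup.count("\n", 0, m.start()) + 1,
            "sensitive": bool(SENSITIVE.search(body)),
            "preview": " ".join(body.split())[:60],
        })
    return findings


def audit_tree(root):
    """Audit every *.html template found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.html")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings += audit_template(text, str(path))
    return findings


# Constructed sample template, modelled on the advisory's own snippet.
SAMPLE = """<html xmlns:wicket="http://wicket.apache.org">
<body>
  <span wicket:id="greeting">placeholder</span>
  <wicket:remove>
    some secret
  </wicket:remove>
  <wicket:remove>
    <p>Lorem ipsum mock-up row</p>
  </wicket:remove>
  <wicket:remove></wicket:remove>
</body>
</html>
"""

if __name__ == "__main__":
    for f in audit_template(SAMPLE, "SamplePage.html"):
        tag = "REVIEW" if f["sensitive"] else "info"
        print(f"{f['file']}:{f['line']}: [{tag}] {f['preview']}")
```

Findings marked REVIEW are candidates for moving the content out of markup entirely; the others are mock-up text that would still be exposed on an unpatched version.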