On Monday, November 12, 2012 2:44:17 PM UTC+1, l.denardo wrote:
>
> I read in the 2.5 release notes here: 
> https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current
>
> "Security vulnerability from 2.4 to 2.5 Final 
>
> The GWT team recently learned that the Security vulnerability discovered 
> in the 2.4 Beta and Release Candidate releases was only partially fixed in 
> the 2.4 GA release. A more complete fix was added to the 2.5 GA release. If 
> you have an app that's been built with GWT 2.4 or one of the 2.5 RCs, then 
> you'll need to get the latest 2.5 release, recompile your app, and 
> redeploy."
>
> I can't find any recent announcement of a security vulnerability or 
> related posts in the group. Is there some information around about what 
> this issue is?
>
It's always delicate to disclose the details of security issues when you 
know that some people (including high-traffic apps) still use the 
vulnerable version.
However, a "git log --grep security" gives 
http://code.google.com/p/google-web-toolkit/source/detail?r=10458, and 
there indeed are other changes to these 2 files between 2.4 and 2.5.
Only people with the GWT DevMode plugin installed are at risk of XSSI here. 
An example of what was *fixed* in 2.4: 
 

> Having some applications in production with 2.4 we want to decide whether 
> to wait for the Eclipse update or not.
>
What does Eclipse have to do with GWT?!
