Thanks Thomas, I meant Eclipse Plugin (we develop and compile using Eclipse and update GWT version with the plugin - managing update by hand led to some trouble with out-of-date jars found in some builds).
The real problem is not the plugin availability (just updated) but the couple of days to go through compiling and deploying all apps, so we wanted to know which ones to recompile first *and* if the vulnerability depended on some features of GWT not used in our applications - so we can skip the upgrade for them.

I appreciate the caution of the team, still believe that knowing exactly what is vulnerable helps everyone schedule a faster update if it's really needed.

Thanks for your collaboration.

Regards
Lorenzo

On Monday, November 12, 2012 5:45:25 PM UTC+1, Thomas Broyer wrote:
> On Monday, November 12, 2012 2:44:17 PM UTC+1, l.denardo wrote:
>> I read in the 2.5 release notes here:
>> https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current
>>
>> "Security vulnerability from 2.4 to 2.5 Final
>>
>> The GWT team recently learned that the Security vulnerability discovered
>> in the 2.4 Beta and Release Candidate releases was only partially fixed in
>> the 2.4 GA release. A more complete fix was added to the 2.5 GA release. If
>> you have an app that's been built with GWT 2.4 or one of the 2.5 RCs, then
>> you'll need to get the latest 2.5 release, recompile your app, and
>> redeploy."
>>
>> I can't find any recent announcement of a security vulnerability or
>> related posts in the group. Is there some information around about what
>> this issue is?
>
> It's always delicate to disclose the details of security issues when you
> know that some people (including high-traffic apps) still use the
> vulnerable version.
> However a "git log --grep security" gives
> http://code.google.com/p/google-web-toolkit/source/detail?r=10458, and
> there indeed are other changes to these 2 files between 2.4 and 2.5.
> Only people with the GWT DevMode plugin installed are at risk of XSSI
> here. An example of what was *fixed* in 2.4:
>
>> Having some applications in production with 2.4 we want to decide whether
>> to wait for the Eclipse update or not.
>
> What does Eclipse have to do with GWT?!