Hi,
but it is released. See here:
https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17
kind regards
Tobias
On 03.01.17 at 21:25, durairaj t wrote:
I can see the Wicket 1.5.16 but not 1.5.17 in
"https://wicket.apache.org/start/wicket-1.5.x.html#download".
On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:
CVE-2016-6793: Apache Wicket deserialization vulnerability
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: Apache Wicket 6.x and 1.5.x
Description: Depending on the ISerializer set in the Wicket application,
it's possible that a Wicket object deserialized from an untrusted source
and utilized by the application causes the code to enter an
infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
Kryo, allows an attacker to hack its serialized form to put a client in an
infinite loop if the client attempts to write on the
DeferredFileOutputStream attribute.
Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
Credit: This issue was discovered by Jacob Baines, Tenable Network
Security and Pedro Santos
References: https://wicket.apache.org/news