Thank you!

On Tue, Jan 3, 2017 at 4:11 PM, Tobias Soloschenko <tobiassolosche...@googlemail.com> wrote:

> Hi,
>
> but it is released. See here:
> https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17
>
> kind regards
>
> Tobias
>
> On 03.01.17 at 21:25, durairaj t wrote:
>
>> I can see the Wicket 1.5.16 but not 1.5.17 in
>> "https://wicket.apache.org/start/wicket-1.5.x.html#download".
>>
>>
>>
>> On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:
>>
>>> CVE-2016-6793: Apache Wicket deserialization vulnerability
>>>
>>> Severity: Low
>>>
>>> Vendor: The Apache Software Foundation
>>>
>>> Versions Affected: Apache Wicket 6.x and 1.5.x
>>>
>>> Description: Depending on the ISerializer set in the Wicket application,
>>> it's possible that a Wicket object deserialized from an untrusted source
>>> and utilized by the application causes the code to enter an
>>> infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
>>> Kryo, allows an attacker to hack its serialized form to put a client in an
>>> infinite loop if the client attempts to write on the
>>> DeferredFileOutputStream attribute.
>>>
>>> Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
>>>
>>> Credit: This issue was discovered by Jacob Baines, Tenable Network
>>> Security and Pedro Santos
>>>
>>> References: https://wicket.apache.org/news
>>>
>>>
>

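Added example, not part of the thread and not Apache Wicket code: a check of a Maven pom.xml for org.apache.wicket dependencies that still sit below the releases named in the advisory's Mitigation line (1.5.17 and 6.25.0). The function names and the sample pom.xml are constructed for illustration; reading "affected" as "1.5.x below 1.5.17 or 6.x below 6.25.0" is an assumption drawn from the advisory's Versions Affected and Mitigation lines.

```python
import re
import xml.etree.ElementTree as ET

# Fixed release per affected branch, taken from the advisory's Mitigation line.
FIXED = {(1, 5): (1, 5, 17), (6,): (6, 25, 0)}

# Constructed sample pom.xml (not from the thread).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><wicket.version>6.24.0</wicket.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.wicket</groupId>
      <artifactId>wicket-core</artifactId><version>${wicket.version}</version></dependency>
    <dependency><groupId>org.apache.wicket</groupId>
      <artifactId>wicket-extensions</artifactId><version>1.5.17</version></dependency>
    <dependency><groupId>org.apache.wicket</groupId>
      <artifactId>wicket-util</artifactId><version>1.5.16</version></dependency>
    <dependency><groupId>junit</groupId>
      <artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>"""

def classify(version):
    """Return 'affected', 'fixed', 'not-covered' or 'unknown' for a version string."""
    # Ignore qualifiers such as -RC5.1 or -SNAPSHOT; compare the numeric part only.
    nums = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))[:3]
    if not nums:
        return "unknown"  # e.g. a property reference that could not be resolved
    nums += (0,) * (3 - len(nums))
    for branch, fixed in FIXED.items():
        if nums[:len(branch)] == branch:
            return "affected" if nums < fixed else "fixed"
    return "not-covered"  # branch not named in the advisory

def scan_pom(pom_text):
    """Return (artifactId, resolved version, status) for each org.apache.wicket dependency."""
    root = ET.fromstring(pom_text)
    strip = lambda tag: tag.split("}")[-1]  # drop the XML namespace prefix
    props = {strip(p.tag): (p.text or "").strip()
             for el in root.iter() if strip(el.tag) == "properties" for p in el}
    results = []
    for dep in root.iter():
        if strip(dep.tag) != "dependency":
            continue
        f = {strip(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.wicket" or "version" not in f:
            continue
        # Resolve ${property} references declared in this pom's <properties>.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), f["version"])
        results.append((f["artifactId"], ver, classify(ver)))
    return results
```

Versions inherited from a parent pom or a dependencyManagement section in another file are not resolved here and need to be checked against the effective pom.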