It's under release vote. It should get done in a few days.

On Wed, Jan 29, 2025 at 4:29 PM Mihir Chhaya <mihir.chh...@gmail.com> wrote:

> Thank you, Pedro for this.
>
> Question (for Apache Wicket Team): Could you please share the timeline for
> the 8.17 security fix release?
>
> Thank you once again,
> -Mihir
>
> On Mon, Jan 27, 2025 at 10:45 AM Pedro Santos <pedros...@gmail.com> wrote:
>
> > Hi, I applied the fix to the wicket-8.x branch and updated the tickets:
> >
> > https://issues.apache.org/jira/browse/WICKET-7024
> > https://issues.apache.org/jira/browse/WICKET-7137
> >
> > Should be available in the next 8.x version.
> >
> > Pedro Santos
> >
> >
> > On Fri, Jan 24, 2025 at 2:07 PM Mihir Chhaya <mihir.chh...@gmail.com>
> > wrote:
> >
> > > Same here - we have multiple projects developed with Wicket 7 and 8 and it
> > > would be long before all the projects could be migrated to JDK 11+ and
> > > Apache Wicket 9.x.
> > > It would be truly helpful if the Wicket Team could help with a security
> > > fix.
> > >
> > > Thank you,
> > > -Mihir.
> > >
> > > On Fri, Jan 24, 2025 at 11:43 AM Jonathan Babie <jba...@osc.ny.gov.invalid>
> > > wrote:
> > >
> > > > Hello,
> > > >
> > > > I was just looking to see if there are plans to address this in Wicket 8.x
> > > > since it's still in security fixes only status. Any information would be
> > > > greatly appreciated and thank you again.
> > > >
> > > > Thank you,
> > > >
> > > > Jonathan Babie
> > > >
> > > > Information Technology Specialist IV
> > > >
> > > > Java Applications Unit | CIO | OSC
> > > >
> > > > Work: (838) 910-4274
> > > >
> > > > Personal: (518) 331-8758
> > > >
> > > > ________________________________
> > > > From: Pedro Santos <pe...@apache.org>
> > > > Sent: Thursday, January 23, 2025 10:21 AM
> > > > To: users@wicket.apache.org <users@wicket.apache.org>;
> > > > d...@wicket.apache.org <d...@wicket.apache.org>
> > > > Subject: CVE-2024-53299: Apache Wicket: An attacker can intentionally
> > > > trigger a memory leak
> > > >
> > > > Severity: critical
> > > >
> > > > Affected versions:
> > > >
> > > > - Apache Wicket 7.0.0 through 7.18.*
> > > > - Apache Wicket 8.0.0-M1 through 8.16.*
> > > > - Apache Wicket 9.0.0-M1 through 9.18.*
> > > > - Apache Wicket 10.0.0-M1 through 10.2.*
> > > >
> > > > Description:
> > > >
> > > > The request handling in the core in Apache Wicket 7.0.0 on any platform
> > > > allows an attacker to create a DOS via multiple requests to server
> > > > resources.
> > > > Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes
> > > > this issue.
> > > >
> > > > Credit: (finder)
> > > >
> > > > References:
> > > >
> > > > https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5
> > > > https://wicket.apache.org/
> > > > https://www.cve.org/CVERecord?id=CVE-2024-53299
> > > > Notice: This communication, including any attachments, is intended solely
> > > > for the use of the individual or entity to which it is addressed. This
> > > > communication may contain information that is protected from disclosure
> > > > under State and/or Federal law. Please notify the sender immediately if you
> > > > have received this communication in error and delete this email from your
> > > > system. If you are not the intended recipient, you are requested not to
> > > > disclose, copy, distribute or take any action in reliance on the contents
> > > > of this information.
> > > >
> > >
> >

--
Andrea Del Bene.
Apache Wicket committer.