Both 8.18.0 and 9.23.0 are under vote, so they should be ready later on this week.

On Mon, May 11, 2026 at 5:35 PM Mihir Chhaya <[email protected]> wrote:
>
> Good morning,
>
> Could you please suggest when the 8.17 security fix will be available for
> the recent vulnerability?
>
> Thank you,
> -Mihir
>
> On Fri, May 8, 2026, 6:44 AM Eric Hamel <[email protected]> wrote:
>
> > Thank you for the new release.
> >
> > Should we expect a wicketstuff 10.9 soon ?
> >
> >
> > ——————-
> > Eric Hamel
> > Solutions Architect / Senior Project Manager
> > AlbanyITG
> > P. 518-698-4503
> >
> > > On May 6, 2026, at 11:22 AM, Mihir Chhaya <[email protected]> wrote:
> > >
> > > Thank you, Apache Wicket team for having the fixed version in 10.x
> > > available soon.
> > >
> > > Could you please share possible release schedule with fix for the 8.x and
> > > 9.x branches?
> > >
> > > Thank you,
> > > -Mihir
> > >
> > >> On Tue, May 5, 2026, 4:42 AM Andrea Del Bene <[email protected]> wrote:
> > >>
> > >> The Apache Wicket PMC is proud to announce Apache Wicket 10.9.0!
> > >>
> > >> Apache Wicket is an open source Java component oriented web application
> > >> framework that powers thousands of web applications and web sites for
> > >> governments, stores, universities, cities, banks, email providers, and
> > >> more. You can find more about Apache Wicket at https://wicket.apache.org
> > >>
> > >> This release marks another minor release of Wicket 10. We
> > >> use semantic versioning for the development of Wicket, and as such no
> > >> API breaks are present in this release compared to 10.0.0.
> > >>
> > >> New and noteworthy
> > >> ------------------
> > >>
> > >> This release fixes the following security issue:
> > >>
> > >> * CVE-2026-43646 crafted URLs can bypass PackageResourceGuard
> > >> * CVE-2026-42509 crafted strings can break out of the JavaScript sequence
> > >> * CVE-2026-40010 possible session fixation using AuthenticatedWebSession
> > >> * CVE-2026-43975 Possible malicious path traversal in FolderUploadsFileManager
> > >>
> > >>
> > >> Using this release
> > >> ------------------
> > >>
> > >> With Apache Maven update your dependency to (and don't forget to
> > >> update any other dependencies on Wicket projects to the same version):
> > >>
> > >> <dependency>
> > >>     <groupId>org.apache.wicket</groupId>
> > >>     <artifactId>wicket-core</artifactId>
> > >>     <version>10.9.0</version>
> > >> </dependency>
> > >>
> > >> Or download and build the distribution yourself, or use our
> > >> convenience binary package you can find here:
> > >>
> > >> * Download: http://wicket.apache.org/start/wicket-10.x.html#manually
> > >>
> > >> Upgrading from earlier versions
> > >> -------------------------------
> > >>
> > >> If you upgrade from 10.y.z this release is a drop in replacement. If
> > >> you come from a version prior to 10.0.0, please read our Wicket 10
> > >> migration guide found at
> > >>
> > >> * http://s.apache.org/wicket10migrate
> > >>
> > >> Have fun!
> > >>
> > >> — The Wicket team
> > >>
> > >>
> > >> ========================================================================
> > >>
> > >> CHANGELOG for 10.9.0:
> > >>
> > >> ** Bug
> > >>
> > >> * [WICKET-7174] - DefaultSecureRandomSupplier does not work for FIPS
> > >>
> > >> ** New Feature
> > >>
> > >> * [WICKET-7169] - Make partHeaderSizeMax in AbstractFileUpload configurable
> > >>
> > >> ** Improvement
> > >>
> > >> * [WICKET-7172] - Support new CSP style, script directives
> > >> * [WICKET-7179] - add support for jQuery 4.0.0
> > >>
> > >>
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: [email protected]
> > >> For additional commands, e-mail: [email protected]

--
Andrea Del Bene.
Apache Wicket committer.
