Author: mgrigorov
Date: Mon Sep 22 07:27:26 2014
New Revision: 1626678
URL: http://svn.apache.org/r1626678
Log:
Add announcement for CVE 2014-3526
Added:
wicket/common/site/trunk/_posts/2014-09-22-cve-2014-3526.md
- copied unchanged from r1626677,
wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md
wicket/common/site/trunk/_site/2014/09/22/
wicket/common/site/trunk/_site/2014/09/22/cve-2014-3526.html
Removed:
wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md
Modified:
wicket/common/site/trunk/_site/2014/09/15/wicket-1.5.12-released.html
wicket/common/site/trunk/_site/atom.xml
wicket/common/site/trunk/_site/index.html
Modified: wicket/common/site/trunk/_site/2014/09/15/wicket-1.5.12-released.html
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2014/09/15/wicket-1.5.12-released.html?rev=1626678&r1=1626677&r2=1626678&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/2014/09/15/wicket-1.5.12-released.html
(original)
+++ wicket/common/site/trunk/_site/2014/09/15/wicket-1.5.12-released.html Mon
Sep 22 07:27:26 2014
@@ -95,7 +95,7 @@
<a
href="http://www.apache.org/dyn/closer.cgi/wicket/6.17.0">Wicket 6.17</a>
</li>
<li>
- <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.12">Wicket 1.5</a>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.11">Wicket 1.5</a>
</li>
<li>
<a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
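Review bot: the "Wicket 1.5" entry in the Releases navigation moves from closer.cgi/wicket/1.5.12 back to closer.cgi/wicket/1.5.11, on the page that announces 1.5.12, and 1.5.11 is the version the advisory added in this same revision lists as affected. This looks like a regeneration with a stale release value rather than an intended edit. Keep the link on 1.5.12, and since the file lives under _site, correct the value in the site source and rebuild instead of patching the generated page.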
Added: wicket/common/site/trunk/_site/2014/09/22/cve-2014-3526.html
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2014/09/22/cve-2014-3526.html?rev=1626678&view=auto
==============================================================================
--- wicket/common/site/trunk/_site/2014/09/22/cve-2014-3526.html (added)
+++ wicket/common/site/trunk/_site/2014/09/22/cve-2014-3526.html Mon Sep 22
07:27:26 2014
@@ -0,0 +1,225 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Apache Wicket - CVE-2014-3526 - Apache Wicket Information
disclosure vulnerability</title>
+
+ <link rel="stylesheet" href="/css/screen.css" type="text/css"
media="screen" />
+
+ <!--[if lt ie 7]>
+ <link rel="stylesheet" href="/css/ie.css" type="text/css"
media="screen" />
+ <![endif]-->
+ <link rel="shortcut icon" href="/favicon.ico"
type="image/vnd.microsoft.icon" />
+ <link rel="alternate" type="application/atom+xml" href="/atom.xml" />
+ <meta http-equiv="content-type" content="text/html;charset=utf-8" />
+</head>
+<body>
+<div id="container">
+ <div id="content">
+ <div id="header"><a href="/"><h1 id="logo"><span>Apache
Wicket</span></h1></a></div>
+ <div id="navigation">
+ <h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
+ <ul>
+ <li>
+ <a href="/" title="Index">Home</a>
+ </li>
+ <li>
+ <a href="/meet/introduction.html"
title="Introduction">Introduction</a>
+ </li>
+ <li>
+ <a href="/meet/features.html"
title="Features">Features</a>
+ </li>
+ <li>
+ <a href="/meet/buzz.html" title="Buzz">Buzz</a>
+ </li>
+ <li>
+ <a href="/meet/vision.html" title="Vision">Vision</a>
+ </li>
+ <li>
+ <a href="/meet/blogs.html" title="Blogs">Blogs</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-GettingStarted"
id="Navigation-GettingStarted"></a>Get Started
+ </h5>
+ <ul>
+ <li>
+ <a href="/start/download.html" title="Download
Wicket">Download Wicket</a>
+ </li>
+ <li>
+ <a href="/start/quickstart.html" title="Getting started
via a Maven Archetype">Quickstart</a>
+ </li>
+ <li>
+ <a href="http://www.jweekend.com/dev/LegUp"
rel="nofollow">More archetypes</a>
+ </li>
+ <li>
+ <a href="/help" title="Get help">Get help</a>
+ </li>
+ <li>
+ <a href="/help/email.html" title="Wicket Mailing
Lists">Mailing Lists</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Documentation"
id="Navigation-Documentation"></a>Learn
+ </h5>
+ <ul>
+ <li>
+ <a href="/start/userguide.html" title="User Guide">User
Guide</a>
+ </li>
+ <li>
+ <a href="/learn/examples" title="Examples">Examples</a>
+ </li>
+ <li>
+ <a
href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
+ </li>
+ <li>
+ <a href="/learn/projects/" title="Projects extending
basic Wicket">Projects</a>
+ </li>
+ <li>
+ <a
href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
+ </li>
+ <li>
+ <a
href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference
guide</a>
+ </li>
+ <li>
+ <a href="/learn/books" title="Books">Books</a>
+ </li>
+ <li>
+ <a href="/learn/ides.html" title="IDEs">IDEs</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Releases"
id="Navigation-Releases"></a>Releases
+ </h5>
+ <ul>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/6.17.0">Wicket 6.17</a>
+ </li>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.11">Wicket 1.5</a>
+ </li>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
+ </li>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.2"
class="external-link" rel="nofollow">Wicket 1.2</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.1"
class="external-link" rel="nofollow">Wicket 1.1</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.0"
class="external-link" rel="nofollow">Wicket 1.0</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
+ </h5>
+ <ul>
+ <li>
+ <a
href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of
Apache Wicket 6.x">Wicket 6.x</a>
+ </li>
+ <li>
+ <a
href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of
Apache Wicket 1.5.x">Wicket 1.5</a>
+ </li>
+ <li>
+ <a
href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of
Apache Wicket 1.4.x">Wicket 1.4</a>
+ </li>
+ <li>
+ <a
href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of
Apache Wicket 1.3.x">Wicket 1.3</a>
+ </li>
+ </ul>
+ <h5>Wicket 7.x</h5>
+ <ul>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M3">Download M3</a>
+ </li>
+ <li>
+ <a
href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration
guide</a>
+ </li>
+ <li>
+ <a
href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of
Apache Wicket 7.x">API Docs 7.x</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Developers"
id="Navigation-Developers"></a>Contribute
+ </h5>
+ <ul>
+ <li>
+ <a href="/contribute/write.html" title="Writing
documentation">Writing docs</a>
+ </li>
+ <li>
+ <a href="/contribute/build.html" title="Building from
SVN">Build Wicket</a>
+ </li>
+ <li>
+ <a href="/contribute/patch.html" title="Provide a
patch">Provide a patch</a>
+ </li>
+ <li>
+ <a href="/contribute/release.html" title="Release
Wicket">Release Wicket</a>
+ </li>
+ <li>
+ <a
href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview"
class="external-link" rel="nofollow">Fisheye</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
+ </h5>
+ <ul>
+ <li>
+ <a href="http://www.apache.org/" class="external-link"
rel="nofollow">Apache</a>
+ </li>
+ <li>
+ <a href="http://www.apache.org/licenses/"
class="external-link" rel="nofollow">License</a>
+ </li>
+ <li>
+ <a
href="http://www.apache.org/foundation/sponsorship.html" class="external-link"
rel="nofollow">Sponsorship</a>
+ </li>
+ <li>
+ <a href="http://apache.org/foundation/thanks.html"
class="external-link" rel="nofollow">Thanks</a>
+ </li>
+ <li>
+ <a href="/apache/friends.html" title="Apache projects
using Wicket">Friends</a>
+ </li>
+ </ul>
+</div>
+
+ <div id="contentbody">
+ <h1>CVE-2014-3526 - Apache Wicket Information
disclosure vulnerability</h1>
+ <p>Severity: Important</p>
+
+<p>Vendor:
+The Apache Software Foundation</p>
+
+<p>Versions Affected:
+Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2</p>
+
+<p>Description:</p>
+
+<p>When rendering a web page Wicket checks the request url against the one at
the render time. It is possible the application to change the page parameters
(this includes both the query parameters and parameters encoded into the
request path). When the requested url differs with the one at the rendering
time Wicket stores the response (i.e. the page markup) at the server side and
issues an HTTP redirect to the new url. When the second request comes Wicket
just flushes the stored response from the first request into the http output
stream. This way the browser address bar shows the updated page parameters.
+When storing the page markup at the server side Wicket uses as an identifier a
pair of the current session id plus the new url. However, Wicket does not check
if user session is temporary (i.e. sessionId is null).
+This could lead to a security issue if two or more users with a temporary
session are redirected to the same url at the same time. Then user1 might see
the markup for user2 which has overridden the markup for user1 while user1 was
following the HTTP redirect. In this way user-sensitive informations can be
seen by other users.</p>
+
+<p>The application developers are recommended to upgrade to:
+- <a href="/2014/09/15/wicket-1.5.12-released.html">Apache Wicket 1.5.12</a>
+- <a href="/2014/08/24/wicket-6.17.0-released.html">Apache Wicket 6.17.0</a>
+- <a href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache Wicket
7.0.0-M3</a></p>
+
+<p>Credit:
+This issue was reported by Andrea Del Bene and Martin Grigorov!</p>
+
+<p>Apache Wicket Team</p>
+
+ </div>
+ <div id="clearer"></div>
+ <div id="footer"><span>
+Copyright © 2014 — The Apache Software Foundation. Apache Wicket,
+Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
+are trademarks of The Apache Software Foundation. All other marks mentioned
+may be trademarks or registered trademarks of their respective owners.
+</span></div>
+
+ </div>
+</div>
+</body>
+</html>
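Review bot: in the Releases block of the sidebar, "Wicket 1.5" links to closer.cgi/wicket/1.5.11, while the body of this same page names 1.5.11 under "Versions Affected" and recommends 1.5.12. A reader who follows the sidebar from the advisory is sent to the vulnerable release, so the link should point at 1.5.12. In the body, "Versions Affected" names three single versions; state explicitly whether earlier releases on each branch are affected as well, so operators on 1.5.10 or 6.15.0 know where they stand. Minor: "user-sensitive informations" should read "user-sensitive information".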
Modified: wicket/common/site/trunk/_site/atom.xml
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/atom.xml?rev=1626678&r1=1626677&r2=1626678&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/atom.xml (original)
+++ wicket/common/site/trunk/_site/atom.xml Mon Sep 22 07:27:26 2014
@@ -4,7 +4,7 @@
<title>Apache Wicket</title>
<link href="http://wicket.apache.org/atom.xml" rel="self"/>
<link href="http://wicket.apache.org/"/>
- <updated>2014-09-05T17:12:16+02:00</updated>
+ <updated>2014-09-22T09:26:18+02:00</updated>
<id>http://wicket.apache.org/</id>
<author>
<name>Apache Wicket</name>
@@ -13,6 +13,62 @@
<entry>
+ <title>CVE-2014-3526 - Apache Wicket Information disclosure
vulnerability</title>
+ <link href="http://wicket.apache.org/2014/09/22/cve-2014-3526.html"/>
+ <updated>2014-09-22T00:00:00+02:00</updated>
+ <id>http://wicket.apache.org/2014/09/22/cve-2014-3526</id>
+ <content type="html"><p>Severity: Important</p>
+
+<p>Vendor:
+The Apache Software Foundation</p>
+
+<p>Versions Affected:
+Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2</p>
+
+<p>Description:</p>
+
+<p>When rendering a web page Wicket checks the request url against the
one at the render time. It is possible the application to change the page
parameters (this includes both the query parameters and parameters encoded into
the request path). When the requested url differs with the one at the rendering
time Wicket stores the response (i.e. the page markup) at the server side and
issues an HTTP redirect to the new url. When the second request comes Wicket
just flushes the stored response from the first request into the http output
stream. This way the browser address bar shows the updated page parameters.
+When storing the page markup at the server side Wicket uses as an identifier a
pair of the current session id plus the new url. However, Wicket does not check
if user session is temporary (i.e. sessionId is null).
+This could lead to a security issue if two or more users with a temporary
session are redirected to the same url at the same time. Then user1 might see
the markup for user2 which has overridden the markup for user1 while user1 was
following the HTTP redirect. In this way user-sensitive informations can be
seen by other users.</p>
+
+<p>The application developers are recommended to upgrade to:
+- <a href="/2014/09/15/wicket-1.5.12-released.html">Apache
Wicket 1.5.12</a>
+- <a href="/2014/08/24/wicket-6.17.0-released.html">Apache
Wicket 6.17.0</a>
+- <a href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache
Wicket 7.0.0-M3</a></p>
+
+<p>Credit:
+This issue was reported by Andrea Del Bene and Martin Grigorov!</p>
+
+<p>Apache Wicket Team</p>
+</content>
+ </entry>
+
+ <entry>
+ <title>Wicket 1.5.12 released</title>
+ <link
href="http://wicket.apache.org/2014/09/15/wicket-1.5.12-released.html"/>
+ <updated>2014-09-15T00:00:00+02:00</updated>
+ <id>http://wicket.apache.org/2014/09/15/wicket-1.5.12-released</id>
+ <content type="html"><p>This is the twelfth maintenance release of
the Wicket 1.5.x series. This release brings over 5 bug fixes and
improvements.</p>
+
+<ul>
+ <li><a
href="https://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=shortlog;h=refs/tags/wicket-1.5.12">Git
tag</a></li>
+ <li><a
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&amp;version=12326154">Changelog</a></li>
+ <li>To use in Maven:</li>
+</ul>
+
+<div class="highlight"><pre><code
class="language-xml" data-lang="xml"><span
class="nt">&lt;dependency&gt;</span>
+ <span
class="nt">&lt;groupId&gt;</span>org.apache.wicket<span
class="nt">&lt;/groupId&gt;</span>
+ <span
class="nt">&lt;artifactId&gt;</span>wicket-core<span
class="nt">&lt;/artifactId&gt;</span>
+ <span
class="nt">&lt;version&gt;</span>1.5.12<span
class="nt">&lt;/version&gt;</span>
+<span
class="nt">&lt;/dependency&gt;</span></code></pre></div>
+
+<ul>
+ <li>Download the <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.12">full
distribution</a> (including sources)</li>
+</ul>
+</content>
+ </entry>
+
+ <entry>
<title>Apache Wicket 6.17.0 released</title>
<link
href="http://wicket.apache.org/2014/08/24/wicket-6.17.0-released.html"/>
<updated>2014-08-24T00:00:00+02:00</updated>
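Review bot: the upgrade links inside the new CVE entry's content are site-relative (href="/2014/09/15/wicket-1.5.12-released.html" and the two that follow), while the entry's own link element uses the absolute http://wicket.apache.org/ form. Feed readers and aggregators that display the content away from the site may not resolve them, which leaves subscribers to a security advisory without working links to the fixed releases. Use absolute URLs in the post body, or give the feed content an xml:base.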
@@ -703,54 +759,4 @@ migration guide found at</p>
</content>
</entry>
- <entry>
- <title>Wicket 1.5.11 released</title>
- <link
href="http://wicket.apache.org/2014/02/06/wicket-1.5.11-released.html"/>
- <updated>2014-02-06T00:00:00+01:00</updated>
- <id>http://wicket.apache.org/2014/02/06/wicket-1.5.11-released</id>
- <content type="html"><p>This is the eleventh maintenance release of
the Wicket 1.5.x series. This release brings over 34 bug fixes and
improvements.</p>
-
-<ul>
- <li><a
href="https://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=shortlog;h=refs/tags/wicket-1.5.11">Git
tag</a></li>
- <li><a
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&amp;version=12324069">Changelog</a></li>
- <li>To use in Maven:</li>
-</ul>
-
-<div class="highlight"><pre><code
class="language-xml" data-lang="xml"><span
class="nt">&lt;dependency&gt;</span>
- <span
class="nt">&lt;groupId&gt;</span>org.apache.wicket<span
class="nt">&lt;/groupId&gt;</span>
- <span
class="nt">&lt;artifactId&gt;</span>wicket-core<span
class="nt">&lt;/artifactId&gt;</span>
- <span
class="nt">&lt;version&gt;</span>1.5.11<span
class="nt">&lt;/version&gt;</span>
-<span
class="nt">&lt;/dependency&gt;</span></code></pre></div>
-
-<ul>
- <li>Download the <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.11">full
distribution</a> (including source)</li>
-</ul>
-</content>
- </entry>
-
- <entry>
- <title>Wicket 1.4.23 released</title>
- <link
href="http://wicket.apache.org/2014/02/06/wicket-1.4.23-released.html"/>
- <updated>2014-02-06T00:00:00+01:00</updated>
- <id>http://wicket.apache.org/2014/02/06/wicket-1.4.23-released</id>
- <content type="html"><p>This is twenty thirdth release of the Wicket
1.4.x series. This is a security bugfix release on the 1.4.x branch.
-Read <a
href="/2014/02/06/cve-2013-2055.html">CVE-2013-2055</a> for
more information.</p>
-
-<ul>
- <li><a
href="http://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=shortlog;h=refs/tags/wicket-1.4.23">Git
tag</a></li>
- <li>To use in Maven:</li>
-</ul>
-
-<div class="highlight"><pre><code
class="language-xml" data-lang="xml"><span
class="nt">&lt;dependency&gt;</span>
- <span
class="nt">&lt;groupId&gt;</span>org.apache.wicket<span
class="nt">&lt;/groupId&gt;</span>
- <span
class="nt">&lt;artifactId&gt;</span>wicket<span
class="nt">&lt;/artifactId&gt;</span>
- <span
class="nt">&lt;version&gt;</span>1.4.23<span
class="nt">&lt;/version&gt;</span>
-<span
class="nt">&lt;/dependency&gt;</span></code></pre></div>
-
-<ul>
- <li>Download the <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">full
distribution</a> (including source)</li>
-</ul>
-</content>
- </entry>
-
</feed>
Modified: wicket/common/site/trunk/_site/index.html
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/index.html?rev=1626678&r1=1626677&r2=1626678&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/index.html (original)
+++ wicket/common/site/trunk/_site/index.html Mon Sep 22 07:27:26 2014
@@ -205,200 +205,67 @@ reusable components written with plain J
<p>Wicket is released under the <a
href="http://www.apache.org/licenses/LICENSE-2.0.html">Apache License, Version
2.0</a>.</p>
-<h1 id="apache-wicket-6170-released20140824wicket-6170-releasedhtml"><a
href="/2014/08/24/wicket-6.17.0-released.html">Apache Wicket 6.17.0
released</a></h1>
-<p>The Apache Wicket PMC is proud to announce Apache Wicket 6.17.0!</p>
+<h1
id="cve-2014-3526---apache-wicket-information-disclosure-vulnerability20140922cve-2014-3526html"><a
href="/2014/09/22/cve-2014-3526.html">CVE-2014-3526 - Apache Wicket
Information disclosure vulnerability</a></h1>
+<p>Severity: Important</p>
-<p>This release marks the seventeenth minor release of Wicket 6. Starting
-with Wicket 6 we use semantic versioning for the future development of
-Wicket, and as such no API breaks are present in this release compared
-to 6.0.0.</p>
+<p>Vendor:
+The Apache Software Foundation</p>
-<h3 id="new-and-noteworthy">New and noteworthy</h3>
+<p>Versions Affected:
+Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2</p>
-<p>This release fixes 25 bugs and has 27 improvements some of which are:</p>
+<p>Description:</p>
-<ul>
- <li>Rename log4j.properties in the quickstart when creating a project for
WildFly</li>
- <li>Make is possible to position the choice label before/after/around the
choice</li>
- <li>StringResourceModel with custom locale </li>
- <li>Added an HeaderItem for meta data tags such as âmetaâ or canonical
link</li>
-</ul>
-
-<p>The full list of improvements and fixes can be found at the end of this
-announcement.</p>
-
-<h3 id="using-this-release">Using this release</h3>
-
-<p>With Apache Maven update your dependency to (and donât forget to
-update any other dependencies on Wicket projects to the same version):</p>
-
-<div class="highlight"><pre><code class="language-xml" data-lang="xml"><span
class="nt"><dependency></span>
- <span class="nt"><groupId></span>org.apache.wicket<span
class="nt"></groupId></span>
- <span class="nt"><artifactId></span>wicket-core<span
class="nt"></artifactId></span>
- <span class="nt"><version></span>6.17.0<span
class="nt"></version></span>
-<span class="nt"></dependency></span></code></pre></div>
-
-<p>Or download and build the distribution yourself, or use our
-convenience binary package</p>
-
-<ul>
- <li>Source: <a
href="http://www.apache.org/dyn/closer.cgi/wicket/6.17.0">http://www.apache.org/dyn/closer.cgi/wicket/6.17.0</a></li>
- <li>Binary: <a
href="http://www.apache.org/dyn/closer.cgi/wicket/6.17.0/binaries">http://www.apache.org/dyn/closer.cgi/wicket/6.17.0/binaries</a></li>
-</ul>
-
-<h3 id="upgrading-from-earlier-versions">Upgrading from earlier versions</h3>
-
-<p>If you upgrade from 6.y.z this release is a drop in replacement. If
-you come from a version prior to 6.0.0, please read our Wicket 6
-migration guide found at</p>
-
-<ul>
- <li><a
href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+6.0">Migration
to Wicket 6.0</a></li>
-</ul>
-
-<p>Have fun!</p>
-
-<p>â The Wicket team</p>
-
-<h3 id="release-notes---wicket---version-6170">Release Notes - Wicket -
Version 6.17.0</h3>
-
-<h4 id="sub-task">Sub-task</h4>
-<pre><code>* [WICKET-5633] - Make JavaScriptFilteredIntoFooterHeaderResponse
non-final to be able to create custom filters
-</code></pre>
-
-<h4 id="bug">Bug</h4>
-<pre><code>* [WICKET-5371] - IllegalArgumentException: Argument 'page' may not
be null. - when sending event from asynchronous process
-* [WICKET-5539] - Allow preserving of the parsed PageParameters when
re-creating an expired page
-* [WICKET-5564] - AjaxRequestTarget.focusComponent() does not work when two
Ajax responses arrive next to each other
-* [WICKET-5603] - OnChangeAjaxBehavior attached to DropDownChoice produces two
Ajax requests in Chrome v35
-* [WICKET-5607] - Wicket Ajax fires calls scheduled by
AbstractAjaxTimerBehavior even after unload of the page
-* [WICKET-5609] - AutoCompleteTextField can only complete text that is visible
on screen browser screen
-* [WICKET-5615] - UploadProgressBar does not show up if no FileUploadField is
given
-* [WICKET-5616] - CLONE - ModalWindow is not visible in Safari when opened
from a link at the bottom of a large page
-* [WICKET-5619] - ConcurrentModificationException may occur when calling
EventBus.post()
-* [WICKET-5624] - Do not throw when WebSocket is not supported
-* [WICKET-5626] - ConcatBundleResource#reportError() doesn't print the
resource attributes
-* [WICKET-5630] - Fix last button translation germany of wizard to 'Letzter'
-* [WICKET-5631] - Allow submitting with POST method for PhantomJS
-* [WICKET-5636] - Update StatelessForm's and AbstractRepeater's javadoc that
FormComponents should be repeated only with RepeatingView
-* [WICKET-5637] - Fix the encoding of the Chinese translations for Wizard
component
-* [WICKET-5639] - ResourceResponse does not write headers when status code is
set
-* [WICKET-5643] - WebPageRenderer should bind a Session if redirect is
required and the session is temporary.
-* [WICKET-5647] - missing generic cast causes compile error on OS X / jdk 8
-* [WICKET-5655] - Problem with setting of IComponentInheritedModel and
FLAG_INHERITABLE_MODEL
-* [WICKET-5656] - PropertyResolver does not scan for NotNull in annotation tree
-* [WICKET-5657] - wicket-autocomplete may fail after preceeding Ajax request
-* [WICKET-5662] - @SpringBean(name="something", required=false) still throws
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named
'something' is defined
-* [WICKET-5670] - org.apache.wicket.protocol.ws.api.registry.IKey should be
Serializable (IClusterable)
-* [WICKET-5679] - RenderStrategy REDIRECT_TO_RENDER lets fail test with
BaseWicketTester#startComponentInPage
-* [WICKET-5680] - AjaxEditableLabel keeps raw input after cancel following a
validation failure
-</code></pre>
-
-<h4 id="improvement">Improvement</h4>
-<pre><code>* [WICKET-4344] - Implement onValidateModelObjects() and
beforeUpdateFormComponentModels() for nested forms
-* [WICKET-4660] - Make it possible to notify about Atmosphere internal events
-* [WICKET-5452] - Make Wicket-Atmosphere testable - AtmosphereTester
-* [WICKET-5602] - DynamicImageResource should set the mime type after reading
the image data
-* [WICKET-5605] - Store browser capabilities in local variables in
wicket-event-jquery.js
-* [WICKET-5611] - Add AjaxChannel.DEFAULT constant = "0" and type "Queue"
-* [WICKET-5627] - broadcastMessage(): hook to set more thread-local context
before rendering components
-* [WICKET-5628] - Introduce a marker interface for exception which are
recommended to be handler by the framework
-* [WICKET-5629] - Add an HeaderItem for meta data tags such as <meta> or
canonical <link>
-* [WICKET-5634] - Add IObjectCheckers that fails the serialization when the
Session or another Page are serialized
-* [WICKET-5635] - Provide a way to modify
ResourceReferenceRegistry.DefaultResourceReferenceFactory externally to be used
by wicket-bootstrap-less
-* [WICKET-5642] - CheckingOutputObjectStream should filter duplicates by
identity, not by equality
-* [WICKET-5645] - Markup String of IMarkupResourceStreamProvider throws NPE
for inherited markup
-* [WICKET-5646] - Allow subclasses of ComponentStringResourceLoader to stop at
specific components
-* [WICKET-5648] - CookieUtils - multivalue related methods are broken due to
the usage of ";" as a separator for the values
-* [WICKET-5650] - Make is possible to position the choice label
before/after/around the choice
-* [WICKET-5651] - Add TagTester#getChild(String tagName) method
-* [WICKET-5652] - Improve Javadoc of Ajax behaviors concerning their onXyz()
methods
-* [WICKET-5653] - Add a setter for IViolationTranslator to
BeanValidationConfiguration
-* [WICKET-5654] - DefaultViolationTranslator should maybe use getMessage()
-* [WICKET-5658] - AjaxFormComponentUpdatingBehavior should not clear the
rawInput when updateModel is false
-* [WICKET-5659] - Add a setting to MultiFileUploadField to not close the file
uploads' streams
-* [WICKET-5660] - Throw more specific exception when a component cannot be
found by ListenerInterfaceRequestHandler
-* [WICKET-5667] - Preserve the NotSerializableException if an error occur
while using the IObjectCheckers
-* [WICKET-5668] - StringResourceModel with custom locale
-* [WICKET-5671] - Rename log4j.properties in the quickstart when creating a
project for WildFly
-* [WICKET-5673] - Improve BookmarkableMapper and BasicResourceReferenceMapper
to not match when the last segment is empty
-* [WICKET-5674] - Use jquery.atmosphere.js as a Webjar
-</code></pre>
-
-<h4 id="task">Task</h4>
-<pre><code>* [WICKET-5604] - Add a page to the site that lists other Apache
projects that use Wicket
-* [WICKET-5632] - Use frontend-maven-plugin to run the JavaScript tests
-* [WICKET-5665] - WicketTester#assertComponentOnAjaxResponse() cannot test
invisible components
-</code></pre>
-
-<h1 id="apache-wicket-700-m3-released20140823wicket-700-m3-releasedhtml"><a
href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache Wicket 7.0.0-M3
released</a></h1>
-<p>We have released the third of a series of milestone releases for Apache
-Wicket 7. We aim to finalise Wicket 7 over the coming months and
-request your help in testing the new major version.</p>
-
-<h3 id="caveats">Caveats</h3>
-
-<p>It is still a development version so expect minor API breaks to happen over
-the course of the coming milestone releases.</p>
-
-<h3 id="semantic-versioning">Semantic versioning</h3>
-
-<p>As we adopted semver Wicket 7 will be the first release since 6.0 where
-we are able to refactor the API. We will continue to use semver when we
-have made Wicket 7 final and maintain api compatibility between minor
-versions of Wicket 7.</p>
+<p>When rendering a web page Wicket checks the request url against the one at
the render time. It is possible the application to change the page parameters
(this includes both the query parameters and parameters encoded into the
request path). When the requested url differs with the one at the rendering
time Wicket stores the response (i.e. the page markup) at the server side and
issues an HTTP redirect to the new url. When the second request comes Wicket
just flushes the stored response from the first request into the http output
stream. This way the browser address bar shows the updated page parameters.
+When storing the page markup at the server side Wicket uses as an identifier a
pair of the current session id plus the new url. However, Wicket does not check
if user session is temporary (i.e. sessionId is null).
+This could lead to a security issue if two or more users with a temporary
session are redirected to the same url at the same time. Then user1 might see
the markup for user2 which has overridden the markup for user1 while user1 was
following the HTTP redirect. In this way user-sensitive informations can be
seen by other users.</p>
-<h3 id="requirements">Requirements</h3>
+<p>The application developers are recommended to upgrade to:
+- <a href="/2014/09/15/wicket-1.5.12-released.html">Apache Wicket 1.5.12</a>
+- <a href="/2014/08/24/wicket-6.17.0-released.html">Apache Wicket 6.17.0</a>
+- <a href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache Wicket
7.0.0-M3</a></p>
-<p>Wicket 7 requires the following:</p>
+<p>Credit:
+This issue was reported by Andrea Del Bene and Martin Grigorov!</p>
-<ul>
- <li>Java 7</li>
- <li>Servlet 3 compatible container</li>
-</ul>
-
-<p>You canât mix wicket libraries from prior Wicket versions with Wicket
7.</p>
+<p>Apache Wicket Team</p>
-<h3 id="migration-guide">Migration guide</h3>
-
-<p>As usual we have a migration guide available online for people
-migrating their applications to Wicket 7. We will continue to update
-the guide as development progresses. If you find something that is not
-in the guide, please update the guide, or let us know so we can update
-the guide.</p>
+<h1 id="wicket-1512-released20140915wicket-1512-releasedhtml"><a
href="/2014/09/15/wicket-1.5.12-released.html">Wicket 1.5.12 released</a></h1>
+<p>This is the twelfth maintenance release of the Wicket 1.5.x series. This
release brings over 5 bug fixes and improvements.</p>
<ul>
- <li><a href="http://s.apache.org/wicket7migrate">Migration to Wicket
7.0</a></li>
+ <li><a
href="https://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=shortlog;h=refs/tags/wicket-1.5.12">Git
tag</a></li>
+ <li><a
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12326154">Changelog</a></li>
+ <li>To use in Maven:</li>
</ul>
-<h3 id="using-this-release">Using this release</h3>
-
-<p>This is pre-release software: use at your own peril!</p>
-
-<p>With Apache Maven update your dependency to (and donât forget to
-update any other dependencies on Wicket projects to the same version):</p>
-
<div class="highlight"><pre><code class="language-xml" data-lang="xml"><span
class="nt"><dependency></span>
<span class="nt"><groupId></span>org.apache.wicket<span
class="nt"></groupId></span>
<span class="nt"><artifactId></span>wicket-core<span
class="nt"></artifactId></span>
- <span class="nt"><version></span>7.0.0-M3<span
class="nt"></version></span>
+ <span class="nt"><version></span>1.5.12<span
class="nt"></version></span>
<span class="nt"></dependency></span></code></pre></div>
-<p>Or download and build the distribution yourself, or use our
-convenience binary package</p>
-
<ul>
- <li>Source: <a
href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M3">http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M3</a></li>
- <li>Binary: <a
href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M3/binaries">http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M3/binaries</a></li>
+ <li>Download the <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.12">full distribution</a>
(including sources)</li>
</ul>
-<p>Have fun and let us know what you think!</p>
-
<h1>Older news items</h1>
<ul>
<li>
+ <a href="/2014/08/24/wicket-6.17.0-released.html">Apache Wicket 6.17.0
released</a> - <span>24 Aug 2014</span><br />
+ The Apache Wicket PMC is proud to announce Apache Wicket 6.17.0! This
release marks the seventeenth minor release of Wicket 6. Starting with Wicket
6...
+ <a href="/2014/08/24/wicket-6.17.0-released.html">more</a></li>
+
+
+<li>
+ <a href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache Wicket
7.0.0-M3 released</a> - <span>23 Aug 2014</span><br />
+ We have released the third of a series of milestone releases for
Apache Wicket 7. We aim to finalise Wicket 7 over the coming months...
+ <a href="/2014/08/23/wicket-7.0.0-M3-released.html">more</a></li>
+
+
+<li>
<a href="/2014/06/21/wicket-6.16.0-released.html">Apache Wicket 6.16.0
released</a> - <span>21 Jun 2014</span><br />
The Apache Wicket PMC is proud to announce Apache Wicket 6.16.0! This
release marks the sixteenth minor release of Wicket 6. Starting with Wicket 6...
<a href="/2014/06/21/wicket-6.16.0-released.html">more</a></li>
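Review bot: in the added advisory block, the three upgrade targets are emitted as "- <a ...>" lines inside a single <p> ("The application developers are recommended to upgrade to: - ..."), so the front page shows them as one run of text with literal dashes rather than a list. The commit log says the post was copied unchanged, so the Markdown source most likely lacks a blank line before the first "- " item. Add it in the _posts file and regenerate, which corrects this page, the advisory page and the feed entry in one go.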
@@ -445,18 +312,6 @@ convenience binary package</p>
This is twenty thirdth release of the Wicket 1.4.x series. This is a
security bugfix release on the 1.4.x branch. Read CVE-2013-2055 for more
information....
<a href="/2014/02/06/wicket-1.4.23-released.html">more</a></li>
-
-<li>
- <a href="/2014/02/06/cve-2013-2055.html">CVE-2013-2055 - Apache Wicket
Information disclosure vulnerability</a> - <span>06 Feb 2014</span><br />
- Severity: Important Vendor: The Apache Software Foundation Versions
Affected: Apache Wicket 1.4.22, 1.5.10 and 6.7.0 Description: It is possible to
make Wicket deliver the HTML...
- <a href="/2014/02/06/cve-2013-2055.html">more</a></li>
-
-
-<li>
- <a href="/2014/01/05/wicket-6.13.0-released.html">Apache Wicket 6.13.0
released</a> - <span>05 Jan 2014</span><br />
- The Apache Wicket PMC is proud to announce Apache Wicket 6.13.0! This
release marks the thirteenth minor release of Wicket 6. Starting with Wicket
6...
- <a href="/2014/01/05/wicket-6.13.0-released.html">more</a></li>
-
</ul>
<p># Books about Wicket</p>