Hi,

First thing: I still don't know which JIRA issue fixes the CVE-2020-11976
vulnerability, is it WICKET-6792 or not? I can see version 6.31.0 in JIRA
with this issue fixed, so because of that I have asked about releasing this
version of Wicket. I thought that Wicket 6.x still receives security fixes;
if not, we can patch it ourselves (but we need to know what was fixed) or
perform an upgrade (see below).

We have a plan to upgrade (at last ;)) Wicket to a newer version (9.x), but
it is not quite easy for a big application, and unfortunately we have to
patch Wicket code ourselves to fix the issues described in WICKET-5588
(including JavaScript: if this code has many changes between 6.x and 9.x
it can be quite hard to do).
It would be much easier to upgrade if this problem were fixed in the
standard version of Wicket.

--
Best regards,
Daniel Stoch



Thu, 11 Aug 2022 at 10:06 Martin Grigorov <mgrigo...@apache.org> wrote:

> Hi,
>
> Wicket 6.x is no longer supported.
> Wicket 7.x is the current security maintenance branch.
>
> Your options are:
> - patch locally
> - upgrade to a newer version
>
> On Wed, Aug 10, 2022 at 6:17 PM Daniel Stoch <daniel.st...@gmail.com>
> wrote:
>
> > Hi,
> >
> > Is there any JIRA issue for this? I tried to find one, but no issue in the
> > Wicket JIRA points directly to CVE-2020-11976.
> > One possible candidate to me is WICKET-6792 :). Am I right? If yes, this
> > is already fixed also for Wicket 6.31.0, can you release this version?
> >
> > --
> > Best regards,
> > Daniel Stoch
> >
> >
> > Mon, 10 Aug 2020 at 18:23 <svenme...@apache.org> wrote:
> >
> > > Severity: Important
> > >
> > > Vendor:
> > > The Apache Software Foundation
> > >
> > > Versions Affected:
> > > Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
> > >
> > > Description:
> > >
> > > By crafting a special URL it is possible to make Wicket deliver
> > > unprocessed HTML templates.
> > > This would allow an attacker to see possibly sensitive information
> > > inside an HTML template that is usually removed during rendering.
> > > For example if there are credentials in the markup which are never
> > > supposed to be visible to the client:
> > >
> > >    <wicket:remove>
> > >       some secret
> > >    </wicket:remove>
> > >
> > > The application developers are recommended to upgrade to:
> > > - Apache Wicket 7.17.0
> > > <http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
> > > - Apache Wicket 8.9.0
> > > <http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
> > > - Apache Wicket 9.0.0
> > > <http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
> > >
> > > Credit:
> > > The vulnerability has been found and reported by Mariusz Popławski from
> > > Afine.
> > >
> > > Apache Wicket Team
> > >
> >
>
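A defender-side check for the template-disclosure failure mode described in the quoted advisory, added here as an example that is not part of the thread or of the Wicket project: it scans Wicket HTML templates for `<wicket:remove>` blocks whose content looks like credentials, since anything inside such a block becomes visible the moment a raw template is served unprocessed. The sample templates and the keyword list are constructed assumptions.

```python
import re

# Constructed sample templates (not from the thread). A real audit would read
# every *.html file from the Wicket application's source tree instead.
TEMPLATES = {
    "LoginPage.html": """<html xmlns:wicket="http://wicket.apache.org">
<body>
  <wicket:remove>
     admin password: hunter2
  </wicket:remove>
  <form wicket:id="login"></form>
</body></html>""",
    "HomePage.html": """<html xmlns:wicket="http://wicket.apache.org">
<body>
  <wicket:remove>
     <p>preview text only shown to designers</p>
  </wicket:remove>
</body></html>""",
}

# wicket:remove blocks are stripped during normal rendering, so developers tend
# to treat them as private; a raw-template disclosure bug undoes that.
REMOVE_BLOCK = re.compile(r"<wicket:remove>(.*?)</wicket:remove>", re.DOTALL | re.IGNORECASE)
# Assumed credential-like keywords; extend to match the project's own conventions.
SECRET_HINT = re.compile(r"\b(password|passwd|secret|token|api[_-]?key)\b", re.IGNORECASE)

def find_remove_blocks(markup):
    """Return the stripped inner text of every <wicket:remove> block in a template."""
    return [m.group(1).strip() for m in REMOVE_BLOCK.finditer(markup)]

def audit(templates):
    """Map template name -> list of wicket:remove blocks containing credential-like text.
    Templates with no suspicious blocks are omitted from the result."""
    findings = {}
    for name, markup in templates.items():
        suspicious = [b for b in find_remove_blocks(markup) if SECRET_HINT.search(b)]
        if suspicious:
            findings[name] = suspicious
    return findings

if __name__ == "__main__":
    for name, blocks in audit(TEMPLATES).items():
        print(f"{name}: {len(blocks)} wicket:remove block(s) with credential-like content")
```

Moving secrets out of markup entirely (into server-side configuration) is the durable fix; the scan only confirms that none remain in templates that a disclosure bug could expose.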
