Hello Matt,

the required change is here:
https://github.com/apache/wicket/compare/rel/wicket-8.15.0...rel/wicket-8.16.0#diff-0257ba4a00901a14987a1f85de6b356f44f99f85661c9b4dc4a944ec35d48cffR90

On Tue, 18 Jun 2024 at 05:20, Matt Pavlovich <mattr...@gmail.com> wrote:
>
> Hi @dev-
>
> I understand that I’m late to the release change check-in, but wanted to 
> verify all the fixes for the CVE are included in Wicket 8.16.0
>
> I saw that this XML-related change is included in 9.x and 10.x, but not in
> Wicket 8.16.0.
>
> https://github.com/apache/wicket/commit/6db134c6a89f7cd374eede7d5cd467e128c781b9
>
> Please confirm that the only changes needed to address the XSLT-based RCE CVE
> are the fixes here:
>
> https://github.com/apache/wicket/compare/rel/wicket-8.15.0...rel/wicket-8.16.0
>
> Thanks,
> Matt
>
> > On Jun 17, 2024, at 2:00 AM, Andrea Del Bene <an.delb...@gmail.com> wrote:
> >
> > this vote passes. Thank you!
> >
> > On 6/14/24 10:43, Martin Grigorov wrote:
> >> +1 to release
> >>
> >> On Thu, Jun 13, 2024 at 12:13 AM Andrea Del Bene <an.delb...@gmail.com>
> >> wrote:
> >>
> >>> This is a vote to release Apache Wicket 8.16.0
> >>>
> >>> Please download the source distributions found in our staging area
> >>> linked below.
> >>>
> >>> I have included the signatures for both the source archives. This vote
> >>> lasts for 72 hours minimum.
> >>>
> >>> [ ] Yes, release Apache Wicket 8.16.0
> >>> [ ] No, don't release Apache Wicket 8.16.0, because ...
> >>>
> >>> Distributions, changelog, keys and signatures can be found at:
> >>>
> >>>      https://dist.apache.org/repos/dist/dev/wicket/8.16.0
> >>>
> >>> Staging repository:
> >>>
> >>> https://repository.apache.org/content/repositories/orgapachewicket-1205
> >>>
> >>> The binaries are available in the above link, as is a staging
> >>> repository for Maven. Typically the vote is on the source, but should
> >>> you find a problem with one of the binaries, please let me know, I can
> >>> re-roll them some way or the other.
> >>>
> >>> Staging git repository data:
> >>>
> >>>      Repository:  g...@github.com:bitstorm/wicket.git
> >>>      Branch:      build/wicket-8.16.0
> >>>      Release tag: rel/wicket-8.16.0
> >>>
> >>>
> >>> ========================================================================
> >>>
> >>>      The signatures for the source release artefacts:
> >>>
> >>>
> >>> Signature for apache-wicket-8.16.0.zip:
> >>>
> >>> Signature for apache-wicket-8.16.0.tar.gz:
> >>>
> >>> ========================================================================
> >>>
> >>>      CHANGELOG for 8.16.0:
> >>>
> >>> ** Bug
> >>>
> >>>      * [WICKET-7056] - HttpSessionStore#getAttribute called on
> >>> invalidated session
> >>>
> >>>
>


-- 
Best regards,
Maxim
