Got it. Thank you!

> On Jun 17, 2024, at 9:54 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> 
> Hello Mat,
> 
> the required change is here:
> https://github.com/apache/wicket/compare/rel/wicket-8.15.0...rel/wicket-8.16.0#diff-0257ba4a00901a14987a1f85de6b356f44f99f85661c9b4dc4a944ec35d48cffR90
> 
> On Tue, 18 Jun 2024 at 05:20, Matt Pavlovich <mattr...@gmail.com> wrote:
>> 
>> Hi @dev-
>> 
>> I understand that I’m late to the release change check-in, but wanted to 
>> verify all the fixes for the CVE are included in Wicket 8.16.0
>> 
>> I saw that this XML-related change is included in 9.x and 10.x, but not in 
>> Wicket 8.16.0.
>> 
>> https://github.com/apache/wicket/commit/6db134c6a89f7cd374eede7d5cd467e128c781b9
>> 
>> Please confirm that the only changes needed to address the XSLT-based RCE CVE 
>> are the fixes here:
>> 
>> https://github.com/apache/wicket/compare/rel/wicket-8.15.0...rel/wicket-8.16.0
>> 
>> Thanks,
>> Matt
>> 
>>> On Jun 17, 2024, at 2:00 AM, Andrea Del Bene <an.delb...@gmail.com> wrote:
>>> 
>>> this vote passes. Thank you!
>>> 
>>> On 6/14/24 10:43, Martin Grigorov wrote:
>>>> +1 to release
>>>> 
>>>> On Thu, Jun 13, 2024 at 12:13 AM Andrea Del Bene <an.delb...@gmail.com>
>>>> wrote:
>>>> 
>>>>> This is a vote to release Apache Wicket 8.16.0
>>>>> 
>>>>> Please download the source distributions found in our staging area
>>>>> linked below.
>>>>> 
>>>>> I have included the signatures for both the source archives. This vote
>>>>> lasts for 72 hours minimum.
>>>>> 
>>>>> [ ] Yes, release Apache Wicket 8.16.0
>>>>> [ ] No, don't release Apache Wicket 8.16.0, because ...
>>>>> 
>>>>> Distributions, changelog, keys and signatures can be found at:
>>>>> 
>>>>>     https://dist.apache.org/repos/dist/dev/wicket/8.16.0
>>>>> 
>>>>> Staging repository:
>>>>> 
>>>>> https://repository.apache.org/content/repositories/orgapachewicket-1205
>>>>> 
>>>>> The binaries are available in the above link, as is a staging
>>>>> repository for Maven. Typically the vote is on the source, but should
>>>>> you find a problem with one of the binaries, please let me know, I can
>>>>> re-roll them some way or the other.
>>>>> 
>>>>> Staging git repository data:
>>>>> 
>>>>>     Repository:  g...@github.com:bitstorm/wicket.git
>>>>>     Branch:      build/wicket-8.16.0
>>>>>     Release tag: rel/wicket-8.16.0
>>>>> 
>>>>> 
>>>>> ========================================================================
>>>>> 
>>>>>     The signatures for the source release artefacts:
>>>>> 
>>>>> 
>>>>> Signature for apache-wicket-8.16.0.zip:
>>>>> 
>>>>> 
>>>>> Signature for apache-wicket-8.16.0.tar.gz:
>>>>> 
>>>>> 
>>>>> ========================================================================
>>>>> 
>>>>>     CHANGELOG for 8.16.0:
>>>>> 
>>>>> ** Bug
>>>>> 
>>>>>     * [WICKET-7056] - HttpSessionStore#getAttribute called on
>>>>> invalidated session
>>>>> 
>>>>> 
>> 
> 
> 
> -- 
> Best regards,
> Maxim
