Hi, I applied the fix to the wicket-8.x branch and updated the tickets:

https://issues.apache.org/jira/browse/WICKET-7024
https://issues.apache.org/jira/browse/WICKET-7137

Should be available in the next 8.x version.

Pedro Santos


On Fri, Jan 24, 2025 at 2:07 PM Mihir Chhaya <mihir.chh...@gmail.com> wrote:

> Same here - we have multiple projects developed with Wicket 7 and 8 and it
> would be long before all the projects could be migrated to JDK 11+ and
> Apache Wicket 9.x.
> It would be truly helpful if the Wicket Team could help with a security
> fix.
>
> Thank you,
> -Mihir.
>
> On Fri, Jan 24, 2025 at 11:43 AM Jonathan Babie <jba...@osc.ny.gov.invalid> wrote:
>
> > Hello,
> >
> > I was just looking to see if there are plans to address this in Wicket 8.x
> > since it's still in security fixes only status. Any information would be
> > greatly appreciated and thank you again.
> >
> > Thank you,
> >
> > Jonathan Babie
> >
> > Information Technology Specialist IV
> >
> > Java Applications Unit | CIO | OSC
> >
> > Work: (838) 910-4274
> >
> > Personal: (518) 331-8758
> >
> > ________________________________
> > From: Pedro Santos <pe...@apache.org>
> > Sent: Thursday, January 23, 2025 10:21 AM
> > To: us...@wicket.apache.org <us...@wicket.apache.org>;
> > dev@wicket.apache.org <dev@wicket.apache.org>
> > Subject: CVE-2024-53299: Apache Wicket: An attacker can intentionally
> > trigger a memory leak
> >
> > Severity: critical
> >
> > Affected versions:
> >
> > - Apache Wicket 7.0.0 through 7.18.*
> > - Apache Wicket 8.0.0-M1 through 8.16.*
> > - Apache Wicket 9.0.0-M1 through 9.18.*
> > - Apache Wicket 10.0.0-M1 through 10.2.*
> >
> > Description:
> >
> > The request handling in the core in Apache Wicket 7.0.0 on any platform
> > allows an attacker to create a DOS via multiple requests to server
> > resources.
> > Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes
> > this issue.
> >
> > Credit: (finder)
> >
> > References:
> >
> > https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5
> > https://wicket.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2024-53299
> >
>
