Thank you, Pedro for this. Question (for Apache Wicket Team): Could you please share the timeline for the 8.17 security fix release?
Thank you once again, -Mihir On Mon, Jan 27, 2025 at 10:45 AM Pedro Santos <pedros...@gmail.com> wrote: > Hi, I applied the fix to the wicket-8.x branch and updated the tickets: > > https://issues.apache.org/jira/browse/WICKET-7024 > https://issues.apache.org/jira/browse/WICKET-7137 > > Should be available in the next 8.x version. > > Pedro Santos > > > On Fri, Jan 24, 2025 at 2:07 PM Mihir Chhaya <mihir.chh...@gmail.com> > wrote: > > > Same here - we have multiple projects developed with Wicket 7 and 8 and > it > > would be long before all the projects could be migrated to JDK 11+ and > > Apache Wicket 9.x. > > It would be truly helpful if the Wicket Team could help with a security > > fix. > > > > Thank you, > > -Mihir. > > > > On Fri, Jan 24, 2025 at 11:43 AM Jonathan Babie > <jba...@osc.ny.gov.invalid > > > > > wrote: > > > > > Hello, > > > > > > I was just looking to see if there are plans to address this in Wicket > > 8.x > > > since it's still in security fixes only status. Any information would > be > > > greatly appreciated and thank you again. > > > > > > Thank you, > > > > > > Jonathan Babie > > > > > > Information Technology Specialist IV > > > > > > Java Applications Unit | CIO | OSC > > > > > > Work: (838) 910-4274 > > > > > > Personal: (518) 331-8758 > > > > > > ________________________________ > > > From: Pedro Santos <pe...@apache.org> > > > Sent: Thursday, January 23, 2025 10:21 AM > > > To: us...@wicket.apache.org <us...@wicket.apache.org>; > > > dev@wicket.apache.org <dev@wicket.apache.org> > > > Subject: CVE-2024-53299: Apache Wicket: An attacker can intentionally > > > trigger a memory leak > > > > > > Severity: critical > > > > > > Affected versions: > > > > > > - Apache Wicket 7.0.0 through 7.18.* > > > - Apache Wicket 8.0.0-M1 through 8.16.* > > > - Apache Wicket 9.0.0-M1 through 9.18.* > > > - Apache Wicket 10.0.0-M1 through 10.2.* > > > > > > Description: > > > > > > The request handling in the core in Apache Wicket 7.0.0 on any platform > > > allows an attacker to create a DOS via multiple requests to server > > > resources. > > > Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which > > fixes > > > this issue. > > > > > > Credit: (finder) > > > > > > References: > > > > > > https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5 > > > https://wicket.apache.org/ > > > https://www.cve.org/CVERecord?id=CVE-2024-53299 > > > Notice: This communication, including any attachments, is intended > solely > > > for the use of the individual or entity to which it is addressed. This > > > communication may contain information that is protected from disclosure > > > under State and/or Federal law. Please notify the sender immediately if > > you > > > have received this communication in error and delete this email from > your > > > system. If you are not the intended recipient, you are requested not to > > > disclose, copy, distribute or take any action in reliance on the > contents > > > of this information. > > > > > >
