Security Vulnerabilities with GWT

2020-06-29 Thread Priya Kolekar
Hi All, Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker tool. Below are the details - Gwt-dev.jar - 1.1 Vulnerable version of jetty library (current version--

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Colin Alworth
1. No, these dependencies were not updated as part of the 2.9.0 release
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough of a way that none of these will be present.
3. At a quick glance, it appears to be an

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Colin Alworth
The gwt-servlet issue is only on C++ versions of protobuf, so we believe there is no exploit here at all. The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor gwt-user.jar should ever be deployed as part of a running server application, so none of those should be

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Velusamy Velu
Is there a documented or demonstrated case of break-in using any of the vulnerabilities listed in your post, in an application developed with GWT framework? Do these vulnerabilities matter if a GWT application doesn't use GWT's RPC? On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Thomas Broyer
On Monday, June 29, 2020 at 3:36:11 PM UTC+2, Colin Alworth wrote:
> 1. No, these dependencies were not updated as part of the 2.9.0 release
> 2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough of a way

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Thomas Broyer
On Monday, June 29, 2020 at 12:57:41 PM UTC+2, Priya Kolekar wrote:
> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker tool.
>
> Below are the

Re: [gwt-contrib] Required JDK version to build GWT?

2020-06-29 Thread 'Goktug Gokdogan' via GWT Contributors
wrt running tests: See https://gwt-review.googlesource.com/c/gwt/+/13861 for the pattern used in JRE earlier; and the CI was updated to run in both 7 and 8 at the same time. PS: Compiler tests ("jjs.test.Java8Test") were different because we really needed to run the compiler tests with new syntax

Re: [gwt-contrib] Required JDK version to build GWT?

2020-06-29 Thread Matt Davis
I agree with this statement: "it seems like the clearest win is to move all the way to Java11, though continue to target java 8 releases, and test on all JREs up until current." On Mon, Jun 29, 2020 at 10:21 PM 'Goktug Gokdogan' via GWT Contributors <

Re: [gwt-contrib] Required JDK version to build GWT?

2020-06-29 Thread Colin Alworth
Right - the excludes via ant are certainly an option ("use ant filters"), my main hope is to avoid adding another stanza of xml for the emulation for each release. Cutting out Java7 and adding a "java 11 or higher" to lump all the java 9, 10, 11 tests in would at least be a net equal in XML

[gwt-contrib] Required JDK version to build GWT?

2020-06-29 Thread Colin Alworth
As of somewhere in the time leading up to the GWT 2.9.0 release, it is no longer possible to build GWT with Java7, and similarly the decision was made to no longer officially support running on Java7 (jsinterop-annotations use of "TYPE_USE", newer jetty version too I believe). There is still

Re: [gwt-contrib] Re: Resolving cycle dependency between gwt-safehtml & gwt-safecss

2020-06-29 Thread 'Frank Hossfeld' via GWT Contributors
>> Personally I would go with 'org.gwtproject.gwt-safecss' as groupid. It will make it much easier for gwt users to work with the module.
>>
>> What do you think?
>
> Do you really mean org.gwtproject.gwt-safecss as groupId‽ I.e. org.gwtproject.gwt-safecss:gwt-safecss coordinates‽

Re: [gwt-contrib] Re: Resolving cycle dependency between gwt-safehtml & gwt-safecss

2020-06-29 Thread Thomas Broyer
On Monday, June 29, 2020 at 8:43:25 AM UTC+2 frank.h...@googlemail.com wrote:
> Thanks everybody for input.
>
> As @Colin already mentioned I was talking about option 4 of Thomas list. I have moved gwt-safecss as separate modules into gwt-safehtml. (Need to add a note at the existing

Re: [gwt-contrib] Re: Resolving cycle dependency between gwt-safehtml & gwt-safecss

2020-06-29 Thread 'Frank Hossfeld' via GWT Contributors
Thanks everybody for input. As @Colin already mentioned I was talking about option 4 of Thomas list. I have moved gwt-safecss as separate modules into gwt-safehtml. (Need to add a note at the existing GitHub repo of gwt-safecss that the modules have moved after the PR is merged). I made a PR: