I can see the Wicket 1.5.16 but not 1.5.17 in "https://wicket.apache.org/start/wicket-1.5.x.html#download".
On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:
> CVE-2016-6793: Apache Wicket deserialization vulnerability
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: Apache Wicket 6.x and 1.5.x
>
> Description: Depending on the ISerializer set in the Wicket application, it's possible that a Wicket object deserialized from an untrusted source and utilized by the application causes the code to enter an infinite loop. Specifically, Wicket's DiskFileItem class, serialized by Kryo, allows an attacker to hack its serialized form to put a client on an infinite loop if the client attempts to write on the DeferredFileOutputStream attribute.
>
> Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
>
> Credit: This issue was discovered by Jacob Baines, Tenable Network Security and Pedro Santos
>
> References: https://wicket.apache.org/news