but it is released. See here: https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17

kind regards


On 03.01.17 at 21:25, durairaj t wrote:
I can see the Wicket 1.5.16 but not 1.5.17 in "

On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:

CVE-2016-6793: Apache Wicket deserialization vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.x and 1.5.x

Description: Depending on the ISerializer set in the Wicket application,
it's possible that a Wicket object deserialized from an untrusted source
and utilized by the application causes the code to enter an
infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
Kryo, allows an attacker to hack its serialized form to put a client in an
infinite loop if the client attempts to write to the
DeferredFileOutputStream attribute.

Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17

Credit: This issue was discovered by Jacob Baines, Tenable Network Security, and Pedro Santos

References: https://wicket.apache.org/news
