Hi,

Please use users@ or dev@. There is nothing to announce@.

On Wed, May 26, 2021 at 5:36 PM Mihir Chhaya <mihir.chh...@gmail.com> wrote:

> Thank you for sharing this information.
>
> Questions:
> 1. Will there be any upgrades from Wicket-CDI, Wicket-bootstrap etc.
> libraries related to this vulnerability?

wicket-cdi is part of Apache Wicket releases, so there is nothing more to do.
wicket-bootstrap could be used with any version of Wicket, as long as it is binary compatible, i.e. same major version.

> 2. If yes, then should I wait for those libraries or go ahead and put the
> core Apache Wicket libraries first and then upgrade other libraries when
> available?

Just update wicket-core to a version with the fix.

> Thank you,
> -Mihir.
>
> On Tue, May 25, 2021 at 3:51 AM Emond Papegaaij <emond.papega...@gmail.com> wrote:
>
>> Description:
>>
>> A DNS proxy and possible amplification attack vulnerability in
>> WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
>> DNS lookups from the server when the X-Forwarded-For header is not
>> properly sanitized. This DNS lookup can be engineered to overload an
>> internal DNS server or to slow down request processing of the Apache
>> Wicket application causing a possible denial of service on either the
>> internal infrastructure or the web application itself.
>>
>> This issue affects Apache Wicket 9.x version 9.2.0 and
>> prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
>> Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
>> 6.x version 6.2.0 and later versions.
>>
>> Mitigation:
>>
>> Sanitize the X-Forwarded-For header by running an Apache Wicket
>> application behind a reverse HTTP proxy. This proxy should put the
>> client IP address in the X-Forwarded-For header and not pass through
>> the contents of the header as received by the client.
>>
>> The application developers are recommended to upgrade to:
>> - Apache Wicket 7.18.0
>>   <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
>> - Apache Wicket 8.12.0
>>   <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
>> - Apache Wicket 9.0.0
>>   <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
>>
>> Credit:
>>
>> Apache Wicket would like to thank Jonathan Juursema from
>> Topicus.Healthcare for reporting this issue.
>>
>> Apache Wicket Team
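The root cause in the quoted advisory is that a value taken from X-Forwarded-For (which a client can fill with anything, including a hostname) ends up being handed to the resolver. The example below is an added illustration, not code from the thread or from Apache Wicket's WebClientInfo, of how an application can derive the client address defensively: only the direct peer's trust decides whether the header is consulted at all, and only IP literals are accepted, so no DNS lookup can ever be triggered by header contents. The trusted proxy address and all header samples are constructed for the example.

```python
import ipaddress
from typing import FrozenSet, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical trusted reverse-proxy address (constructed for this example).
TRUSTED_PROXIES: FrozenSet[IPAddr] = frozenset({ipaddress.ip_address("10.0.0.5")})


def parse_ip_literal(token: str) -> Optional[IPAddr]:
    """Return an address object if `token` is an IPv4/IPv6 literal, else None.

    ipaddress.ip_address() never consults the resolver, so a hostname such as
    "attacker.example" fails to parse instead of causing a DNS lookup.
    """
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: FrozenSet[IPAddr] = TRUSTED_PROXIES) -> str:
    """Derive the client IP from the TCP peer and X-Forwarded-For without resolving names.

    Rules:
      * If the direct peer is not a trusted proxy, X-Forwarded-For is
        untrusted input and is ignored outright.
      * Otherwise walk the header from the right (the end nearest our proxy),
        skip trusted proxy hops, and use the first value that is an IP literal.
      * Any non-literal value (hostname, garbage, "ip:port") aborts the walk and
        the peer address is used instead, so nothing is ever handed to DNS.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies or not x_forwarded_for:
        return str(peer)
    for token in reversed(x_forwarded_for.split(",")):
        addr = parse_ip_literal(token)
        if addr is None:
            return str(peer)
        if addr in trusted_proxies:
            continue
        return str(addr)
    return str(peer)


def demo() -> dict:
    """Run the helper over constructed (peer, X-Forwarded-For) samples."""
    samples = {
        "plain literal":         ("10.0.0.5",     "203.0.113.9"),
        "hostname injected":     ("10.0.0.5",     "attacker.example"),
        "literal then hostname": ("10.0.0.5",     "203.0.113.9, attacker.example"),
        "proxy hop appended":    ("10.0.0.5",     "203.0.113.9, 10.0.0.5"),
        "untrusted peer":        ("198.51.100.7", "203.0.113.9"),
        "ipv6 literal":          ("10.0.0.5",     "2001:db8::1"),
    }
    return {name: client_ip(peer, xff) for name, (peer, xff) in samples.items()}


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:24s} -> {ip}")
```

This complements, rather than replaces, the advisory's mitigation: the reverse proxy in front of the application should overwrite the header with the connecting client's address (in nginx, `proxy_set_header X-Forwarded-For $remote_addr;` rather than `$proxy_add_x_forwarded_for`, which appends to whatever the client sent), and the application should still be on a Wicket release that carries the fix.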