Good morning,

Could you please suggest when the 8.17 security fix will be available for the recent vulnerability?

Thank you,
-Mihir

On Fri, May 8, 2026, 6:44 AM Eric Hamel <[email protected]> wrote:

> Thank you for the new release.
>
> Should we expect a wicketstuff 10.9 soon?
>
>
> ——————-
> Eric Hamel
> Solutions Architect / Senior Project Manager
> AlbanyITG
> P. 518-698-4503
>
>
> On May 6, 2026, at 11:22 AM, Mihir Chhaya <[email protected]> wrote:
> >
> > Thank you, Apache Wicket team for having the fixed version in 10.x
> > available soon.
> >
> > Could you please share possible release schedule with fix for the 8.x and
> > 9.x branches?
> >
> > Thank you,
> > -Mihir
> >
> >> On Tue, May 5, 2026, 4:42 AM Andrea Del Bene <[email protected]> wrote:
> >>
> >> The Apache Wicket PMC is proud to announce Apache Wicket 10.9.0!
> >>
> >> Apache Wicket is an open source Java component oriented web application
> >> framework that powers thousands of web applications and web sites for
> >> governments, stores, universities, cities, banks, email providers, and
> >> more. You can find more about Apache Wicket at https://wicket.apache.org
> >>
> >> This release marks another minor release of Wicket 10. We
> >> use semantic versioning for the development of Wicket, and as such no
> >> API breaks are present in this release compared to 10.0.0.
> >>
> >> New and noteworthy
> >> ------------------
> >>
> >> This release fixes the following security issues:
> >>
> >> * CVE-2026-43646 crafted URLs can bypass PackageResourceGuard
> >> * CVE-2026-42509 crafted strings can break out of the JavaScript sequence
> >> * CVE-2026-40010 possible session fixation using AuthenticatedWebSession
> >> * CVE-2026-43975 Possible malicious path traversal in
> >>   FolderUploadsFileManager
> >>
> >>
> >> Using this release
> >> ------------------
> >>
> >> With Apache Maven update your dependency to (and don't forget to
> >> update any other dependencies on Wicket projects to the same version):
> >>
> >> <dependency>
> >>     <groupId>org.apache.wicket</groupId>
> >>     <artifactId>wicket-core</artifactId>
> >>     <version>10.9.0</version>
> >> </dependency>
> >>
> >> Or download and build the distribution yourself, or use our
> >> convenience binary package you can find here:
> >>
> >> * Download: http://wicket.apache.org/start/wicket-10.x.html#manually
> >>
> >> Upgrading from earlier versions
> >> -------------------------------
> >>
> >> If you upgrade from 10.y.z this release is a drop in replacement. If
> >> you come from a version prior to 10.0.0, please read our Wicket 10
> >> migration guide found at
> >>
> >> * http://s.apache.org/wicket10migrate
> >>
> >> Have fun!
> >>
> >> — The Wicket team
> >>
> >>
> >> ========================================================================
> >>
> >> CHANGELOG for 10.9.0:
> >>
> >> ** Bug
> >>
> >> * [WICKET-7174] - DefaultSecureRandomSupplier does not work for FIPS
> >>
> >> ** New Feature
> >>
> >> * [WICKET-7169] - Make partHeaderSizeMax in AbstractFileUpload
> >>   configurable
> >>
> >> ** Improvement
> >>
> >> * [WICKET-7172] - Support new CSP style, script directives
> >> * [WICKET-7179] - add support for jQuery 4.0.0
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
