Thank you for the update - truly appreciate it.

-Mihir
On Mon, May 11, 2026, 11:47 AM Andrea Del Bene <[email protected]> wrote:

> both 8.18.0 and 9.23.0 are under vote, so they should be ready later
> on this week
>
> On Mon, May 11, 2026 at 5:35 PM Mihir Chhaya <[email protected]> wrote:
> >
> > Good morning,
> >
> > Could you please suggest when the 8.17 security fix will be available for
> > the recent vulnerability?
> >
> > Thank you,
> > -Mihir
> >
> > On Fri, May 8, 2026, 6:44 AM Eric Hamel <[email protected]> wrote:
> >
> > > Thank you for the new release.
> > >
> > > Should we expect a wicketstuff 10.9 soon?
> > >
> > >
> > > ——————-
> > > Eric Hamel
> > > Solutions Architect / Senior Project Manager
> > > AlbanyITG
> > > P. 518-698-4503
> > >
> > > > On May 6, 2026, at 11:22 AM, Mihir Chhaya <[email protected]> wrote:
> > > >
> > > > Thank you, Apache Wicket team for having the fixed version in 10.x
> > > > available soon.
> > > >
> > > > Could you please share possible release schedule with fix for the 8.x and
> > > > 9.x branches?
> > > >
> > > > Thank you,
> > > > -Mihir
> > > >
> > > >> On Tue, May 5, 2026, 4:42 AM Andrea Del Bene <[email protected]> wrote:
> > > >>
> > > >> The Apache Wicket PMC is proud to announce Apache Wicket 10.9.0!
> > > >>
> > > >> Apache Wicket is an open source Java component oriented web application
> > > >> framework that powers thousands of web applications and web sites for
> > > >> governments, stores, universities, cities, banks, email providers, and
> > > >> more. You can find more about Apache Wicket at https://wicket.apache.org
> > > >>
> > > >> This release marks another minor release of Wicket 10. We
> > > >> use semantic versioning for the development of Wicket, and as such no
> > > >> API breaks are present in this release compared to 10.0.0.
> > > >>
> > > >> New and noteworthy
> > > >> ------------------
> > > >>
> > > >> This release fixes the following security issues:
> > > >>
> > > >> * CVE-2026-43646 crafted URLs can bypass PackageResourceGuard
> > > >> * CVE-2026-42509 crafted strings can break out of the JavaScript sequence
> > > >> * CVE-2026-40010 possible session fixation using AuthenticatedWebSession
> > > >> * CVE-2026-43975 Possible malicious path traversal in
> > > >>   FolderUploadsFileManager
> > > >>
> > > >>
> > > >> Using this release
> > > >> ------------------
> > > >>
> > > >> With Apache Maven update your dependency to (and don't forget to
> > > >> update any other dependencies on Wicket projects to the same version):
> > > >>
> > > >> <dependency>
> > > >>     <groupId>org.apache.wicket</groupId>
> > > >>     <artifactId>wicket-core</artifactId>
> > > >>     <version>10.9.0</version>
> > > >> </dependency>
> > > >>
> > > >> Or download and build the distribution yourself, or use our
> > > >> convenience binary package you can find here:
> > > >>
> > > >> * Download: http://wicket.apache.org/start/wicket-10.x.html#manually
> > > >>
> > > >> Upgrading from earlier versions
> > > >> -------------------------------
> > > >>
> > > >> If you upgrade from 10.y.z this release is a drop in replacement. If
> > > >> you come from a version prior to 10.0.0, please read our Wicket 10
> > > >> migration guide found at
> > > >>
> > > >> * http://s.apache.org/wicket10migrate
> > > >>
> > > >> Have fun!
> > > >>
> > > >> — The Wicket team
> > > >>
> > > >>
> > > >> ========================================================================
> > > >>
> > > >> CHANGELOG for 10.9.0:
> > > >>
> > > >> ** Bug
> > > >>
> > > >> * [WICKET-7174] - DefaultSecureRandomSupplier does not work for FIPS
> > > >>
> > > >> ** New Feature
> > > >>
> > > >> * [WICKET-7169] - Make partHeaderSizeMax in AbstractFileUpload
> > > >>   configurable
> > > >>
> > > >> ** Improvement
> > > >>
> > > >> * [WICKET-7172] - Support new CSP style, script directives
> > > >> * [WICKET-7179] - add support for jQuery 4.0.0
> > > >>
> > > >>
> > > >> ---------------------------------------------------------------------
> > > >> To unsubscribe, e-mail: [email protected]
> > > >> For additional commands, e-mail: [email protected]
>
> --
> Andrea Del Bene.
> Apache Wicket committer.
