Posted to users@wicket.apache.org by Sven Meier <sv...@meiers.net> on 2013/03/05 10:13:45 UTC

[CVE-2012-5636] Apache Wicket XSS vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x, 1.5.x and 1.6.x

Description:
https://wicket.apache.org/2013/03/03/cve-2012-5636.html
It is possible for JavaScript statements to break out of a <script> tag in the rendered response.
This might pose a security threat if the written JavaScript contains user-provided data.

This vulnerability is fixed in
- Apache Wicket 6.4.0
   https://wicket.apache.org/2012/12/14/wicket-6.4.0-released.html
- Apache Wicket 1.5.10
   https://wicket.apache.org/2013/02/26/wicket-1.5.10-released.html
- Apache Wicket 1.4.22

Credit:
This issue was reported by Michael Riedel.

Apache Wicket Team

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
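
The break-out the advisory describes, as an added example that is not part of the original post and not code from the Wicket code base: a server writes user data into an inline <script> block as a JavaScript string literal, which satisfies the JavaScript parser but not the HTML parser, because the HTML tokenizer ends a script element at the first "</script" it sees regardless of JavaScript quoting. The renderNaive/renderHardened functions, the small tokenizer model and the payload string are all constructed for illustration; the "<\/" escaping shown is a generic technique and is not a statement of what the Wicket fix itself does.

```javascript
// Added example, not from the Wicket advisory or the Wicket code base.
// Models the mistake behind "JavaScript breaking out of a <script> tag":
// user data written into an inline script as a JS string literal is safe
// for the JS parser but not for the HTML parser, which ends the element at
// the first "</script" it sees, quoting or not.

// Constructed test input for this example, not a payload from the advisory.
const CONSTRUCTED_PAYLOAD = '</script><script>alert(1)</script>';

// Naive server-side rendering: JSON.stringify yields a valid JS string
// literal but leaves "</" untouched, so "</script" survives into the HTML.
function renderNaive(userValue) {
  return '<html><body><script>var user = ' + JSON.stringify(userValue) +
    ';</script></body></html>';
}

// Hardening step: inside a JS string literal "<\/" decodes to "</", so the
// data is unchanged for the JS engine, while the HTML tokenizer never sees
// the byte sequence "</script". (Replacing every "<" with "\u003c" works too.)
function escapeForScriptBlock(jsStringLiteral) {
  return jsStringLiteral.replace(/<\//g, '<\\/');
}

function renderHardened(userValue) {
  return '<html><body><script>var user = ' +
    escapeForScriptBlock(JSON.stringify(userValue)) + ';</script></body></html>';
}

// Minimal model of the HTML tokenizer's "script data" state: after a
// <script ...> start tag, everything up to the first case-insensitive
// "</script" is script text, whatever the JS quotes say. Returns the script
// bodies in document order; a second body means the injected data closed
// the first element and opened another one.
function extractScriptBodies(html) {
  const bodies = [];
  const openTag = /<script\b[^>]*>/gi;
  let m;
  while ((m = openTag.exec(html)) !== null) {
    const start = m.index + m[0].length;
    const rel = html.slice(start).search(/<\/script/i);
    if (rel === -1) {          // unterminated script: the rest is script text
      bodies.push(html.slice(start));
      break;
    }
    bodies.push(html.slice(start, start + rel));
    openTag.lastIndex = start + rel;  // resume scanning after this body
  }
  return bodies;
}

// The escaped literal must still decode to the original data. JSON permits
// the "\/" escape, so JSON.parse stands in for the browser's JS parser here.
function roundTrip(userValue) {
  return JSON.parse(escapeForScriptBlock(JSON.stringify(userValue)));
}

// Stand-alone demonstration.
function demo() {
  const naive = extractScriptBodies(renderNaive(CONSTRUCTED_PAYLOAD));
  const hardened = extractScriptBodies(renderHardened(CONSTRUCTED_PAYLOAD));
  console.log('naive: ' + naive.length + ' script element(s)');       // 2: broken out
  console.log('hardened: ' + hardened.length + ' script element(s)'); // 1
  console.log('data preserved: ' + (roundTrip(CONSTRUCTED_PAYLOAD) === CONSTRUCTED_PAYLOAD));
}
demo();
```

Two caveats a practitioner should keep in mind: the escaping above only helps for data that sits inside a JavaScript string literal (data concatenated into script outside a literal is code execution by construction, and no escaping of "</" rescues it), and "<!--" is a second sequence with special meaning in script data that a complete encoder should also neutralise. For a Wicket application the remedy remains the one the advisory gives: move to 6.4.0, 1.5.10 or 1.4.22.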


Re: [CVE-2012-5636] Apache Wicket XSS vulnerability

Posted by Gereon Steffens <ge...@finanzen100.de>.
Thanks!

Gereon

On 06.03.13 10:32, "Sven Meier" <sv...@meiers.net> wrote:

>I've updated wicket.apache.org to list 1.4.22 now.
>
>Sven
>


Re: [CVE-2012-5636] Apache Wicket XSS vulnerability

Posted by Sven Meier <sv...@meiers.net>.
I've updated wicket.apache.org to list 1.4.22 now.

Sven

On 03/06/2013 10:06 AM, Martin Grigorov wrote:
> Hi,
>
> It is already available :
> http://central.maven.org/maven2/org/apache/wicket/wicket/1.4.22/


Re: [CVE-2012-5636] Apache Wicket XSS vulnerability

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

It is already available :
http://central.maven.org/maven2/org/apache/wicket/wicket/1.4.22/


On Wed, Mar 6, 2013 at 10:39 AM, Gereon Steffens <
gereon.steffens@finanzen100.de> wrote:

> Is there an ETA for the 1.4.22 release? I still have one site on 1.4 that
> I haven't gotten around to migrate yet...
>
> Thanks,
>
> Gereon

-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com

Re: [CVE-2012-5636] Apache Wicket XSS vulnerability

Posted by Gereon Steffens <ge...@finanzen100.de>.
Is there an ETA for the 1.4.22 release? I still have one site on 1.4 that
I haven't gotten around to migrate yet...

Thanks,

Gereon
