Updated release notes for 6.6.7

author Jonatan Kronqvist <jonatan.kronqvist@itmill.com>

Wed, 28 Sep 2011 10:42:22 +0000 (10:42 +0000)

committer Jonatan Kronqvist <jonatan.kronqvist@itmill.com>

Wed, 28 Sep 2011 10:42:22 +0000 (10:42 +0000)
author Jonatan Kronqvist <jonatan.kronqvist@itmill.com>
Wed, 28 Sep 2011 10:42:22 +0000 (10:42 +0000)
committer Jonatan Kronqvist <jonatan.kronqvist@itmill.com>
Wed, 28 Sep 2011 10:42:22 +0000 (10:42 +0000)
diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html

index 9f11093091a5368eb95dea6b012763237a7663c1..a65b8459fbadd37cf72b8a6b4b9655d38978fd10 100644 (file)
--- a/WebContent/release-notes.html
+++ b/WebContent/release-notes.html
@@ -57,6 +57,14 @@ widget sets and refresh your project in Eclipse. If you are upgrading from
  package). See <a href="#upgrading">General Upgrade Instructions</a> for more details on upgrading.</p>
  <!-- ====================================================================== -->
  
+<h3>Security fixes in Vaadin Framework 6.6.7</h3>
+<ul>
+    <li><a href="http://dev.vaadin.com/ticket/7669">#7669</a> CSRF/XSS vulnerability through separator injection</li>
+    <li><a href="http://dev.vaadin.com/ticket/7670">#7670</a> Directory traversal vulnerability</li>
+    <li><a href="http://dev.vaadin.com/ticket/7671">#7671</a> Contributory XSS: Possibility to inject HTML/JavaScript in system error messages</li>
+    <li><a href="http://dev.vaadin.com/ticket/7672">#7672</a> Contributory XSS: possibility for injection in certain components</li>
+</ul>
+
  <h3>Enhancements in Vaadin Framework 6.6</h3>
  
  <p>General enhancements:</p>
@@ -100,6 +108,25 @@ package). See <a href="#upgrading">General Upgrade Instructions</a> for more det
    <li>Server communication methods in <b>ApplicationConnection</b> can now be overridden (<a href="http://dev.vaadin.com/ticket/6885">#6885</a>)</li>
  </ul>
  
+<h3>Fixes in Vaadin @version@</h3>
+    <p>
+    #7669   CSRF/XSS vulnerability through separator injection
+    #7670   Directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN()
+    #7671   Contributory XSS: Possibility to inject HTML/javascript in system error messages
+    #7541   Table.setColumnCollapsed("id",true) will cleared PropertyDataSource for any fields in table item properties
+    #7672   Contributory XSS: possibility for injection in certain components
+    #3125   Portlet size is not updated when window is resized
+    #6420   Solution for menu too long.
+    #7560   ComboBox: Writing the name of a new item and clicking on drop down menu works inconsistently.
+    #7653   Update screenshots for Safari 5.1
+    #7654   Update screenshots for Safari 5.1
+    </p>
+        <p>
+            The <a
+                href="http://dev.vaadin.com/query?status=closed&type=defect&milestone=Vaadin+6.7.0.rc1&or&status=closed&type=defect&milestone=Vaadin+6.7.0.beta1&group=status&col=id&col=summary&col=owner&col=type&col=priority&col=component&col=version&order=priority">full
+                details of the defects</a> can be found at dev.vaadin.com.
+        </p>
+
  <h3>Backward-Incompatible Changes in Vaadin Framework 6.6</h3>
  
  <ul>
author	Jonatan Kronqvist <jonatan.kronqvist@itmill.com>
	Wed, 28 Sep 2011 10:42:22 +0000 (10:42 +0000)
committer	Jonatan Kronqvist <jonatan.kronqvist@itmill.com>
	Wed, 28 Sep 2011 10:42:22 +0000 (10:42 +0000)