Another release notes update

svn changeset:21410/svn branch:6.6

diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html
index 967f5b0972a1cca24973b6df6649e666162892c9..224dc7b9ab475e3cf74643ded26bb2623b5e9ab6 100644 (file)
--- a/WebContent/release-notes.html
+++ b/WebContent/release-notes.html
@@ -41,6 +41,35 @@
 
 <p>Vaadin @version@ is a maintenance release for Vaadin Framework 6.6. It contains several important fixes.</p>
 
+<h3>Security fixes in Vaadin Framework 6.6.7</h3>
+
+<p>
+Vaadin 6.6.7 fixes several security issues discovered by Wouter Coekaerts (<a href="http://wouter.coekaerts.be/">http://wouter.coekaerts.be/</a>) and an internal review.
+Immediate upgrade to a version containing the fixes is strongly recommended for all users. The issues are:
+</p>
+
+<ul>
+  <li><a href="http://dev.vaadin.com/ticket/7670">#7670 Directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN() (critical)</a></li>
+  <li><a href="http://dev.vaadin.com/ticket/7669">#7669 CSRF/XSS vulnerability through separator injection (important)</a></li>
+  <li><a href="http://dev.vaadin.com/ticket/7671">#7671 Contributory XSS: Possibility to inject HTML/javascript in system error messages (important)</a></li>
+  <li><a href="http://dev.vaadin.com/ticket/7672">#7672 Contributory XSS: possibility for injection in certain components (moderate)</a></li>
+</ul>
+
+<p>
+The most serious of these issues is the directory traversal attack that can allow read access to the class files of an application as well as some configuration information. 
+</p> 
+
+<p>
+If unable to immediately upgrade Vaadin to a version containing the fixes, the directory traversal vulnerability can be mitigated by not mapping the context path
+"/VAADIN" to a Vaadin servlet in web.xml but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files. 
+</p>
+
+<p>
+The other vulnerabilities typically require user actions (pasting text crafted by the attacker into the application or following a link crafted by the attacker)
+for a successful attack, but may be exploitable more directly in certain applications. They can allow the attacker to control the user session for the application
+in the browser.
+</p>
+
 <!-- ====================================================================== -->
 <!-- For minor releases, this should be after the enhancement highlights, for maintenance releases in the beginning. -->
 <h3>Change Log, Future Releases, and Upgrading</h3>
@@ -57,14 +86,6 @@ widget sets and refresh your project in Eclipse. If you are upgrading from
 package). See <a href="#upgrading">General Upgrade Instructions</a> for more details on upgrading.</p>
 <!-- ====================================================================== -->
 
-<h3>Security fixes in Vaadin Framework 6.6.7</h3>
-<ul>
-    <li><a href="http://dev.vaadin.com/ticket/7669">#7669</a> CSRF/XSS vulnerability through separator injection</li>
-    <li><a href="http://dev.vaadin.com/ticket/7670">#7670</a> Directory traversal vulnerability</li>
-    <li><a href="http://dev.vaadin.com/ticket/7671">#7671</a> Contributory XSS: Possibility to inject HTML/JavaScript in system error messages</li>
-    <li><a href="http://dev.vaadin.com/ticket/7672">#7672</a> Contributory XSS: possibility for injection in certain components</li>
-</ul>
-
 <h3>Enhancements in Vaadin Framework 6.6</h3>
 
 <p>General enhancements:</p>