author | Henri Sara <hesara@vaadin.com> | 2013-04-16 10:22:52 +0300 |
---|---|---|
committer | Henri Sara <hesara@vaadin.com> | 2013-04-16 10:28:58 +0300 |
commit | c7ff7d5dda23f434eb8e056c808c63efefc0d904 (patch) | |
tree | cc14fd42e70ae37a337e875531ba2e7841d98c1e /WebContent | |
parent | a4911981752e599918ba1f23ace5883aa5e7f4c2 (diff) | |
parent | 66383876fd85d7df4ae97ad9feb325d0d6f3aa39 (diff) | |
download | vaadin-framework-c7ff7d5dda23f434eb8e056c808c63efefc0d904.tar.gz vaadin-framework-c7ff7d5dda23f434eb8e056c808c63efefc0d904.zip |
Merge release notes from '7.0.4' into 7.0
7.0.4
Change-Id: If47b657f0f941af11b02d0915e689f0568730077
Diffstat (limited to 'WebContent')
-rw-r--r-- | WebContent/release-notes.html | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index 0f49e819b0..03b3f352b9 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -38,6 +38,7 @@ <h2 id="tableofcontents">Release Notes for Vaadin Framework @version@</h2> <ul> <li><a href="#overview">Overview of Vaadin @version@ Release</a></li> + <li><a href="#security-fixes">Security fixes in Vaadin @version-minor@</a></li> <li><a href="#changelog">Complete change log for Vaadin @version@</a></li> <li><a href="#enhancements">Enhancements in Vaadin @version-minor@</a></li> <li><a href="#limitations">Limitations in @version-minor@</a></li> 
@@ -67,6 +68,35 @@ Notes for Vaadin @version-minor@.0</a>. </p> + <!-- ================================================================ --> + <h2 id="security-fixes">Security fixes in Vaadin Framework 7.0.4</h2> + + <p> + Vaadin 7.0.4 fixes a critical security issue discovered during an + internal review. All users of Vaadin portlets are strongly urged to + upgrade to Vaadin 7.0.4 or Vaadin 6.8.10 immediately. + </p> + <p> + Vaadin portlets (Portlet 2.0 - JSR-286) prior to Vaadin versions 6.8.10 + and 7.0.4 are vulnerable to an attack that allows a remote user who has + access to a portlet on the portal to read files in the portlet deployment + directory using specially crafted resource requests provided the attacker + knows the file name. + </p> + <p> + The vulnerability has been classified as critical as it potentially + allows unauthorized access to portlet object code and configuration + information. Files outside the portlet deployment directory are not + accessible using this vulnerability. Portlets that are not visible + to the remote user are not vulnerable to this attack. + Servlet deployments are not vulnerable to this attack. + </p> + <p> + All users of Vaadin portlets are strongly urged to upgrade Vaadin + in the portlets immediately. Where that is not possible, access to + affected portlets should be restricted to trusted users only. + </p> + <h3 id="changelog">ChangeLog</h3> <p> |
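Review bot: In the first hunk, the new table-of-contents entry reads "Security fixes in Vaadin @version-minor@" (a build-time placeholder), but the heading it links to via `#security-fixes` is hard-coded as "Security fixes in Vaadin Framework 7.0.4". The link text and the section heading should use the same form, either the @version@ placeholder in both or the literal version in both, so the two do not drift apart when the release-notes template is rebuilt for a later 7.0.x release.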
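Review bot: The security-fixes section in the second hunk gives no advisory identifier (CVE number or Vaadin advisory reference) and no link to further details, so readers cannot track this issue in a vulnerability database or confirm they are looking at the same fix; please add one, even if it is only a link to the Vaadin security page. Two smaller points in the same hunk: the `<h2 id="security-fixes">` heading hard-codes "7.0.4" while every other heading in this file uses @version@ or @version-minor@, and the final paragraph ("All users of Vaadin portlets are strongly urged to upgrade Vaadin in the portlets immediately.") repeats the upgrade call from the first paragraph; merging the two would keep the workaround ("access to affected portlets should be restricted to trusted users only") next to the upgrade advice without the duplication.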