author | Henri Sara <hesara@vaadin.com> | 2013-04-08 12:17:24 +0300
committer | Henri Sara <hesara@vaadin.com> | 2013-04-08 12:17:24 +0300
commit | 66383876fd85d7df4ae97ad9feb325d0d6f3aa39 (patch)
tree | 71675e4ef12e33135d598a70e4af99eb530c3106 /WebContent
parent | c0bf2608dd23051f11f2a031e08aebbfdf7b5472 (diff)
download | vaadin-framework-66383876fd85d7df4ae97ad9feb325d0d6f3aa39.tar.gz, vaadin-framework-66383876fd85d7df4ae97ad9feb325d0d6f3aa39.zip
Update release notes 7.0.4
Change-Id: Iada521e83ddd03dbfab4cba276b313daf27a1173
Diffstat (limited to 'WebContent')
-rw-r--r-- | WebContent/release-notes.html | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index 0f49e819b0..03b3f352b9 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -38,6 +38,7 @@ <h2 id="tableofcontents">Release Notes for Vaadin Framework @version@</h2> <ul> <li><a href="#overview">Overview of Vaadin @version@ Release</a></li> + <li><a href="#security-fixes">Security fixes in Vaadin @version-minor@</a></li> <li><a href="#changelog">Complete change log for Vaadin @version@</a></li> <li><a href="#enhancements">Enhancements in Vaadin @version-minor@</a></li> <li><a href="#limitations">Limitations in @version-minor@</a></li> 
@@ -67,6 +68,35 @@ Notes for Vaadin @version-minor@.0</a>. </p> + <!-- ================================================================ --> + <h2 id="security-fixes">Security fixes in Vaadin Framework 7.0.4</h2> + + <p> + Vaadin 7.0.4 fixes a critical security issue discovered during an + internal review. All users of Vaadin portlets are strongly urged to + upgrade to Vaadin 7.0.4 or Vaadin 6.8.10 immediately. + </p> + <p> + Vaadin portlets (Portlet 2.0 - JSR-286) prior to Vaadin versions 6.8.10 + and 7.0.4 are vulnerable to an attack that allows a remote user who has + access to a portlet on the portal to read files in the portlet deployment + directory using specially crafted resource requests provided the attacker + knows the file name. + </p> + <p> + The vulnerability has been classified as critical as it potentially + allows unauthorized access to portlet object code and configuration + information. Files outside the portlet deployment directory are not + accessible using this vulnerability. Portlets that are not visible + to the remote user are not vulnerable to this attack. + Servlet deployments are not vulnerable to this attack. + </p> + <p> + All users of Vaadin portlets are strongly urged to upgrade Vaadin + in the portlets immediately. Where that is not possible, access to + affected portlets should be restricted to trusted users only. + </p> + <h3 id="changelog">ChangeLog</h3> <p> |
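Review bot: In the first hunk (the table of contents), the new entry `<li><a href="#security-fixes">Security fixes in Vaadin @version-minor@</a></li>` uses the `@version-minor@` placeholder, but the heading it links to in the second hunk hardcodes "Security fixes in Vaadin Framework 7.0.4". The context line `Notes for Vaadin @version-minor@.0` shows that `@version-minor@` expands to the minor version (7.0), so the rendered TOC would read "Security fixes in Vaadin 7.0" while the section is specifically about 7.0.4. Use `@version@` in the link text (as the neighbouring entries do for the patch-level version) or the literal 7.0.4, so the TOC and the heading agree.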
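Review bot: In the second hunk, the upgrade recommendation is stated twice: the first paragraph already says "All users of Vaadin portlets are strongly urged to upgrade to Vaadin 7.0.4 or Vaadin 6.8.10 immediately", and the fourth paragraph repeats "All users of Vaadin portlets are strongly urged to upgrade Vaadin in the portlets immediately." Keep the version numbers from the first paragraph and merge the mitigation sentence ("Where that is not possible, access to affected portlets should be restricted to trusted users only.") into it, so readers see the fixed versions and the workaround together. Two smaller points: the heading `<h2 id="security-fixes">Security fixes in Vaadin Framework 7.0.4</h2>` hardcodes the version while the rest of the file uses `@version@` placeholders, and the advisory cites no tracking identifier (a Vaadin advisory id or CVE); if one exists it belongs in this section so users can match it against their own tracking.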