author | Henri Sara <henri.sara@itmill.com> | 2011-09-30 12:18:23 +0000 |
---|---|---|
committer | Henri Sara <henri.sara@itmill.com> | 2011-09-30 12:18:23 +0000 |
commit | 00b26d46bb205049a336832b5703be5cb2572edb (patch) | |
tree | 3f594768b3a5cb87c2c8fbcce3ab3ddf654987a9 /WebContent | |
parent | 1b6cd9db1b5fd42b9023d3a733ff0a38df272c8d (diff) | |
download | vaadin-framework-00b26d46bb205049a336832b5703be5cb2572edb.tar.gz vaadin-framework-00b26d46bb205049a336832b5703be5cb2572edb.zip |
Manual merge of release notes from 6.6
svn changeset:21472/svn branch:6.7
Diffstat (limited to 'WebContent')
-rw-r--r-- | WebContent/release-notes.html | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index 6bf511c2da..222e8473b0 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -94,6 +94,26 @@ <li><a href="http://dev.vaadin.com/ticket/7672">#7672</a> Contributory XSS: possibility for injection in certain components</li> </ul> + <p> + These issue were discovered by Wouter Coekaerts (<a href="http://wouter.coekaerts.be/">http://wouter.coekaerts.be/</a>) and an internal review. + Immediate upgrade to a version containing the fixes (6.6.7 or later or 6.7.0 or later) is strongly recommended for all users. + </p> + + <p> + The most serious of these issues is the directory traversal attack that can allow read access to the class files of an application as well as some configuration information. + </p> + + <p> + If unable to immediately upgrade Vaadin to a version containing the fixes, the directory traversal vulnerability can be mitigated by not mapping the context path + "/VAADIN" to a Vaadin servlet in web.xml but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files. + </p> + + <p> + The other vulnerabilities typically require user actions (pasting text crafted by the attacker into the application or following a link crafted by the attacker) + for a successful attack, but may be exploitable more directly in certain applications. They can allow the attacker to control the user session for the application + in the browser. + </p> + <h2 id="enhancements">Enhancements in Vaadin @version@</h2> <p> <b>SQLContainer</b> |
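Review bot: Grammar in the first added paragraph: "These issue were discovered" should read "These issues were discovered". Two further points on the same hunk: the second paragraph calls out "the directory traversal attack" as the most serious issue but does not name its ticket, while the preceding list item only identifies #7672 (contributory XSS), so a reader cannot tell which entry in the list above it refers to; consider citing the ticket number inline as the list items do. The mitigation paragraph says not to map "/VAADIN" to a Vaadin servlet in web.xml "but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files"; it would help operators to state explicitly that the /VAADIN path must then be served by the container's plain file/default servlet and that nothing else on that path is routed to the application servlet, otherwise the workaround is easy to apply only partially. Finally, "6.6.7 or later or 6.7.0 or later" reads awkwardly; "6.6.7 or later in the 6.6 series, or 6.7.0 or later" makes the two branches clear.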