From 00b26d46bb205049a336832b5703be5cb2572edb Mon Sep 17 00:00:00 2001 From: Henri Sara Date: Fri, 30 Sep 2011 12:18:23 +0000 Subject: Manual merge of release notes from 6.6 svn changeset:21472/svn branch:6.7 --- WebContent/release-notes.html | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'WebContent') diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index 6bf511c2da..222e8473b0 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -94,6 +94,26 @@
  • #7672 Contributory XSS: possibility for injection in certain components
  • +

    + These issue were discovered by Wouter Coekaerts (http://wouter.coekaerts.be/) and an internal review. + Immediate upgrade to a version containing the fixes (6.6.7 or later or 6.7.0 or later) is strongly recommended for all users. +

    + +

    + The most serious of these issues is the directory traversal attack that can allow read access to the class files of an application as well as some configuration information. +

    + +

    + If unable to immediately upgrade Vaadin to a version containing the fixes, the directory traversal vulnerability can be mitigated by not mapping the context path + "/VAADIN" to a Vaadin servlet in web.xml but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files. +

    + +

    + The other vulnerabilities typically require user actions (pasting text crafted by the attacker into the application or following a link crafted by the attacker) + for a successful attack, but may be exploitable more directly in certain applications. They can allow the attacker to control the user session for the application + in the browser. +

    +

    Enhancements in Vaadin @version@

    SQLContainer -- cgit v1.2.3