Monday, November 12, 2012

Re: Security vulnerability in GWT 2.4: what's this?



On Monday, November 12, 2012 2:44:17 PM UTC+1, l.denardo wrote:
I read in the 2.5 release notes here: https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current

"Security vulnerability from 2.4 to 2.5 Final

The GWT team recently learned that the Security vulnerability discovered in the 2.4 Beta and Release Candidate releases was only partially fixed in the 2.4 GA release. A more complete fix was added to the 2.5 GA release. If you have an app that's been built with GWT 2.4 or one of the 2.5 RCs, then you'll need to get the latest 2.5 release, recompile your app, and redeploy."

I can't find any recent announcement of a security vulnerability or related posts in the group. Is there some information around about what this issue is?

It's always delicate to disclose the details of security issues when you know that some people (including high-traffic apps) still use the vulnerable version.
However, a "git log --grep security" gives http://code.google.com/p/google-web-toolkit/source/detail?r=10458, and there indeed are other changes to these 2 files between 2.4 and 2.5.
Only people with the GWT DevMode plugin installed are at risk of XSSI here. An example of what was *fixed* in 2.4: 
 

Having some applications in production with 2.4 we want to decide whether to wait for the Eclipse update or not.

What does Eclipse have to do with GWT?!

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/HKaydOP_uE0J.