wj
-------- Original Message --------
From: Jonathan Moules <jonathanmoules@…3638…>
Date: 2013-1-30 20:59
To: David Winslow <dwinslow@…1501…>
Cc: Geoserver-devel geoserver-devel@lists.sourceforge.net
Subject: Re: [Geoserver-devel] Upgrading Wicket
For reference, there appear to be a number of open CVE issues with Apache Wicket < 1.4.21 (I’m guessing it’s the same thing):
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wicket
I don’t know which specific Wicket version is being used, but if it’s less than 1.4.21, then GeoServer may be vulnerable to one or more of these.
On 29 January 2013 15:17, David Winslow <dwinslow@…1501…> wrote:
Hey guys,
It’s come up a couple of times recently that we’re on a quite old version of Wicket (1.4 when the latest is 6.5, although that’s not as bad as it might sound since the Wicket project went straight from 1.5 to 6.0.)
In particular, in the recent palette patch 1, it was mentioned that we might be fixing a bug that’s already resolved upstream. (I’m not sure whether this is the case.)
Just to remind everyone of the upgrade status, I started working on this a few months ago and got all of GeoServer to compile with Wicket 1.5, but was stalled out when I ran into some test failures and couldn’t determine what the tests should be doing. (These were in the new security module, meaning that ironically GeoServer’s security code is holding us back from updating to a modern version of the web framework we use.) In the interim since I’ve looked at it, we appear to have added new dependencies on Wicket APIs that have been deprecated or removed (for example, we have a custom RequestEncodingStrategy, when the New Way is to use request mappings 2.) So currently the ‘feature-wicket-upgrade’ branch I’ve been working on does not compile (I did just merge from master, but I haven’t addressed the incompatibilities that were added in the last couple of months.)
Anyway, it would be nice to figure out a way forward. Does anyone care about this besides me? How can we avoid getting more and more entwined with old APIs? Can we set a GeoServer version to target this upgrade for?
–
David Winslow
OpenGeo - http://opengeo.org/
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel