Hi All,
Security vulnerabilities have been detected in gwt-dev.jar and
gwt-servlet.jar (in release 2.8.2) and are reported by the Dependency checker tool
<https://jeremylong.github.io/DependencyCheck/>.
Below are the details -
gwt-dev.jar -
1.1 Vulnerable version of jetty library (current version - 9.2.14, available version - 9.2.27+)
1.2 Vulnerable version of commons-collections (current version - 3.2.1)
1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version - 4.3.1)
1.4 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
1.5 Vulnerable version of htmlunit (current version - 2.19, available version - 2.37)
gwt-servlet.jar -
1.1 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
Given the above vulnerabilities -
1. Are those security issues addressed in the latest 2.9.0 release?
2. If not, is there a plan to include them in any future release, say 3.x?
3. As we know, gwt-dev.jar is used for development purposes and can be
flagged as a false positive; still, are there any attack surfaces that exist?