From: "Donald Woods (JIRA)"
To: dev@geronimo.apache.org
Date: Tue, 26 Aug 2008 13:42:44 -0700 (PDT)
Subject: [jira] Updated: (GERONIMO-4266) Upgrade to DWR 2.0.5 for XSS security fix

     [ https://issues.apache.org/jira/browse/GERONIMO-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donald Woods updated GERONIMO-4266:
-----------------------------------

    Affects Version/s:     (was: 2.0.3)
                           (was: 2.0.2)
                           (was: 2.0.1)
                           (was: 2.0)
        Fix Version/s:     (was: 2.0.3)

> Upgrade to DWR 2.0.5 for XSS security fix
> -----------------------------------------
>
>                 Key: GERONIMO-4266
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4266
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: dependencies
>    Affects Versions: 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2
>            Reporter: Donald Woods
>            Assignee: Donald Woods
>             Fix For: 2.1.3, 2.2
>
>
> Need to upgrade to DWR 2.0.5 for the following fix -
> ------------------------------------------------------------------------
> r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines
> Fix for XSS issue in ExceptionHandler:
> PartialResponse.fromOrdinal() throws a NumberFormatException trying to
> parse the 'partialResponse' parameter. This exception is never caught,
> prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
> which calls out.println(cause.getMessage()), thereby causing the XSS.
> ------------------------------------------------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.