Security vulnerability in GWT 2.4: what's this?


l.denardo

Nov 12, 2012, 8:44:17 AM
to google-we...@googlegroups.com
I read in the 2.5 release notes here: https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current

"Security vulnerability from 2.4 to 2.5 Final

The GWT team recently learned that the Security vulnerability discovered in the 2.4 Beta and Release Candidate releases was only partially fixed in the 2.4 GA release. A more complete fix was added to the 2.5 GA release. If you have an app that's been built with GWT 2.4 or one of the 2.5 RCs, then you'll need to get the latest 2.5 release, recompile your app, and redeploy."

I can't find any recent announcement of a security vulnerability or related posts in the group. Is there some information around about what this issue is?

Having some applications in production with 2.4 we want to decide whether to wait for the Eclipse update or not.

Thank you all
Lorenzo

Thomas Broyer

Nov 12, 2012, 11:45:25 AM
to google-we...@googlegroups.com


On Monday, November 12, 2012 2:44:17 PM UTC+1, l.denardo wrote:
I read in the 2.5 release notes here: https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current

"Security vulnerability from 2.4 to 2.5 Final

The GWT team recently learned that the Security vulnerability discovered in the 2.4 Beta and Release Candidate releases was only partially fixed in the 2.4 GA release. A more complete fix was added to the 2.5 GA release. If you have an app that's been built with GWT 2.4 or one of the 2.5 RCs, then you'll need to get the latest 2.5 release, recompile your app, and redeploy."

I can't find any recent announcement of a security vulnerability or related posts in the group. Is there some information around about what this issue is?

It's always delicate to disclose the details of security issues when you know that some people (including high-traffic apps) still use the vulnerable version.
However a "git log --grep security" gives http://code.google.com/p/google-web-toolkit/source/detail?r=10458, and there indeed are other changes to these 2 files between 2.4 and 2.5.
Only people with the GWT DevMode plugin installed are at risk of XSSI here. An example of what was *fixed* in 2.4: 
 

Having some applications in production with 2.4 we want to decide whether to wait for the Eclipse update or not.

What does Eclipse have to do with GWT?!

l.denardo

Nov 12, 2012, 12:24:38 PM
to google-we...@googlegroups.com
Thanks Thomas,
I meant the Eclipse Plugin (we develop and compile using Eclipse and update the GWT version with the plugin; managing updates by hand led to some trouble with out-of-date jars found in some builds).

The real problem is not the plugin availability (just updated) but the couple of days to go through compiling and deploying all apps, so we wanted to know which ones to recompile first *and* if the vulnerability depended on some features of GWT not used in our applications - so we can skip the upgrade for them.

I appreciate the caution of the team, still believe that knowing exactly what is vulnerable helps everyone schedule a faster update if it's really needed.

Thanks for your collaboration.
Regards
Lorenzo