Seeking Guidance: GWT Version with Resolved XSS Vulnerabilities - Which One to Use?


flosanlop17

Dec 21, 2023, 11:52:49 AM
to GWT Users
I am currently working on some security incidents reported in an application that uses GWT 2.5.0. According to the report, this version has security vulnerabilities related to XSS. I was reading the release notes of the versions above this one; for example, 2.5.1 indicates that this vulnerability was fixed, but on investigation it seems that this is not the case: according to the attached references, this issue still persists.

I continued reading the release notes of later versions, but it's not clear if any security patches were worked on in new versions.

Reading the forum, I notice that in version 2.8.1 a vulnerability related to XSS was also identified again.

My question is, then, which version could I use that currently has these vulnerabilities fixed?

Frank Hossfeld

Dec 22, 2023, 8:15:29 AM
to GWT Users
You should never deploy your tests into production.

flosanlop17

Dec 26, 2023, 8:47:27 AM
to GWT Users
Hi Frank, I'm sorry, but I don't understand your answer. Could you explain a little better? Thank you!

Colin Alworth

Dec 28, 2023, 11:03:17 AM
to GWT Users
I think what Frank is saying is that those linked issues all relate to the GWTTestCase tooling, which is only used for unit tests, and no reasonably-configured application will be serving GWTTestCase contents to users (and it will usually only be available locally for tens of seconds, on a randomly numbered HTTP port). Regardless, this was fixed in the 2.5.1 release.

I don't understand what you mean that your attached references indicate that the issue persists - the first message notes that it was resolved in 2.5.1-rc1 - have you confirmed that there is still an issue in some way?

The gwt mailing list email (your third link) enumerates a few plausible-looking issues identified through automated tooling, and explains why these are not real issues. At the time of writing, GWT 2.8.1 was the latest release, so at least 2.8.1 will resolve all of the mentioned issues.

It has typically been the policy of the GWT Project not to backport fixes, but to maintain backwards compatibility whenever possible (even sometimes beyond what may seem reasonable, like continuing to support IE11 past its end-of-life date, etc.). For this reason, we always advise updating to the latest GWT release, to ensure the best compatibility with other tools you are using - newer Java releases, browser updates, etc.
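Colin's point is that the reported issues live in the GWTTestCase tooling, which a correctly built deployable should never contain. One way to turn that into a repeatable check is to scan the WAR you actually ship for GWT test-harness output. The script below is an added example, not code from the thread or from the GWT project; it assumes (as a property of GWT's JUnit integration, not stated on this page) that GWTTestCase compiles the module under test into a synthetic `<module>.JUnit` output directory and that the harness classes live under `com/google/gwt/junit/`. The sample WAR it inspects is constructed in memory.

```python
import io
import zipfile

# Path fragments that indicate GWT test-harness output ended up in a deployable.
# Assumption (not from the thread): GWTTestCase compiles the module under test
# into a synthetic "<module>.JUnit" module, and the harness classes live under
# com/google/gwt/junit/. Adjust these markers if your build lays things out differently.
TEST_MARKERS = (".JUnit/", "com/google/gwt/junit/")


def find_test_artifacts(war_bytes: bytes) -> list[str]:
    """Return the entries of a WAR (a zip file) that look like GWT test tooling output.

    An empty list means the artifact carries none of the GWTTestCase-related
    content that the reported XSS issues concern.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if any(marker in name for marker in TEST_MARKERS):
                hits.append(name)
    return sorted(hits)


def build_sample_war(include_test_output: bool) -> bytes:
    """Construct a minimal WAR in memory (sample data, not a real GWT build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        # Normal production content: descriptor plus a compiled GWT module.
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("hello/hello.nocache.js", "// compiled module bootstrap")
        war.writestr("hello/ABC123.cache.js", "// one compiled permutation")
        if include_test_output:
            # What a misconfigured build might leak: the synthetic test module
            # and the harness class itself (class bytes are a placeholder).
            war.writestr("com.example.Hello.JUnit/hello.nocache.js", "// test harness bootstrap")
            war.writestr(
                "WEB-INF/classes/com/google/gwt/junit/client/GWTTestCase.class",
                b"\xca\xfe\xba\xbe",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for leaked in (False, True):
        hits = find_test_artifacts(build_sample_war(leaked))
        if hits:
            print("test artifacts found:", ", ".join(hits))
        else:
            print("clean: no GWT test tooling in the WAR")
```

To use it against a real build, replace the constructed sample with the bytes of your packaged WAR (for example, the output of `mvn package`) and fail the pipeline if `find_test_artifacts` returns anything; the scan is a complement to, not a substitute for, updating to the latest GWT release as Colin advises.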

flosanlop17

Dec 28, 2023, 4:18:56 PM
to GWT Users

OK, I understand. I will follow your recommendations and validate it with the team. Thank you very much for your help.