Vaadin 6.7.0.rc1 is available

Vaadin 6.7.0.rc1 contains critical security fixes, and an immediate upgrade is recommended.

Vaadin 6.7.0 fixes several security issues discovered by Wouter Coekaerts and an internal review. Immediate upgrade to a version containing the fixes is strongly recommended for all users. The issues are:

#7670 Directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN() (critical)

#7669 CSRF/XSS vulnerability through separator injection (important)

#7671 Contributory XSS: Possibility to inject HTML/JavaScript in system error messages (important)

#7672 Contributory XSS: possibility for injection in certain components (moderate)

If you are currently on the 6.6 branch, please update to 6.6.7, which incorporates the security fixes listed above.

Vaadin 6.7.0.rc1 is the first Release Candidate for the next minor release of the Vaadin framework.

This release contains several new features and enhancements. For a detailed change log, see the list of closed issues in Vaadin Trac. For other release information, see the Release Notes.

Get the installation package from the download site. If you are using the Vaadin Plugin for Eclipse, upgrade the Vaadin version from the project preferences. If using Maven, the repositories will replicate in a few hours.

As always, when upgrading from an earlier version, you should recompile any custom widget sets and refresh your project in Eclipse. See the General Upgrade Notes for more details on upgrading.