/hg/release/icedtea-web-1.1: 4 new changesets
dbhole at icedtea.classpath.org
Tue Nov 8 08:02:01 PST 2011
changeset 8d2e4ca03cd5 in /hg/release/icedtea-web-1.1
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.1?cmd=changeset;node=8d2e4ca03cd5
author: Deepak Bhole <dbhole at redhat.com>
date: Fri Oct 28 14:29:21 2011 -0400
RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains
and suffix domain SOP bypass
changeset 77cbf8633a7c in /hg/release/icedtea-web-1.1
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.1?cmd=changeset;node=77cbf8633a7c
author: Deepak Bhole <dbhole at redhat.com>
date: Fri Oct 28 14:46:18 2011 -0400
Prepare to release 1.1.4
changeset e1040ab7de28 in /hg/release/icedtea-web-1.1
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.1?cmd=changeset;node=e1040ab7de28
author: Deepak Bhole <dbhole at redhat.com>
date: Tue Nov 08 10:59:16 2011 -0500
Added tag icedtea-web-1.1.4 for changeset 77cbf8633a7c
changeset 452aa7fc0e7f in /hg/release/icedtea-web-1.1
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.1?cmd=changeset;node=452aa7fc0e7f
author: Deepak Bhole <dbhole at redhat.com>
date: Fri Oct 28 17:28:53 2011 -0400
Prepare for 1.1.5
diffstat:
.hgtags | 1 +
ChangeLog | 17 +++
NEWS | 6 +-
configure.ac | 2 +-
netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 70 +-------------
5 files changed, 25 insertions(+), 71 deletions(-)
diffs (137 lines):
diff -r f968cbeaac0b -r 452aa7fc0e7f .hgtags
--- a/.hgtags Fri Oct 28 14:31:42 2011 -0400
+++ b/.hgtags Fri Oct 28 17:28:53 2011 -0400
@@ -3,3 +3,4 @@
44535ca475930d6f6a307b852ccb3f3aa97f0887 icedtea-web-1.1.1
4443143761dbd3294bfd0d9096121ca55c035d1b icedtea-web-1.1.2
3352c0b0d9bb990ec4dd89baadc2ef11bc8eed28 icedtea-web-1.1.3
+77cbf8633a7c63046eb70fbe89d594a8c7b116af icedtea-web-1.1.4
diff -r f968cbeaac0b -r 452aa7fc0e7f ChangeLog
--- a/ChangeLog Fri Oct 28 14:31:42 2011 -0400
+++ b/ChangeLog Fri Oct 28 17:28:53 2011 -0400
@@ -1,3 +1,20 @@
+2011-09-28 Deepak Bhole <dbhole at redhat.com>
+
+ * NEWS: Prepare for 1.1.5
+ * configure.ac: Same
+
+2011-10-28 Deepak Bhole <dbhole at redhat.com>
+
+ * NEWS: Prepare to release 1.1.4
+ * configure.ac: Same
+
+2011-10-28 Deepak Bhole <dbhole at redhat.com>
+ RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and
+ suffix domain SOP bypass
+ * NEWS: Updated
+ * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+ (checkPermission): Remove special case for SocketPermission.
+
2011-10-27 Deepak Bhole <dbhole at redhat.com>
PR778: Jar download and server certificate verification deadlock
diff -r f968cbeaac0b -r 452aa7fc0e7f NEWS
--- a/NEWS Fri Oct 28 14:31:42 2011 -0400
+++ b/NEWS Fri Oct 28 17:28:53 2011 -0400
@@ -8,7 +8,11 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.1.4 (2011-XX-XX):
+New in release 1.1.5 (2011-XX-XX):
+
+New in release 1.1.4 (2011-11-08):
+* Security updates:
+ - RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass
* Common
- PR778: Jar download and server certificate verification deadlock
diff -r f968cbeaac0b -r 452aa7fc0e7f configure.ac
--- a/configure.ac Fri Oct 28 14:31:42 2011 -0400
+++ b/configure.ac Fri Oct 28 17:28:53 2011 -0400
@@ -1,4 +1,4 @@
-AC_INIT([icedtea-web],[1.1.4pre],[distro-pkg-dev at openjdk.java.net], [icedtea-web], [http://icedtea.classpath.org/wiki/IcedTea-Web])
+AC_INIT([icedtea-web],[1.1.5pre],[distro-pkg-dev at openjdk.java.net], [icedtea-web], [http://icedtea.classpath.org/wiki/IcedTea-Web])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile netx.manifest])
diff -r f968cbeaac0b -r 452aa7fc0e7f netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 28 14:31:42 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 28 17:28:53 2011 -0400
@@ -281,75 +281,7 @@
// }
// }
- try {
- super.checkPermission(perm);
- } catch (SecurityException se) {
-
- //This section is a special case for dealing with SocketPermissions.
- if (JNLPRuntime.isDebug())
- System.err.println("Requesting permission: " + perm.toString());
-
- //Change this SocketPermission's action to connect and accept
- //(and resolve). This is to avoid asking for connect permission
- //on every address resolve.
- Permission tmpPerm = null;
- if (perm instanceof SocketPermission) {
- tmpPerm = new SocketPermission(perm.getName(),
- SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
-
- // before proceeding, check if we are trying to connect to same origin
- ApplicationInstance app = getApplication();
- JNLPFile file = app.getJNLPFile();
-
- String srcHost = file.getSourceLocation().getAuthority();
- String destHost = name;
-
- // host = abc.xyz.com or abc.xyz.com:<port>
- if (destHost.indexOf(':') >= 0)
- destHost = destHost.substring(0, destHost.indexOf(':'));
-
- // host = abc.xyz.com
- String[] hostComponents = destHost.split("\\.");
-
- int length = hostComponents.length;
- if (length >= 2) {
-
- // address is in xxx.xxx.xxx format
- destHost = hostComponents[length - 2] + "." + hostComponents[length - 1];
-
- // host = xyz.com i.e. origin
- boolean isDestHostName = false;
-
- // make sure that it is not an ip address
- try {
- Integer.parseInt(hostComponents[length - 1]);
- } catch (NumberFormatException e) {
- isDestHostName = true;
- }
-
- if (isDestHostName) {
- // okay, destination is hostname. Now figure out if it is a subset of origin
- if (srcHost.endsWith(destHost)) {
- addPermission(tmpPerm);
- return;
- }
- }
- }
- } else {
- tmpPerm = perm;
- }
-
- if (tmpPerm != null) {
- //askPermission will only prompt the user on SocketPermission
- //meaning we're denying all other SecurityExceptions that may arise.
- if (askPermission(tmpPerm)) {
- addPermission(tmpPerm);
- //return quietly.
- } else {
- throw se;
- }
- }
- }
+ super.checkPermission(perm);
} catch (SecurityException ex) {
if (JNLPRuntime.isDebug()) {
System.out.println("Denying permission: " + perm);
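Review bot: The added `super.checkPermission(perm);` leaves no record of why the SocketPermission special case was dropped, so a later maintainer could reintroduce a suffix-based origin match; a one-line comment would anchor the decision, e.g. `// No SocketPermission special-casing here: the former last-two-labels/endsWith origin match granted access across unrelated domains (RH742515, CVE-2011-3377).` With that branch gone, the `askPermission`/`addPermission` calls and the `SocketPermission`, `SecurityConstants`, `ApplicationInstance` and `JNLPFile` references are no longer reachable from this method, so their imports and helpers may now be unused — worth confirming outside the hunk. The commented-out stopped-application check kept at the top of the hunk is dead code and could be deleted or turned into a tracked TODO now that the method body is a single call. checkPermission begins and ends outside this hunk, and the outer catch presumably rethrows after the debug print.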