/hg/release/icedtea6-1.9: 3 new changesets
andrew at icedtea.classpath.org
Tue Nov 8 08:02:31 PST 2011
changeset f5478dd60f9e in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=f5478dd60f9e
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Nov 08 01:05:03 2011 +0000
RH742515, CVE-2011-3377: IcedTea-Web: second-level domain and suffix
domain SOP bypass
2011-10-28 Deepak Bhole <dbhole at redhat.com>
RH742515, CVE-2011-3377: IcedTea-Web: second-level domain
and suffix domain SOP bypass
* NEWS: Updated.
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
(checkPermission): Remove special case for SocketPermission.
changeset fc3dc6228784 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=fc3dc6228784
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Nov 08 01:07:53 2011 +0000
Prepare for 1.9.11 release.
2011-11-08 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Add 1.9.11 release date.
* configure.ac: Bump to 1.9.11 proper.
changeset 594021574961 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=594021574961
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Nov 08 01:08:21 2011 +0000
Added tag icedtea6-1.9.11 for changeset fc3dc6228784
diffstat:
.hgtags | 1 +
ChangeLog | 13 ++
NEWS | 5 +-
configure.ac | 2 +-
netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 68 +-------------
5 files changed, 21 insertions(+), 68 deletions(-)
diffs (148 lines):
diff -r 30ddc2f3dbe4 -r 594021574961 .hgtags
--- a/.hgtags Fri Oct 21 15:04:36 2011 +0100
+++ b/.hgtags Tue Nov 08 01:08:21 2011 +0000
@@ -30,3 +30,4 @@
25b9909a5432b811f85b121305a6ba7f01c7aace icedtea6-1.9.8
5eedbbda2c822758fd693f7b1ad9a73caca53471 icedtea6-1.9.9
7451a7b2b43e5c529c53a28361693cd51fc41a18 icedtea6-1.9.10
+fc3dc6228784993d02959aac8796f2accdedb857 icedtea6-1.9.11
diff -r 30ddc2f3dbe4 -r 594021574961 ChangeLog
--- a/ChangeLog Fri Oct 21 15:04:36 2011 +0100
+++ b/ChangeLog Tue Nov 08 01:08:21 2011 +0000
@@ -1,3 +1,16 @@
+2011-11-08 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Add 1.9.11 release date.
+ * configure.ac: Bump to 1.9.11 proper.
+
+2011-10-28 Deepak Bhole <dbhole at redhat.com>
+
+ RH742515, CVE-2011-3377: IcedTea-Web: second-level domain and
+ suffix domain SOP bypass
+ * NEWS: Updated.
+ * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+ (checkPermission): Remove special case for SocketPermission.
+
2011-10-21 Andrew John Hughes <ahughes at redhat.com>
* patches/security/20111018/7083012.patch:
diff -r 30ddc2f3dbe4 -r 594021574961 NEWS
--- a/NEWS Fri Oct 21 15:04:36 2011 +0100
+++ b/NEWS Tue Nov 08 01:08:21 2011 +0000
@@ -8,7 +8,10 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.9.11 (20XX-XX-XX):
+New in release 1.9.11 (2011-11-08):
+
+* Security fixes
+ - RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass
New in release 1.9.10 (2011-10-18):
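Review bot: the NEWS line added here describes the issue as "second-level domain subdomains and suffix domain SOP bypass", while the ChangeLog entry in this same push and the commit message say "second-level domain and suffix domain SOP bypass"; pick one wording for the advisory so that the release notes and ChangeLog agree.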
diff -r 30ddc2f3dbe4 -r 594021574961 configure.ac
--- a/configure.ac Fri Oct 21 15:04:36 2011 +0100
+++ b/configure.ac Tue Nov 08 01:08:21 2011 +0000
@@ -1,4 +1,4 @@
-AC_INIT([icedtea6],[1.9.11pre],[distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6],[1.9.11],[distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 30ddc2f3dbe4 -r 594021574961 netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 21 15:04:36 2011 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Tue Nov 08 01:08:21 2011 +0000
@@ -250,60 +250,10 @@
super.checkPermission(perm);
} catch (SecurityException se) {
- //This section is a special case for dealing with SocketPermissions.
if (JNLPRuntime.isDebug())
System.err.println("Requesting permission: " + perm.toString());
- //Change this SocketPermission's action to connect and accept
- //(and resolve). This is to avoid asking for connect permission
- //on every address resolve.
- Permission tmpPerm = null;
- if (perm instanceof SocketPermission) {
- tmpPerm = new SocketPermission(perm.getName(),
- SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
-
- // before proceeding, check if we are trying to connect to same origin
- ApplicationInstance app = getApplication();
- JNLPFile file = app.getJNLPFile();
-
- String srcHost = file.getSourceLocation().getAuthority();
- String destHost = name;
-
- // host = abc.xyz.com or abc.xyz.com:<port>
- if (destHost.indexOf(':') >= 0)
- destHost = destHost.substring(0, destHost.indexOf(':'));
-
- // host = abc.xyz.com
- String[] hostComponents = destHost.split("\\.");
-
- int length = hostComponents.length;
- if (length >= 2) {
-
- // address is in xxx.xxx.xxx format
- destHost = hostComponents[length -2] + "." + hostComponents[length -1];
-
- // host = xyz.com i.e. origin
- boolean isDestHostName = false;
-
- // make sure that it is not an ip address
- try {
- Integer.parseInt(hostComponents[length -1]);
- } catch (NumberFormatException e) {
- isDestHostName = true;
- }
-
- if (isDestHostName) {
- // okay, destination is hostname. Now figure out if it is a subset of origin
- if (srcHost.endsWith(destHost)) {
- addPermission(tmpPerm);
- return;
- }
- }
- }
-
- } else if (perm instanceof SecurityPermission) {
- tmpPerm = perm;
-
+ if (perm instanceof SecurityPermission) {
// JCE's initialization requires putProviderProperty permission
if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
if (inTrustedCallChain("com.sun.crypto.provider.SunJCE", "run")) {
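Review bot: the removed SocketPermission special case decided "same origin" by truncating the destination host to its last two labels (`hostComponents[length -2] + "." + hostComponents[length -1]`) and then testing `srcHost.endsWith(destHost)`, so any origin sharing the second-level domain, or sharing a two-label suffix, satisfied the check; on top of that, `endsWith` is not label-aware (an origin whose authority merely ends in the same characters would also pass) and `srcHost` comes from `getAuthority()`, which can still carry a port. Deleting the whole branch rather than patching the comparison is the right call, since no host-suffix heuristic replaces it and the decision now rests solely on `super.checkPermission(perm)`. With the branch gone, `SocketPermission`, `SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION`, `ApplicationInstance` and `JNLPFile` are no longer referenced in this method; check whether their imports in this file are now unused.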
@@ -312,29 +262,15 @@
}
} else if (perm instanceof RuntimePermission) {
- tmpPerm = perm;
-
// KeyGenerator's init method requires internal spec access
if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
if (inTrustedCallChain("javax.crypto.KeyGenerator", "init")) {
return;
}
}
-
- } else {
- tmpPerm = perm;
}
- if (tmpPerm != null) {
- //askPermission will only prompt the user on SocketPermission
- //meaning we're denying all other SecurityExceptions that may arise.
- if (askPermission(tmpPerm)) {
- addPermission(tmpPerm);
- //return quietly.
- } else {
- throw se;
- }
- }
+ throw se;
}
}
catch (SecurityException ex) {
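Review bot: not introduced by this change, but visible in the retained context: the `else if (perm instanceof RuntimePermission)` branch compares against `new SecurityPermission("accessClassInPackage.sun.security.internal.spec")`, and a RuntimePermission can never equal a SecurityPermission, so the `javax.crypto.KeyGenerator.init` exemption is unreachable and every such request now falls through to the new unconditional `throw se;`. That fails closed, which is safe, but either the constant should be a `RuntimePermission` or the dead branch should be removed. The replacement of the `tmpPerm`/`askPermission` tail with a plain `throw se;` is otherwise consistent with the first hunk: the only remaining grants are the two `return` statements inside the trusted-call-chain checks, and there is no longer any user prompt path.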