getCodeBase broken locally in 7 update 25
Phillip Thomas
Phillip.G.Thomas at Census.GOV
Wed Jun 26 16:40:28 UTC 2013
Sandeep Konchady <sandeep.konchady at ...> writes:
>
> Hi Mickey,
> The issue you are seeing is intended behavior. This was caused because of
> a vulnerability that was fixed in 7u25 in which a getCodeBase call
> against all local applet/jnlp apps will return null.
>
>
> Thanks,
> Sandeep
>
>
> On Jun 19, 2013, at 3:18 PM, "Mickey Segal" <java3 at segal.org> wrote:
>
> The local getCodeBase problem is not present in Java 8 build 94, the most
> recent version.
>
>
> From: Mickey Segal [mailto:java3 <at> segal.org]
> Sent: Wednesday, June 19, 2013 3:56 PM
> To: Java Security (security-dev at openjdk.java.net)
> Subject: RE: getCodeBase broken locally in 7 update 25
>
>
> The same getCodeBase problem seems to be occurring on the MacOS version too.
>
> From: Mickey Segal [mailto:java3 at segal.org]
> I upgraded a Windows 7 computer to Java version 1.7.0_25 from 1.7.0_21. A
> getCodeBase call in a signed applet now returns null. In previous versions
> of Java, getCodeBase returned a URL that referred to the current directory
> (tested from Java 1.1 to 1.7.0_21 over the years).
>
> Was this done purposely for security reasons, or is it just a bug?
>
> I will also test on Macintosh and report back on macosx-port-dev if it is
> a problem there too.
>
Howdy,
Is there any more information on this change, such as what security this
actually provides?
Thanks In Advance,
Phillip Thomas