Markus Kilås created NETBEANS-240:
-------------------------------------
Summary: Potential system compromise: nb-javac library unsigned
Key: NETBEANS-240
URL: https://issues.apache.org/jira/browse/NETBEANS-240
Project: NetBeans
Issue Type: Bug
Reporter: Markus Kilås
Priority: Critical
During startup of NetBeans the user is prompted to choose a javac library.
However, the recommended one, nbjavac, is fetched over an insecure connection
(both the plugin metadata and the actual binaries are fetched over HTTP from
bits.netbeans.org and lahoda.info) and the binaries are unsigned.
The plugin system does the right thing and warns the user about the unsigned
plugins. However, if the user ignores the warnings anyway, the system could
easily be compromised. The risk of choosing the insecure alternative is also
larger because the user gets very mixed messages: the insecure option is
first "Highly recommended" and then there is a warning that it is "potentially
insecure".
Binary being fetched from lahoda.info on HTTP port 80:
{noformat}
GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_151
Host: lahoda.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 17626
Date: Mon, 01 Jan 2018 17:49:45 GMT
Server: lighttpd/1.4.42
PK..
........K................META-INF/....PK..
...
{noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
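An added audit helper illustrating the two weaknesses the report describes (plaintext transport plus an unsigned bundle); this is example code, not part of the issue or of NetBeans. It assumes that a .nbm is a ZIP archive signed JAR-style (META-INF/*.SF with a matching .RSA/.DSA/.EC block) and uses a constructed in-memory bundle as sample input.

```python
import io
import zipfile
from urllib.parse import urlparse

# Assumption: .nbm bundles are ZIP archives and, when signed, carry
# META-INF/<alias>.SF plus a signature block with one of these suffixes.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def transport_findings(url):
    """Flag catalog or bundle URLs that are not fetched over HTTPS."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return [f"{url}: fetched over {scheme or 'unknown'} (no transport integrity)"]
    return []


def signature_findings(nbm_bytes):
    """Report a bundle that lacks a .SF file paired with a signature block."""
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        names = set(zf.namelist())
    stems = {n[:-3] for n in names if n.startswith("META-INF/") and n.endswith(".SF")}
    paired = [s for s in stems if any(s + suf in names for suf in SIGNATURE_BLOCK_SUFFIXES)]
    if not paired:
        return ["bundle is unsigned: no META-INF/*.SF with a matching signature block"]
    return []


def audit_update_source(url, nbm_bytes):
    """Combine both checks; an empty list means transport and signing look right."""
    return transport_findings(url) + signature_findings(nbm_bytes)


def build_sample_nbm(signed):
    """Construct a minimal in-memory bundle (sample data, not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Info/info.xml", "<module/>")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")  # placeholder PKCS#7 bytes
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the reported case: plaintext HTTP and an unsigned bundle.
    url = "http://lahoda.info/netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm"
    for finding in audit_update_source(url, build_sample_nbm(signed=False)):
        print("FINDING:", finding)
```

The presence of signature entries only shows the bundle was signed at all; whether the signature verifies and chains to a trusted signer still has to be checked with a tool such as jarsigner.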