Hi Colm,
that's fantastic news!
Having this in a few weeks would be good timing for the next JBoss EAP
release, too.

I'll be looking for updates, but thank you indeed for now.

Best Regards,
Fabio. 

________________________________________
From: Colm O hEigeartaigh <[email protected]>
Sent: Wednesday, July 1, 2026 10:55 AM
To: [email protected] <[email protected]>
Cc: Fabio Burzigotti <[email protected]>
Subject: [EXTERNAL] Re: [PR] [CXF-9227] Fix SecurityManager permission 
regressions introduced in 4… [cxf]
 
Hi,

I think we might try to get some new CXF releases out in a few weeks,
after backporting the security fixes to 3.6.x.

Colm.

On Tue, Jun 30, 2026 at 3:50 PM Freeman Fang <[email protected]> wrote:
>
> Hi Fabio,
>
> We don't have a scheduled date to release 4.1.8 for now. We normally
> release CXF every 3-4 months. Given we just released CXF 4.1.7 this month
> in June, I don't think we will release 4.1.8 very soon. Could you please
> test against the snapshot build and verify the fix is good for you?
>
> Thanks! Regards
> Freeman
>
> On Tue, Jun 30, 2026 at 10:42 AM Fabio Burzigotti <[email protected]> wrote:
>
> > Hi Freeman,
> > And thanks for this fix.
> > Do you think we can have a 4.1.8 release that we can integrate into
> > WildFly now that the issue is solved?
> >
> > Best Regards,
> > Fabio.
> >
> > ------------------------------
> > *From:* ffang (via GitHub) <[email protected]>
> > *Sent:* Friday, June 26, 2026 6:30 PM
> > *To:* [email protected] <[email protected]>
> > *Subject:* [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission
> > regressions introduced in 4… [cxf]
> >
> >
> > ffang opened a new pull request, #3256:
> > URL: https://github.com/apache/cxf/pull/3256
> >
> >    ….1.7
> >
> >    ## Summary
> >
> >    Fixes three SecurityManager permission regressions introduced in CXF 4.1.7
> >    that break deployments running under a tight SecurityManager policy (reported
> >    by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks).
> >
> >    ## Root Cause
> >
> >    **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154)
> >
> >    `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` without
> >    `doPrivileged`, forcing all callers including user deployments to hold this
> >    permission.
> >
> >    **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and
> >    `SocketPermission`** (introduced by #3157)
> >
> >    Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema
> >    resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` →
> >    `URIResolver.tryFileSystem()` — a code path never previously reached in this
> >    context under a SecurityManager. This exposed two pre-existing gaps:
> >    - `SecurityActions.fileExists()` called `sm.checkPermission()` **outside**
> >      `doPrivileged`, walking the full call stack into user deployment code.
> >    - `URIResolver.createInputStream()` called `url.openConnection()` without
> >      `doPrivileged`, requiring callers to hold `SocketPermission`.
> >
> >    ## Fix
> >
> >    | File | Change |
> >    |------|--------|
> >    | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in `doPrivileged` |
> >    | `SecurityActions.java` | Move `sm.checkPermission()` inside the `doPrivileged` block so the stack walk stops at the CXF privilege boundary (confused-deputy guard preserved) |
> >    | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` |
> >
> >
> >
> > --
> > This is an automated message from the Apache Git Service.
> > To respond to the message, please log on to GitHub and use the
> > URL above to go to the specific comment.
> >
> > To unsubscribe, e-mail: [email protected]
> >
> > For queries about this service, please contact Infrastructure at:
> > [email protected]
> >
> > Unless otherwise stated above:
> >
> > IBM Italia S.p.A.
> > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI)
> > Cap. Soc. euro 247.656.998.20
> > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153
> > Società con unico azionista
> > Società soggetta all'attività di direzione e coordinamento di
> > International Business Machines Corporation
> >

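The PR description quoted in this thread contrasts a permission check issued outside `doPrivileged`, where the access-control stack walk continues into user deployment code, with one issued inside it, where the walk stops at the library's own privileged frame. The Java class below is an added illustration of that difference written for this page; it is not CXF's `SecurityActions` and does not reproduce any code from the pull request. The class name `PrivilegedFileCheck`, the permission name `example.library.permission` and both method names are hypothetical. It assumes a JDK on which a SecurityManager can still be installed (for example JDK 17 started with `-Djava.security.manager=allow`), and it simulates an untrusted deployment on the call stack with a static `ProtectionDomain` that holds no permissions.

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Hypothetical library helper (not CXF's SecurityActions). It shows where a
// SecurityManager permission check sits relative to doPrivileged and what
// that does to the access-control stack walk.
public final class PrivilegedFileCheck {

    // Constructed permission name standing in for a library-private guard.
    private static final RuntimePermission GUARD =
            new RuntimePermission("example.library.permission");

    private PrivilegedFileCheck() {
    }

    // Check issued OUTSIDE doPrivileged: the stack walk covers every frame up
    // to the nearest privileged frame, so any caller domain on the stack (a
    // user deployment, for instance) must also hold GUARD.
    public static boolean fileExistsCheckOutside(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(GUARD);
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> new File(path).exists());
    }

    // Check issued INSIDE doPrivileged: the walk stops at this doPrivileged
    // frame, so only this class's own protection domain is tested for GUARD
    // (and for the FilePermission that File.exists() needs). The guard still
    // runs; callers no longer need the permission themselves.
    public static boolean fileExistsCheckInside(String path) {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(GUARD);
            }
            return new File(path).exists();
        });
    }

    public static void main(String[] args) {
        // Assumption: a JDK on which a SecurityManager can still be installed
        // (e.g. JDK 17 with -Djava.security.manager=allow). This policy grants
        // everything to classes loaded from the class path, so the library's
        // own domain holds GUARD.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // A static ProtectionDomain with an empty permission set stands in for
        // an untrusted deployment frame on the call stack. Static domains do
        // not consult the Policy, so it stays empty.
        AccessControlContext untrustedCaller = new AccessControlContext(
                new ProtectionDomain[] {new ProtectionDomain(null, new Permissions())});

        String path = System.getProperty("java.io.tmpdir");
        for (boolean checkInside : new boolean[] {false, true}) {
            String label = checkInside ? "check inside doPrivileged " : "check outside doPrivileged";
            try {
                // Run the library call as if the untrusted domain were on the stack.
                boolean exists = AccessController.doPrivileged(
                        (PrivilegedAction<Boolean>) () -> checkInside
                                ? fileExistsCheckInside(path)
                                : fileExistsCheckOutside(path),
                        untrustedCaller);
                System.out.println(label + ": allowed, exists=" + exists);
            } catch (AccessControlException e) {
                System.out.println(label + ": denied, missing " + e.getPermission());
            }
        }
    }
}
```

Run as `java -Djava.security.manager=allow PrivilegedFileCheck` on a JDK that still ships the SecurityManager. The first call reaches `sm.checkPermission(GUARD)` with the untrusted domain still on the walked stack and fails with an `AccessControlException` naming the guard permission, which is the shape of the `SecurityActions.fileExists()` regression described in the PR; the second call issues the same check from inside `doPrivileged`, so the walk ends at the library's own domain and the call returns normally. The same relocation applies to the `ProxySelector.getDefault()` and `url.openConnection()` cases listed in the Fix table.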