[ 
https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Moacyr Prado reassigned NETBEANS-240:
-------------------------------------

    Assignee: Moacyr Prado

> Potential system compromise: nb-javac library unsigned
> ------------------------------------------------------
>
>                 Key: NETBEANS-240
>                 URL: https://issues.apache.org/jira/browse/NETBEANS-240
>             Project: NetBeans
>          Issue Type: Bug
>            Reporter: Markus Kilås
>            Assignee: Moacyr Prado
>            Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library. 
> However, the recommended one, nbjavac, is fetched over an insecure connection 
> (both the plugin metadata and the actual binaries are fetched over HTTP from 
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned 
> plugins. However, if the user ignores the warnings anyway, the system could 
> easily be compromised. The risk of choosing the insecure alternative is also 
> larger because the user gets very mixed messages: the insecure option 
> is first "Highly recommended" and then there is a warning that it is 
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
> PK..
> ........K................META-INF/....PK..
> ...
> {noformat}
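The two defects the report describes (cleartext HTTP transport and an unsigned .nbm) can both be flagged before a plugin is installed. The following is an added example, not code from the NetBeans project or from the reporter: it checks the download URL's scheme and inspects the archive (an .nbm is a ZIP with a META-INF/ directory, as the captured "PK.." body shows) for the signed-JAR convention of a META-INF/*.SF file paired with a .RSA/.DSA/.EC signature block. The archives it inspects are constructed in memory; the check detects only the presence of signature entries and does not validate a signature chain.

```python
import io
import zipfile
from urllib.parse import urlparse

# Signed-JAR convention: META-INF/<name>.SF plus a matching signature block.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def transport_findings(url: str) -> list[str]:
    """Flag plugin metadata or binaries fetched over anything but HTTPS."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return [f"{url}: fetched over {scheme or 'unknown'}, not HTTPS (no transport integrity)"]
    return []


def is_signed_archive(archive: bytes) -> bool:
    """True if the archive carries a META-INF/*.SF with a matching signature block.

    Presence only: real verification (e.g. jarsigner -verify) must still
    validate the signature and the signer's certificate chain.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = {n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")}
    sig_files = {n[:-3] for n in names if n.endswith(".SF")}
    blocks = {n.rsplit(".", 1)[0] for n in names if n.endswith(SIGNATURE_BLOCK_SUFFIXES)}
    return bool(sig_files & blocks)


def assess_plugin(url: str, archive: bytes) -> list[str]:
    """Combine transport and signing findings for one downloaded plugin."""
    findings = transport_findings(url)
    if not is_signed_archive(archive):
        findings.append(f"{url}: archive is unsigned (no META-INF signature entries)")
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed in-memory ZIP standing in for a downloaded .nbm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the "signed" one holds placeholder signature entries.
UNSIGNED_NBM = build_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
SIGNED_NBM = build_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                            "META-INF/PUBLISHER.SF": b"Signature-Version: 1.0\n",
                            "META-INF/PUBLISHER.RSA": b"<placeholder signature block>"})

if __name__ == "__main__":
    for finding in assess_plugin("http://lahoda.info/netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm", UNSIGNED_NBM):
        print(finding)
```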



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
