[1.10, 1.11, 2.1 & 2.2 APPROVAL] jar uf support broken with 7143606 security fix
gnu.andrew at redhat.com
Mon Oct 15 16:28:23 PDT 2012
----- Original Message -----
> On 10/15/2012 09:36 AM, Andrew Hughes wrote:
> > Even better, they are already in 6 too:
> > http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/2366192c7fcb
> > http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/0e34d4326386
> > So we just need these changesets in 1.10 & 1.11.
> If the original jar had locked down permissions, will the 'updated'
> now have more relaxed permissions? But I suppose this is how the jar
> command has always behaved.
It's already in 2.3.
The updated jar has the permissions the original jar had. They don't
suddenly change behind the user's back.
> We don't know how much testing has been done on this, do we? Looking
> at the test case, it won't even compile: it uses PosixFilePermission
> in 1.7) and try-with-resources.
I'll look into this. The changesets are from 6 so this is Oracle's screw-up.
> PGP Key: 66484681 (http://pgp.mit.edu/)
> Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07