[ https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16325548#comment-16325548 ]

Markus Kilås edited comment on NETBEANS-240 at 1/14/18 12:38 PM:
-----------------------------------------------------------------

Oh, okay, yes, that could be a bigger topic.
But wouldn't that then be the same issue also for the other modules? For 
instance in the plugin portal I see that there are updates (i.e. for "IDE 
Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed 
directly without any warning. They seem to be signed by Oracle certificates.
I would assume the same process could be used to also sign the nb-javac library 
and we wouldn't have this issue, no?


was (Author: netmackan):
Oh, okay, yes, that could be a bigger topic.
But wouldn't that then be the same issue also for the other modules? For 
instance in the plugin portal I see that there are updates (i.e. for "IDE 
Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed 
directly without any warning. They seem to be signed certificates.
I would assume the same process could be used to also sign the nb-javac library 
and we wouldn't have this issue, no?

> Potential system compromise: nb-javac library unsigned
> ------------------------------------------------------
>
>                 Key: NETBEANS-240
>                 URL: https://issues.apache.org/jira/browse/NETBEANS-240
>             Project: NetBeans
>          Issue Type: Bug
>            Reporter: Markus Kilås
>            Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library. 
> However, the recommended one, nbjavac, is fetched over an insecure connection 
> (both plugin metadata and the actual binaries are fetched over HTTP from 
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned 
> plugins. However, if the user ignores the warnings anyway, the system could 
> easily be compromised. The risk of choosing the insecure alternative is also 
> larger because the user gets very mixed messages: the insecure option 
> is first "Highly recommended" and then there is a warning that it is 
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
> PK..
> ........K................META-INF/....PK..
> ...
> {noformat}
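The two weaknesses the report names, plain-HTTP delivery and a missing JAR signature, can both be triaged before an .nbm is installed. The script below is an added example written for this thread; it is not code from the bug report or from the NetBeans project. An .nbm is a ZIP archive in JAR layout, so it checks (1) that the download URL uses HTTPS, (2) that `META-INF/` carries a `.SF` signature file and a `.RSA`/`.DSA`/`.EC` signature block, and (3) that the per-entry `SHA-256-Digest` values in `META-INF/MANIFEST.MF` match the archive contents. The sample archives it builds in memory (`Info/info.xml` payload, `META-INF/TOY.SF`, `META-INF/TOY.RSA`) are constructed for the demonstration; the signature entries are placeholders, which is precisely why the presence check alone is not sufficient and the certificate chain and the signature over the `.SF` file still have to be verified with `jarsigner -verify` or the IDE's own plugin verifier.

```python
"""Triage checks for a NetBeans module (.nbm) before it is installed.

Added example for NETBEANS-240 (not NetBeans project code). Covers the
transport check and the integrity half of JAR signature verification;
certificate and signature validation is left to jarsigner / the IDE.
"""
import base64
import hashlib
import io
import zipfile
from urllib.parse import urlparse

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def url_is_transport_protected(url: str) -> bool:
    """Reject plain-HTTP update-center and binary URLs (e.g. port-80 fetches)."""
    return urlparse(url).scheme.lower() == "https"


def parse_manifest(text: str) -> dict:
    """Parse a JAR manifest into {entry_name: {attribute: value}}.

    The main section is stored under the key "".  Sections are separated by
    blank lines; a line starting with one space continues the previous value.
    """
    sections = {}
    current, name, last_key = {}, "", None
    for raw in text.splitlines():
        if raw == "":
            if current:
                sections[name] = current
            current, name, last_key = {}, None, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(": ")
        current[key] = value
        last_key = key
        if key == "Name":
            name = value
    if current:
        sections[name] = current
    return sections


def check_manifest_digests(nbm_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the archive passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["missing META-INF/MANIFEST.MF"]
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        meta = [n for n in names if n.startswith("META-INF/")]
        if not any(n.endswith(SIGNATURE_BLOCK_SUFFIXES) for n in meta):
            problems.append("unsigned: no META-INF/*.RSA, *.DSA or *.EC signature block")
        if not any(n.endswith(".SF") for n in meta):
            problems.append("unsigned: no META-INF/*.SF signature file")
        for entry, attrs in manifest.items():
            if not entry:                      # main section, no digest
                continue
            if entry not in names:
                problems.append(f"manifest lists {entry} but archive lacks it")
                continue
            expected = attrs.get("SHA-256-Digest")
            if expected is None:
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(entry)).digest()).decode()
            if actual != expected:
                problems.append(f"digest mismatch for {entry}")
    return problems


def build_sample_nbm(signed: bool, tampered: bool = False) -> bytes:
    """Constructed toy .nbm for the demo; the signature entries are placeholders."""
    payload = b"<module codenamebase='org.example.toy'/>\n"
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    manifest = "Manifest-Version: 1.0\n\nName: Info/info.xml\n" \
               f"SHA-256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/TOY.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/TOY.RSA", b"\x30\x00")   # placeholder, not PKCS#7
        # tampering after the digest was recorded makes check 3 fail
        zf.writestr("Info/info.xml", payload + (b"<!-- altered -->" if tampered else b""))
    return buf.getvalue()


if __name__ == "__main__":
    print("https ok:", url_is_transport_protected("https://netbeans.apache.org/"))
    print("http ok :", url_is_transport_protected("http://lahoda.info/netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm"))
    for label, blob in [("signed", build_sample_nbm(True)),
                        ("unsigned", build_sample_nbm(False)),
                        ("tampered", build_sample_nbm(True, tampered=True))]:
        print(f"{label:9s}", check_manifest_digests(blob) or "no problems")
```

Run it as a script to see the three outcomes; in practice the same functions apply to an .nbm saved from the update center. A module that fails either the transport or the signature-presence check should never be installed by clicking through the warning, and one that passes should still be handed to `jarsigner -verify` before the certificate is trusted.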



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
