Hi Colm, and CC @Freeman Fang<mailto:[email protected]>, This is just for my own information as I'd have to plan with the team the right moves for the upcoming WildFly and JBoss EAP releases. We'd like to know whether you'd confirm that a release of Apache CXF 4.1.8 is planned soon, and if there's a date that we can pin in order to synchronize for the required component upgrades.
Thanks for your support, Fabio. ________________________________ From: Colm O hEigeartaigh <[email protected]> Sent: Wednesday, July 1, 2026 10:55 AM To: [email protected] <[email protected]> Cc: Fabio Burzigotti <[email protected]> Subject: [EXTERNAL] Re: [PR] [CXF-9227] Fix SecurityManager permission regressions introduced in 4… [cxf] Hi, I think we might try to get some new CXF releases out in a few weeks, after backporting the security fixes to 3.6.x. Colm. On Tue, Jun 30, 2026 at 3:50 PM Freeman Fang <[email protected]> wrote: > > Hi Fabio, > > We don't have a scheduled date to release 4.1.8 for now. We normally > release CXF every 3-4 months. Given we just released CXF 4.1.7 this month > in June, I don't think we will release 4.1.8 very soon. Could you please > test against the snapshot build and verify the fix is good for you. > > Thanks! Regards > Freeman > > On Tue, Jun 30, 2026 at 10:42 AM Fabio Burzigotti <[email protected]> wrote: > > > Hi Freeman, > > And thanks for this fix. > > Do you think we can have a 4.1.8 release that we can integrate into > > WildFly now that the issue is solved? > > > > Best Regards, > > Fabio. > > > > ------------------------------ > > *From:* ffang (via GitHub) <[email protected]> > > *Sent:* Friday, June 26, 2026 6:30 PM > > *To:* [email protected] <[email protected]> > > *Subject:* [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission > > regressions introduced in 4… [cxf] > > > > > > ffang opened a new pull request, #3256: > > URL: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_cxf_pull_3256&d=DwIDaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=6DfnpHA4c8_1RRukaC5NgaPkggwObJL3tohfoe-PGLI&m=h8ZbGPzK1UOTjEy4pwxKK-JicNP2s-z_1UMrr48Ysav9etdughRM0Lm5Xu_3_DFO&s=Ybso3ajxEZB6JYMIF7uHjOfsogpZiKju23goOBWmndQ&e= > > > > ….1.7 > > > > ## Summary > > > > Fixes three SecurityManager permission regressions introduced in CXF > > 4.1.7 > > that break deployments running under a tight SecurityManager policy > > (reported > > by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks). > > > > ## Root Cause > > > > **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154) > > > > `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` > > without > > `doPrivileged`, forcing all callers including user deployments to hold > > this > > permission. > > > > **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and > > `SocketPermission`** (introduced by #3157) > > > > Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema > > resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` → > > `URIResolver.tryFileSystem()` — a code path never previously reached in > > this > > context under a SecurityManager. This exposed two pre-existing gaps: > > - `SecurityActions.fileExists()` called `sm.checkPermission()` > > **outside** > > `doPrivileged`, walking the full call stack into user deployment code. > > - `URIResolver.createInputStream()` called `url.openConnection()` > > without > > `doPrivileged`, requiring callers to hold `SocketPermission`. > > > > ## Fix > > > > | File | Change | > > |------|--------| > > | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in > > `doPrivileged` | > > | `SecurityActions.java` | Move `sm.checkPermission()` inside the > > `doPrivileged` block so the stack walk stops at the CXF privilege boundary > > (confused-deputy guard preserved) | > > | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` | > > > > > > > > -- > > This is an automated message from the Apache Git Service. > > To respond to the message, please log on to GitHub and use the > > URL above to go to the specific comment. > > > > To unsubscribe, e-mail: [email protected] > > > > For queries about this service, please contact Infrastructure at: > > [email protected] > > > > Unless otherwise stated above: > > > > IBM Italia S.p.A. > > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) > > Cap. Soc. euro 247.656.998.20 > > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 > > Società con unico azionista > > Società soggetta all'attività di direzione e coordinamento di > > International Business Machines Corporation > > Unless otherwise stated above: IBM Italia S.p.A. Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) Cap. Soc. euro 247.656.998.20 C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 Società con unico azionista Società soggetta all'attività di direzione e coordinamento di International Business Machines Corporation
