Bug ID: 7109885 security baseline for 7u2 or above is not set correctly

7109885 : security baseline for 7u2 or above is not set correctly

Details

Type:	Bug	Submit Date:	2011-11-09
Status:	Closed	Updated Date:	2013-01-08
Project Name:	JDK	Resolved Date:	2012-01-13
Component:	deploy	OS:	windows
Sub-Component:	deployment_toolkit	CPU:	x86
Priority:	P2
Resolution:	Fixed
Affected Versions:	7
Fixed Versions:	7u4

Related Reports

Backport:	JDK-2217134 - security baseline for 7u2 or above is not set correctly
Relates:	JDK-7110400 - Include the security baselines in the promotion emails

Sub Tasks

Description

security baseline for 7u2 or above is not set correctly

currently - the security baseline for 7u2 is set at 7u2.

it should be 7u1 instead.

Comments

EVALUATION see MR
2011-12-20
EVALUATION problem is specific only to apps requesting JRE 7u1 specifically. and for machines that has 7u1 + FX 2.0.2, there will not be ssv dialog shown either when running apps. not a showstopper for jre 7u2.
2011-11-10
EVALUATION fix for 7u2
2011-11-09
EVALUATION problem is in SecurityBaseline.java it's missing getBaselineVersion170() now. (and simply return CURRENT_VERSION - which is the bug) private static String getBaselineVersion(String requestedVersion) { if (requestedVersion.startsWith("1.3.1")) { return getBaselineVersion131(); } else if (requestedVersion.startsWith("1.4.2")) { return getBaselineVersion142(); } else if (requestedVersion.startsWith("1.5")) { return getBaselineVersion150(); } else if (requestedVersion.startsWith("1.6")) { return getBaselineVersion160(); } else { return CURRENT_VERSION; } }
2011-11-09
EVALUATION problem: in the jdk7 code, the code for getting security baseline for 7 family is missing. so it defaults to use the current running version as baseline for 7 family. so when you run an applet with 7u2, and if the applet requests 7u1, we will shown ssv dialog, even if 7u1 should be a valid security baseline. this is because 7u2 code thinks the security baseline is 7u2, and 7u1 is insecure. fix: implement security baseline for 7 family. testcase: install 7u2, install 7u1, run this jnlp applet that requests 7u1 and make sure no ssv dialog is shown. http://javaweb.us.oracle.com/~ngthomas/applet/HelloWorldDrag.html
2011-11-09
SUGGESTED FIX http://sa.us.oracle.com/projects/deployment_data/7u2/7109885.0
2011-11-09

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together