diff --git a/ChangeLog b/ChangeLog index e36ca0521..fe37a8e67 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,9 +1,14 @@ +2019-08-02 George Adams + + Release changes + * configure.ac: (AC_INIT) bumped to 1.8.3 + 2019-06-26 Jiri Vanek All files, except signatures files, are now checked for signatures - CVE-2019-10181 * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not checked for signature. Now only signature files are skipped - * tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from + * tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from signature check 2019-06-26 Jiri Vanek @@ -17,7 +22,7 @@ 2019-06-26 Jiri Vanek Fixed bug when relative path (..) could leak up (even out of cache) - CVE-2019-10182 - * netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash + * netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash * netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux * tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing * tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: added test for .. in path. Added test diff --git a/NEWS b/NEWS index e3739c8bd..3e83a6a1d 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,12 @@ GX - http://bugs.gentoo.org/show_bug.cgi?id=X CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release 1.8.3 (2019-08-02): +* Security updates + - CVE-2019-10182 - Fixed bug when relative path (..) could leak up (even out of cache) + - CVE-2019-10185 - Nested jar, if by relative path point up, is stored as hashed + - CVE-2019-10181 - All files, except signatures files, are now checked for signatures + New in release 1.8.2 (2019-07-15): * fix(JNLPFile): location/sourceLocation confusion * Fix hang in windows when javaws is launched outside the console @@ -20,7 +26,7 @@ New in release 1.8.2 (2019-07-15): New in release 1.8.1 (2019-05-21): * backport deadlock fix from #219 * handle jnlp filename with space for shortcuts (#180) -* use ico-file instead of png-file as itw-icon and use it as default icon +* use ico-file instead of png-file as itw-icon and use it as default icon New in release 1.8 (2019-03-12): * added support for javafx-desc and so allwong run of pure-javafx only applications diff --git a/configure.ac b/configure.ac index d6f79bc9d..158ac6e3e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([icedtea-web],[1.8.2],[distro-pkg-dev@openjdk.java.net], [icedtea-web], [http://icedtea.classpath.org/wiki/IcedTea-Web]) +AC_INIT([icedtea-web],[1.8.3],[distro-pkg-dev@openjdk.java.net], [icedtea-web], [http://icedtea.classpath.org/wiki/IcedTea-Web]) AM_INIT_AUTOMAKE([1.9 tar-pax foreign]) AC_CONFIG_FILES([Makefile netx.manifest]) AM_MAINTAINER_MODE([enable])