Incorrect Certificate Validation in Java Secure Socket Extension

From: Alex Loots (a.loots@itsec-ss.nl)
Date: Tue Jan 28 2003 - 00:04:29 PST


    According to SUN it has been reported that: "the Java Secure Socket
    Extension (JSSE) may incorrectly validate the digital certificate of a
    web site. This may result in untrustworthy web sites being
    authenticated for SSL transactions. The Java Plug-in and Java Web Start
    may incorrectly validate the digital certificates of signed JAR files.
    This may result in untrustworthy code being executed as trusted code." 
    
    From the JSSE changelog: "If an SSLContext was initialized
    (SSLContext.init()) with an instance of the X509TrustManager
    implementation, JSSE 1.0.3 incorrectly called the isClientTrusted()
    method when making server trust decisions." 
    
    The SUN bulletin:
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081&zone_32=category%3Asecurity
    
    The changelog for Java(tm) Secure Socket Extension 1.0.3_01 mentions this
    vulnerability:
    http://java.sun.com/products/jsse/CHANGES.txt
    
    
    -- 
    -Alex
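
    The following is an added illustration, not part of Alex's post and not
    Sun's code, of why the method mix-up quoted from the changelog matters.
    The legacy JSSE 1.0.x X509TrustManager returned a boolean from two
    separate methods, isClientTrusted() and isServerTrusted(), and many
    deployments implemented them asymmetrically: a client that never expects
    to be asked for its own certificate can accept anything on the client
    side while pinning its server anchors. If the library routes the server
    decision to isClientTrusted(), that permissive client policy silently
    becomes the server policy. The interface below is a locally declared
    stand-in for the old com.sun.net.ssl.X509TrustManager shape (so the code
    compiles on JDKs that no longer ship that package); the two "server
    chains" are CA certificates read from the JDK's own cacerts file (default
    password "changeit" assumed), used here only as constructed stand-ins for
    a real leaf chain; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;

public class TrustDispatchDemo {

    // Stand-in for the legacy JSSE 1.0.x com.sun.net.ssl.X509TrustManager
    // (boolean-returning isClientTrusted/isServerTrusted). Declared locally
    // so the example compiles on JDKs without the com.sun.net.ssl package.
    interface LegacyX509TrustManager {
        boolean isClientTrusted(X509Certificate[] chain);
        boolean isServerTrusted(X509Certificate[] chain);
        X509Certificate[] getAcceptedIssuers();
    }

    // Asymmetric policy typical of a client-only application: client-side
    // certificates are irrelevant (always accepted), server chains must end
    // in, or be signed by, one of the pinned anchors.
    static final class PinnedServerTrust implements LegacyX509TrustManager {
        private final Set<X509Certificate> anchors;

        PinnedServerTrust(Set<X509Certificate> anchors) { this.anchors = anchors; }

        public boolean isClientTrusted(X509Certificate[] chain) { return true; }

        public boolean isServerTrusted(X509Certificate[] chain) {
            if (chain == null || chain.length == 0) return false;
            X509Certificate top = chain[chain.length - 1];
            if (anchors.contains(top)) return true;
            for (X509Certificate anchor : anchors) {
                try {
                    top.verify(anchor.getPublicKey()); // throws if not signed by this anchor
                    return true;
                } catch (Exception e) { /* try the next anchor */ }
            }
            return false;
        }

        public X509Certificate[] getAcceptedIssuers() {
            return anchors.toArray(new X509Certificate[0]);
        }
    }

    // Correct dispatch: a server trust decision consults isServerTrusted().
    static boolean serverDecisionFixed(LegacyX509TrustManager tm, X509Certificate[] chain) {
        return tm.isServerTrusted(chain);
    }

    // The defect the changelog describes: the server decision is routed to
    // the client method, so the permissive client policy decides for servers.
    static boolean serverDecisionBuggy(LegacyX509TrustManager tm, X509Certificate[] chain) {
        return tm.isClientTrusted(chain);
    }

    // Reads the CA certificates shipped with the running JDK (constructed
    // test material only; assumes the default cacerts password "changeit").
    static List<X509Certificate> loadCaCerts() throws Exception {
        String path = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        List<X509Certificate> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) out.add((X509Certificate) c);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> cas = loadCaCerts();
        if (cas.size() < 2) throw new IllegalStateException("need at least two CA certs in cacerts");
        X509Certificate pinned = cas.get(0);
        X509Certificate other = cas.get(1);
        LegacyX509TrustManager tm = new PinnedServerTrust(Collections.singleton(pinned));

        X509Certificate[] goodChain = { pinned }; // server rooted in the pinned anchor
        X509Certificate[] badChain  = { other };  // server rooted in an unpinned CA

        System.out.println("fixed dispatch, pinned server  : " + serverDecisionFixed(tm, goodChain));
        System.out.println("fixed dispatch, unpinned server: " + serverDecisionFixed(tm, badChain));
        System.out.println("buggy dispatch, unpinned server: " + serverDecisionBuggy(tm, badChain));
    }
}
```

    Run with "javac TrustDispatchDemo.java && java TrustDispatchDemo". The
    third line prints true for a server the policy was written to reject,
    which is exactly the "untrustworthy web sites being authenticated"
    outcome Sun describes. The same class of mistake exists for the current
    javax.net.ssl.X509TrustManager (checkClientTrusted vs.
    checkServerTrusted), so a trust manager that must differ per role is
    worth a unit test that records which method the SSLContext actually
    invokes during a server handshake.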
    



    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 05:56:33 PST