1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
|
Key:
SX - http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=X
PRX - http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=X
RHX - https://bugzilla.redhat.com/show_bug.cgi?id=X
DX - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=X
GX - http://bugs.gentoo.org/show_bug.cgi?id=X
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release 1.8.4 (2020-06-03):
* Backport of https://github.com/AdoptOpenJDK/IcedTea-Web/pull/389
* Backport of https://github.com/AdoptOpenJDK/IcedTea-Web/pull/384
* Backport of https://github.com/AdoptOpenJDK/IcedTea-Web/pull/340
* https://github.com/AdoptOpenJDK/IcedTea-Web/pull/576
* https://github.com/AdoptOpenJDK/IcedTea-Web/pull/577
New in release 1.8.3 (2019-08-02):
* Security updates
- CVE-2019-10182 - Fixed bug when relative path (..) could leak up (even out of cache)
- CVE-2019-10185 - Nested jar, if by relative path point up, is stored as hashed
- CVE-2019-10181 - All files, except signatures files, are now checked for signatures
New in release 1.8.2 (2019-07-15):
* fix(JNLPFile): location/sourceLocation confusion
* Fix hang in windows when javaws is launched outside the console
* support handling of white space in PolicyURI when on file system
* fix(ManifestAttributesChecker): jars must be relative to codebase
* Added embedded mode
* Update JNLPPolicy.java
* If streams are disabled, and console enabled, silent also client application
New in release 1.8.1 (2019-05-21):
* backport deadlock fix from #219
* handle jnlp filename with space for shortcuts (#180)
* use ico-file instead of png-file as itw-icon and use it as default icon
New in release 1.8 (2019-03-12):
* added support for javafx-desc and so allwong run of pure-javafx only applications
* --nosecurity enhanced for possibility to skip invalid signatures
* enhanced to allow resources to be read also from j2se/java element (OmegaT)
* PR3644 - java.lang.NoClassDefFoundError: Could not initialize class net.sourceforge.jnlp.runtime.JNLPRuntime$DeploymentConfigurationHolder
* deployment.config now support generic url instead just file
* Added support for windows desktop shortcuts via https://github.com/DmitriiShamrikov/mslinks
* cache can now be operated by groups, list by -Xcacheids (details via -verbose, can filter by regex), Xclearcache now can clear only selected id. There is also gui to operate cache via id in itweb-settings now.
* desktop shortcut name get shortened to title or file if title is missing.
* shared native launchers
* scripted launchers rework: Windows bat launchers rewritten to be feature complete, Linux shell launchers made portable, build enhanced to produce platform independent image
New in release 1.7 (2017-07-19):
* PR3366 - bash completion file was split to three, and is setup-able by bashcompdir environment variable
* added experimental support for windows
* added experimental support for java 9 (linux only)
* added experimental support for jnlp protocol (see https://bugs.openjdk.java.net/browse/JDK-8055464)
* restricted to JDK8 and higher
* all connection restrictions now consider also port
* Enabled Entry-Point attribute check
* permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
* fixed DownloadService
* PR2779: html-gen.sh: Don't try to call hg if .hg directory isn't present
* PR2591 - IcedTea-Web request resources twice for meta informations and causes ClientAbortException on tomcat in conjunction with JnlpDownloadServlet
* PR2690 - Can't run BOM into JNLP file
* PR2669 - remove bash-specific syntax from top level Makefile.am
* PR2489 - various NPEs when codebase is null
* PR2855 - configure.ac: Remove unnecessary checks for libX11 and zlib
* PR878 - (http-511) Handle HTTP error 511 Network Authentication Required (standard secure proxy authentification/captive portal detection)
* PR1190 - unuseable javaws cache handling
* PR3227 - can not save file with query longer then (together with name) then 255 chars
* comments in deployment.properties now should persists load/save
* fixed bug in caching of files with query
* fixed issues with recreating of existing shortcut
* trustAll/trustNone now processed correctly
* headless no longer shows dialogues
* RH1231441 Unable to read the text of the buttons of the security dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing
* Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets
* FIXED PR3263 - Cannot retrieve JavaScript Engine using ScriptEngineManager.getEngineByName
* fixed fatal impact of initialization error of FileLog
* MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
* more dialogs got remember me possibility
- MissingALACAttributePanel
- AccessWarning
- MissingPermissionsAttributePanel
- MatchingALACAttributePanel
- UnsignedAppletTrustWarningPanel
- PartiallySignedAppTrustWarningPanel
* Itw-settings
- All rememberable dialogues can have saved value modified
* NetX
- fixed issues with -html shortcuts
- fixed issue with -html receiving garbage in width and height
- main-class attribute trimmed by default
- in strict mode, main-class attribute checked for invalid characters
- added -browser switch as workaround around most uttermost http authentications cornercases
* PolicyEditor
- Entry list is sorted, entries will appear with consistent ordering
- file flag made to work when used standalone
- file flag cannot be used in combination with main argument
- defaultfile flag added
- support for SignedBy and Principals along with existing Codebase
* Plugin
- RH1273691 - Escaped equals signs in deployment.properties not un-escaped when used
- PR2746 - IcedTea-Web Plugin 1.6.1: net.sourceforge.jnlp.LaunchException
- PR2714 - IcedTea-Web plugin sends uninitialized memory garbage across a pipe when NPN_GetValueForURL call fails
- PR3198 - Error in webmin
- PR2968 - IcedTea-Web crashes on Dell EqualLogic SAN
New in release 1.6 (2015-XX-XX):
* Massively improved offline abilities. Added Xoffline switch to force work without inet connection.
* Improved to be able to run with any JDK
* JDK 6 and older no longer supported
* JDK 8 support added (URLPermission granted if applicable)
* JDK 9 supported
* Added support for Entry-Point manifest attribute
* Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to control scan of Manifest file
* starting arguments now accept also -- abbreviations
* Added new documentation
* Added support for menu shortcuts - both javaws applications/applets and html applets are supported
* added support for -html switch for javaws. Now you can run most of the applets without browser at all
* Control Panel
- PR1856: ControlPanel UI improvement for lower resolutions (800*600)
* NetX
- PR1858: Java Console accepts multi-byte encodings
- PR1859: Java Console UI improvement for lower resolutions (800*600)
- RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception java.lang.ClassCastException in method sun.applet.PluginAppletViewer$8.run()
- Dropped support for long unmaintained -basedir argument
- Returned support for -jnlp argument
- RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9
* Plugin
- PR1743 - Intermittant deadlock in PluginRequestProcessor
- PR1298 - LiveConnect - problem setting array elements (applet variables) from JS
- RH1121549: coverity defects
- Resolves method overloading correctly with superclass heirarchy distance
* PolicyEditor
- codebases can be renamed in-place, copied, and pasted
- codebase URLs can be copied to system clipboard
- displays a progress dialog while opening or saving files
- codebases without permissions assigned save to file anyway (and re-appear on next open)
- PR1776: NullPointer on save-and-exit
- PR1850: duplicate codebases when launching from security dialogs
- Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog could result in the editor
exiting without saving changes
- Keyboard accelerators and mnemonics greatly improved
- "File - New" allows editing a new policy without first selecting the file to save to
* Common
- PR1769: support signed applets which specify Sandbox permissions in their manifests
* Temporary Permissions in security dialog now multi-selectable and based on PolicyEditor permissions
New in release 1.5 (2014-XX-XX):
* IcedTea-Web now using tagsoup as default (tagsoup dependence) sanitizer for input
* JDK older then 1.5 no longer supported
* IcedTea-Web is now following XDG .config and .cache specification(RH947647)
* A console for debugging plugin and javaws
* Dialogs center on screen before becoming visible
* Support for u45 and u51 new manifest attributes (Application-Name, Codebase, Permissions, Trusted-only)
* Custom applet permission policies panel in itweb-settings control panel
* javaws -version flag
* New PolicyEditor for easily adding/removing permissions to individual applets
* Cache Viewer
- Can be closed by ESC key
- Enabling and disabling of operational buttons is handled properly
- Time consuming operations are indicated by a mouse busy cursor
- "Size" and "Last Modified" columns display localized data
* NetX
- PR1465 - java.io.FileNotFoundException while trying to download a JAR file
- Netx can now parse malformed jnlp files using tagsoup
- PR1026 - Apps fail to run because of the nanoxml parser's strict XML validation
- PR1473 - javaws should not depend on name of local file
- Redesigned About dialogue layout and contents
- Console made aware of plugin messages
- PR1856: ControlPanel UI improvement for lower resolutions (800*600)
- PR1858: Java Console accepts multi-byte encodings
- PR1859: Java Console UI improvement for lower resolutions (800*600)
* Plugin
- PR854: Resizing an applet several times causes 100% CPU load
- PR1271: icedtea-web does not handle 'javascript:'-protocol URLs
- RH976833: Multiple applets on one page cause deadlock
- Pipes moved into XDG_RUNTIME_DIR
- Added debug to file
- RH1010958: insecure temporary file use flaw in LiveConnect implementation
- Resolves method overloading correctly with superclass heirarchy distance
* Common
- PR1474: Can't get javaws to use SOCKS proxy
- Man page for itweb-settings
* Security Updates
- CVE-2012-4540, RH869040: Heap-based buffer overflow after triggering event attached to applet
New in release 1.4 (2013-XX-XX):
* Added cs localization
* Added de localization
* Added pl localization
* Splash screen for javaws and plugin
* Better error reporting for plugin via Error-splash-screen
* All IcedTea-Web dialogues are centered to middle of active screen
* Download indicator made compact for more then one jar
* User can select its own JVM via itw-settings and deploy.properties.
* Added extended applets security settings and dialogue
* Security updates
- CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
- CVE-2013-1927, RH884705: fixed gifar vulnerabilit
- CVE-2012-3422, RH840592: Potential read from an uninitialized memory location
- CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings
* NetX
- PR1027: DownloadService is not supported by IcedTea-Web
- PR725: JNLP applications will prompt for creating desktop shortcuts every time they are run
- PR1292: Javaws does not resolve versioned jar names with periods correctly
* Plugin
- PR1106: Buffer overflow in plugin table-
- PR1166: Embedded JNLP File is not supported in applet tag
- PR1217: Add command line arguments for plugins
- PR1189: Icedtea-plugin requires code attribute when using jnlp_href
- PR1198: JSObject is not passed to javascript correctly
- PR1260: IcedTea-Web should not rely on GTK
- PR1157: Applets can hang browser after fatal exception
- PR580: http://www.horaoficial.cl/ loads improperly
* Common
- PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered
- PR955: regression: SweetHome3D fails to run
- PR1145: IcedTea-Web can cause ClassCircularityError
- PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
- PR822: Applets fail to load if jars have different signers
- PR1186: System.getProperty("deployment.user.security.trusted.cacerts") is null
- PR909: The Java applet at http://de.gosupermodel.com/games/wardrobegame.jsp fails
- PR1299: WebStart doesn't read socket proxy settings from firefox correctly
New in release 1.3 (2012-XX-XX):
* NetX
- PR898: signed applications with big jnlp-file doesn't start (webstart affect like "frozen")
- PR811: javaws is not handling urls with spaces (and other characters needing encoding) correctly
* Plugin
- PR820: IcedTea-Web 1.1.3 crashing Firefox when loading Citrix XenApp
- PR863: Error passing strings to applet methods in Chromium
- PR895: IcedTea-Web searches for missing classes on each loadClass or findClass
- PR861: Allow loading from non codebase hosts. Allow code to connect to hosting server
- PR518: NPString.utf8characters not guaranteed to be nul-terminated
- PR722: META-INF/ unsigned entries should be ignored in signing
- PR855: AppletStub getDocumentBase() doesn't return full URL
- PR1011: Folders treated as jar files in archive tag
- PR588: Cookies not written from cookie jar to browser cookies
- PR920: Classes attempted to load twice when class extends from outside jar
* Common
- PR918: java applet windows uses a low resulution black/white icon
- RH838417: Disambiguate signed applet security prompt from certificate warning
- RH838559: Disambiguate signed applet security prompt from certificate warning
- RH720836: project can be compiled against GTK+ 2 or 3 librarie
New in release 1.2 (2011-XX-XX):
* Security updates:
- RH718164, CVE-2011-2513: Home directory path disclosure to untrusted applications
- RH718170, CVE-2011-2514: Java Web Start security warning dialog manipulation
- RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass
* NetX
- PR618: Can't install OpenDJ, JavaWebStart fails with Input stream is null error
- PR765: JNLP file with all resource jars marked as 'lazy' fails to validate signature and stops the launch of application
- PR788: Elluminate Live! is not working
- PR804: javaws launcher incorrectly handles file names with spaces
* Plugin
- PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow
- PR782: Support building against npapi-sdk as well
- PR838: IcedTea plugin crashes with chrome browser when javascript is executed
- PR852: Classloader not being flushed after last applet from a site is closed
- RH586194: Unable to connect to connect with Juniper VPN client
- RH718693: MindTerm SSH Applet doesn't work
Common
- PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up
- PR771: IcedTea-Web certificate verification code does not use the right API
- PR742: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted.
- PR769: IcedTea-Web does not work with some ssl sites with OpenJDK7
- PR778: Jar download and server certificate verification deadlock
- PR789: typo in jrunscript.sh
- PR794: IcedTea-Web does not work if a Web Start app jar has a Class-Path element in the manifest
- PR808: javaws is unable to start, when missing jars are enumerated before main jar
- RH734081: Javaws cannot use proxy settings from Firefox
- RH738814: Access denied at ssl handshake
- Support for authenticating using client certificates
New in release 1.1 (2011-XX-XX):
* Security updates
- S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
- RH677332, CVE-2011-0706: IcedTea multiple signers privilege escalation
* New Features
- IcedTea-Web now installs to a FHS-compliant location
- IcedTea-Web can now handle Proxy Auto Config files
- Binary launchers replaced with simple shell scripts
- Can now use codebase_lookup=false with applets.
* Common Fixes and Improvements
- PR497: Mercurial revision detection not very reliable
- PR638: JNLPClassLoader.loadClass(String name) can return null
- RH677772: NoSuchAlgorithmException using SSL/TLS in javaws
- PR724: Possible NullPointerException in JNLPClassLoader.getClassPathsFromManifest
* NetX
- Use Firefox's proxy settings if possible
- The user's default browser (determined from xdg-open or $BROWSER) is used
- RH669942: javaws fails to download version/packed files (missing support for jnlp.packEnabled and jnlp.versionEnabled)
- PR464: plugin can now load parameters from jnlp files.
- PR658: now jnlp.packEnabled works with applets.
- PR726: closing javaws -about no longer throws exceptions.
- PR727: cache now properly removes files.
* Plugin
- PR475, RH604061: Allow applets from the same page to use the same classloader
- PR612: NetDania application ends on java.security.AccessControlException: access denied (java.util.PropertyPermission browser read)
- PR664: Sound doesn't play on runescape.com.
- PR721: IcedTeaPlugin.so cannot run g_main_context_iteration on a different thread unless a different GMainContext *context is used
- PR735: Firefox 4 sometimes freezes if the applet calls showDocument()
New in release 1.0 (2010-XX-XX):
* Initial release of IcedTea-Web
* Security updates
- RH645843, CVE-2010-3860: IcedTea System property information leak via public static
- RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
* Plugin
- PR542: Plugin fails with NPE on http://www.openprocessing.org/visuals/iframe.php?visualID=2615
- PR552: Support for FreeBSD's pthread implementation
- PR554: System.err writes content two times
- PR556: Applet initialization code is prone to race conditions
- PR557: Applet opens in a separate window if tab is closed when the applet loads
- PR565: UIDefaults.getUI fails with jgoodies:looks 2.3.1
- PR593: Increment of invalidated iterator in IcedTeaPluginUtils (patch from barbara.xxx1975@libero.it)
- PR597: Entities are parsed incorrectly in PARAM tag in applet plugin
- PR619: Improper finalization by the plugin can crash the browser
- Applets are now double-buffered to eliminate flicker in ones that do heavy drawing
- RH665104: OpenJDK Firefox Java plugin loses a cookie
* NetX
- Add a new option -Xclearcache
- Interfaces javax.jnlp.IntegrationService and javax.jnlp.DownloadService2 are now available
- PR592: NetX can create invalid desktop entry files
- RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
* Control Panel
- Modifications to deployments.properties file can now be done through a GUI
|
