Hi Fabio, We don't have a scheduled date to release 4.1.8 for now. We normally release CXF every 3-4 months. Given we just released CXF 4.1.7 this month in June, I don't think we will release 4.1.8 very soon. Could you please test against the snapshot build and verify the fix is good for you.
Thanks!

Regards
Freeman

On Tue, Jun 30, 2026 at 10:42 AM Fabio Burzigotti <[email protected]> wrote:

> Hi Freeman,
> And thanks for this fix.
> Do you think we can have a 4.1.8 release that we can integrate into
> WildFly now that the issue is solved?
>
> Best Regards,
> Fabio.
>
> ------------------------------
> *From:* ffang (via GitHub) <[email protected]>
> *Sent:* Friday, June 26, 2026 6:30 PM
> *To:* [email protected] <[email protected]>
> *Subject:* [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission regressions introduced in 4… [cxf]
>
> ffang opened a new pull request, #3256:
> URL: https://github.com/apache/cxf/pull/3256
>
> ….1.7
>
> ## Summary
>
> Fixes three SecurityManager permission regressions introduced in CXF 4.1.7
> that break deployments running under a tight SecurityManager policy (reported
> by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks).
>
> ## Root Cause
>
> **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154)
>
> `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` without
> `doPrivileged`, forcing all callers including user deployments to hold this
> permission.
>
> **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and
> `SocketPermission`** (introduced by #3157)
>
> Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema
> resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` →
> `URIResolver.tryFileSystem()` — a code path never previously reached in this
> context under a SecurityManager. This exposed two pre-existing gaps:
> - `SecurityActions.fileExists()` called `sm.checkPermission()` **outside**
>   `doPrivileged`, walking the full call stack into user deployment code.
> - `URIResolver.createInputStream()` called `url.openConnection()` without
>   `doPrivileged`, requiring callers to hold `SocketPermission`.
>
> ## Fix
>
> | File | Change |
> |------|--------|
> | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in `doPrivileged` |
> | `SecurityActions.java` | Move `sm.checkPermission()` inside the `doPrivileged` block so the stack walk stops at the CXF privilege boundary (confused-deputy guard preserved) |
> | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` |
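The two `doPrivileged` shapes the PR describes, as an added illustration that is not CXF's own `SecurityActions` or `URIResolver` code: the "before" check walks the caller's whole stack into deployment code, the "after" check stops at the library's own protection domain, and the socket case shows the same wrap for `url.openConnection()`. The class and method names here are made up for the example.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/** Hypothetical helper, not CXF's SecurityActions: shows the before/after shapes from the PR. */
final class PrivilegedIoExample {
    private static final RuntimePermission CXF_PERMISSION =
        new RuntimePermission("org.apache.cxf.permission");

    /** BEFORE: checkPermission runs on the caller's full stack, so every frame, including the
     *  user deployment that called into the library, must be granted the permission. */
    static boolean fileExistsBefore(File f) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CXF_PERMISSION); // stack walk reaches deployment code -> AccessControlException
        }
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> f.exists());
    }

    /** AFTER: the check runs inside doPrivileged, so the stack walk stops at this library's
     *  protection domain. The guard is still enforced (the library itself must hold the
     *  permission), but callers no longer need it. */
    static boolean fileExistsAfter(File f) {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(CXF_PERMISSION); // checked only against the library's own grants
            }
            return f.exists();
        });
    }

    /** Same idea for url.openConnection(): the SocketPermission check stops at the library
     *  boundary instead of requiring the deployment to hold it. */
    static InputStream openStream(URL url) throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<InputStream>) () -> url.openConnection().getInputStream());
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException(); // only IOException can escape the action above
        }
    }
}
```

SecurityManager is deprecated for removal since Java 17 (JEP 411) and permanently disabled in Java 24 (JEP 486), so this pattern only matters on runtimes that still accept `-Djava.security.manager`.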
