Fixes in NetPhantom 8 since version 7.60 Build 8336

These are the fixes made in NetPhantom 8 since version 7.60 Build 8336, in chronological order.

Version 8.00 RC

  • CVE: Fix for potential access to files outside of the Web Server root

    A fix has been implemented to block access to files outside of the Web Server document root by means of HTTP requests.

  • Code signing certificate issue

    The code signing certificate used by NetPhantom 7.x was delivered by Sectigo on the 8th of February 2023 and is valid until the 7th of May 2026.
     
    The issue is that the Sectigo root certificate "AAA Certificate Services", issued to Comodo (today DigiCert), has a weak SHA1 signature, which causes newer Java versions to fail code signing verification as follows:
     
      [Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
      unable to find valid certification path to requested target]
     
    Running, for example, the JarSigner command "jarsigner -certs -verify -verbose NetPhantomClient.jar" shows the error:
     
        Warning: This jar contains entries whose certificate chain is invalid.
        Reason: PKIX path building failed:
        sun.security.provider.certpath.SunCertPathBuilderException:
        unable to find valid certification path to requested target
     
        The signer certificate will expire on 2026-05-08.
        The timestamp will expire on 2031-11-10.
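
An added example, not part of the NetPhantom release notes or product code: a shell filter that reads the output of "keytool -printcert -jarfile NetPhantomClient.jar" and flags every certificate in the signer chain whose signature algorithm is SHA1 or MD5, to show which link in the chain is the weak one. The sample output and all certificate names in it are constructed; only the "Owner:" and "Signature algorithm name:" labels printed by keytool are relied on.

```shell
#!/bin/sh
# Added example (not NetPhantom code): list every certificate that keytool
# reports for a signed JAR and flag weak signature algorithms.

# Reads `keytool -printcert -jarfile <jar>` output on stdin.
# Prints one tab-separated line per certificate: status, algorithm, owner.
audit_chain() {
    awk '
        /^Owner: / { owner = substr($0, 8) }
        /^Signature algorithm name: / {
            alg = substr($0, 27)
            sub(/ \(weak\)$/, "", alg)   # marker some keytool versions append
            status = (toupper(alg) ~ /^(SHA-?1|MD5|MD2)/) ? "WEAK" : "ok"
            printf "%s\t%s\t%s\n", status, alg, owner
        }
    '
}

# Number of flagged certificates on stdin (0 when the chain is clean).
count_weak() {
    audit_chain | awk -F"\t" '$1 == "WEAK" { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of keytool output; all names are made up.
sample_output() {
    cat <<'EOF'
Signer #1:

Owner: CN=Example Publisher, O=Example
Issuer: CN=Example Code Signing CA, O=Example
Signature algorithm name: SHA256withRSA

Owner: CN=Example Code Signing CA, O=Example
Issuer: CN=Example Legacy Root, O=Example
Signature algorithm name: SHA384withRSA

Owner: CN=Example Legacy Root, O=Example
Issuer: CN=Example Older Root, O=Example
Signature algorithm name: SHA1withRSA (weak)
EOF
}

# With a JAR path, audit that file (needs a JDK); otherwise run the sample.
if [ "$#" -gt 0 ]; then
    keytool -printcert -jarfile "$1" | audit_chain
else
    sample_output | audit_chain
fi
```

A non-zero result from count_weak in a release pipeline is a reason to re-sign with a chain that meets current signature requirements before shipping.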

  • Code signing certificate issue resolved with new EV code signing certificate

    Mindus now has an Extended Validation (EV) code signing certificate issued by Sectigo that meets today's certificate and signature requirements, and all NetPhantom components requiring code signing use this certificate.

  • Options for project "Repack the Jar files (Pack200)" and "Remove client debug information" removed

    Since Java 14, the pack200 utility, which packs a Jar file and can optionally remove its debug information, has been removed. Debug information is now removed by compiling the code without it, rather than keeping it and stripping it during a "pack200" operation (which this utility supported). Packing had previously been done using the Java 11 JDK shipped with NetPhantom Quick Start, but that would fail if the target Java version was 17. On top of this, "pack200" modifies the contents of the Java class files in the JAR archive undergoing compression. Transformations to the class files include merging constant pools and removing duplicated attributes. The format is not lossless; a JAR file may not be identical after unpacking to how it was before packing.

  • Failed to get Java project in Eclipse

    Fix for Eclipse 2024-03 and later, which modified the API used to access the IJavaProject instance from an IProject instance that has the Java nature. This resulted in many different unexpected errors in the NetPhantom Eclipse plugins.