


Hi Thomas,

We won't be going to a new version of Eclipse until 2025. We CAN however ask for the defect fixes to be back ported to 4.23.

My issue with THIS back port is the CVE is a high severity. While users expect the marketplace and your update site to be secure and safe, the circumvention to allow HTTP P2 updates is a bad idea. (And should only be allowed inside an Intranet.)

The fix is in place to ensure users are connecting to the site they expect. And while yes it can be hard to ensure users add the site certificate manually if required, it does ensure that a redirect to a nefarious site isn't occurring.

The fix was put in place because some valid plugins on the marketplace had injected Bitcoin mining code.

The better solution is to download the P2 site; scan it, then install it locally, like you have suggested.

Steve Ferrell
Principal Software Engineer Lead RDi
Fortra



-----Original Message-----
From: WDSCI-L <wdsci-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Thomas Raddatz
Sent: Wednesday, January 10, 2024 1:16 AM
To: wdsci-l@xxxxxxxxxxxxxxxxxx
Subject: [WDSCI-L] Problems installing iSphere, Rapid Fire, iRPGUnit and JCRCMDS in RDi 9.8



Hello All,

Unfortunately the iSphere update site is broken, so that you cannot install or update iSphere from the Eclipse Marketplace or the iSphere Update site. It also does not help to use the http://master.dl.sourceforge.net/project/ URL.

The problem is that Eclipse no longer allows switching the protocol from https to http. See here:

https://github.com/advisories/GHSA-c5fh-3q27-g4r5

Newer Eclipse versions provide the "p2.httpAction" configuration property to overrule that limitation. See here (if I understood that correctly):

https://github.com/eclipse-equinox/p2/issues/230

Unfortunately, there is no way that I know of to make Rational Developer for i 9.8 accept switching the http protocol.

For those who are interested, here is what happens (tested with Postman):

Starting point:
https://isphere.sourceforge.io/eclipse/rdi8.0/content.jar

302:
http://master.dl.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar


301:
http://downloads.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar

302:
http://altushost-swe.dl.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar

200:
Content delivered

So all I can suggest for the moment is to download the zipped update site from SourceForge and install iSphere from it.

Of course not only iSphere is affected by that problem, but also all my projects that are hosted on SourceForge:


* iSphere (Frank Hildebrandt and Thomas Raddatz)

* Rapid Fire (Frank Hildebrandt and Thomas Raddatz)

* iRPGUnit (Mihael Schmidt and Thomas Raddatz)

* JCRCMDS (Craig Rutledge and Thomas Raddatz)

Looks like it requires a new update server. Any ideas?

Regards,

Thomas.
--
This is the Rational Developer for IBM i (WDSCI-L) mailing list
To post a message email: WDSCI-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/wdsci-l
or email: WDSCI-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/wdsci-l.
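
The redirect chain recorded in the quoted message, replayed through a small checker (an added example, not part of the original thread; `audit_chain`, `recorded_fetch` and `is_safe` are hypothetical names). It flags the https-to-http hop described in the linked advisory, plus any later cleartext hops and host changes, which is what an update-site maintainer would want to rule out before publishing a new site URL.

```python
from urllib.parse import urljoin, urlsplit

# Redirect chain as recorded in the message above: request URL -> (status, Location).
RECORDED = {
    "https://isphere.sourceforge.io/eclipse/rdi8.0/content.jar":
        (302, "http://master.dl.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar"),
    "http://master.dl.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar":
        (301, "http://downloads.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar"),
    "http://downloads.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar":
        (302, "http://altushost-swe.dl.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar"),
    "http://altushost-swe.dl.sourceforge.net/project/isphere/eclipse/rdi8.0/content.jar":
        (200, None),
}

def recorded_fetch(url):
    """Offline stand-in for one HTTP request that does not follow redirects."""
    return RECORDED[url]

def audit_chain(start_url, fetch, max_hops=10):
    """Walk a redirect chain hop by hop.

    Returns (final_url, final_status, findings); each finding is
    (kind, from_url, to_url) with kind 'downgrade', 'cleartext' or 'host-change'.
    """
    findings, url, seen = [], start_url, set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status, findings
        target = urljoin(url, location)  # Location may be relative
        src, dst = urlsplit(url), urlsplit(target)
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(("downgrade", url, target))   # the hop Eclipse now rejects
        elif dst.scheme == "http":
            findings.append(("cleartext", url, target))   # already off TLS, still unprotected
        if src.hostname != dst.hostname:
            findings.append(("host-change", url, target))
        url = target
    raise ValueError("too many redirects")

def is_safe(findings):
    """Acceptable only if no hop in the chain is fetched over plain http."""
    return not any(kind in ("downgrade", "cleartext") for kind, _, _ in findings)
```

To check a candidate update server, pass a `fetch` that issues a real request with redirect following disabled and returns the status and `Location` header.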


