COMMAND
	Java Secure Socket Extension Incorrect Certificate Validation
SYSTEMS AFFECTED
	Sun Java JSSE 1.0.3
PROBLEM
	Alex Loots reports :
	According to SUN it has been reported  that:  "the  Java  Secure  Socket
	Extension (JSSE) may incorrectly validate the digital certificate  of  a
	web  site.  This  may  result   in   untrustworthy   web   sites   being
	authenticated for SSL transactions. The Java Plug-in and Java Web  Start
	may incorrectly validate the digital certificates of signed  JAR  files.
	This may result in untrustworthy code being executed as trusted code."
	From  the  JSSE   changelog:   "If   an   SSLContext   was   initialized
	(SSLContext.init())   with   an   instance   of   the   X509TrustManager
	implementation, JSSE  1.0.3  incorrectly  called  the  isClientTrusted()
	method when making server trust decisions."
SOLUTION
	See the SUN bulletin:
	
	 http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50081&zone_32=category%3Asecurity
	
	The changelog Java(tm) Secure Socket Extension  1.0.3_01  mentions  this
	vulnerability :
	
	 http://java.sun.com/products/jsse/CHANGES.txt