Date: Mon, 28 Dec 2009 07:50:05 GMT
From: Brian Gardner <openjdk@getsnappy.com>
To: freebsd-java@FreeBSD.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Message-ID: <200912280750.nBS7o51T092830@freefall.freebsd.org>

The following reply was made to PR java/141919; it has been noted by GNATS.

From: Brian Gardner <openjdk@getsnappy.com>
To: Romain Dalmaso <artefact2@gmail.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Date: Sun, 27 Dec 2009 23:46:23 -0800

I believe openjdk6-b17 fixes the problem. I haven't released it yet,
although it's been tested and it's ready to ship. I'll try and get it
committed later this week. The latest version of the port and
instructions are available for test from here:
http://www.getsnappy.com/tech-blog/freebsd-tips-tricks/upgrading-freebsd-port-java-openjdk6-from-b16-to-b17/

It sounds like the openjdk community will be releasing b18 shortly
which I believe also includes some security fixes.

On Dec 23, 2009, at 5:37 AM, Romain Dalmaso wrote:

>
>> Number: 141919
>> Category: java
>> Synopsis: Serious remote vulnerability in the JRE
>> Confidential: no
>> Severity: critical
>> Priority: high
>> Responsible: freebsd-java
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: update
>> Submitter-Id: current-users
>> Arrival-Date: Wed Dec 23 13:40:06 UTC 2009
>> Closed-Date:
>> Last-Modified:
>> Originator: Romain Dalmaso
>> Release: 7.2-RELEASE
>> Organization:
>> Environment:
>> Description:
> A serious vulnerability affecting all the current Java ports allows
> any potential attacker to take control of the machine remotely if it
> uses a Java application dealing with the XML parser.
>
> The issue has been there for months, and has been fixed since Java 6
> update 15 and Java 5 update 20. So simply updating the port would
> solve the issue.
>
> This vulnerability affects, for instance, all the Freenet nodes
> running under FreeBSD :
> http://freenetproject.org/news.html#xml-vuln
>
> More details about it :
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>
> Thanks for your interest.
>> How-To-Repeat:
>
>> Fix:
>
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted: