From owner-freebsd-java@FreeBSD.ORG Mon Dec 28 07:50:05 2009
Date: Mon, 28 Dec 2009 07:50:05 GMT
Message-Id: <200912280750.nBS7o51T092830@freefall.freebsd.org>
To: freebsd-java@FreeBSD.org
From: Brian Gardner
Subject: Re: java/141919: Serious remote vulnerability in the JRE
List-Id: Porting Java to FreeBSD

The following reply was made to PR java/141919; it has been noted by GNATS.

From: Brian Gardner
To: Romain Dalmaso
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Date: Sun, 27 Dec 2009 23:46:23 -0800

I believe openjdk6-b17 fixes the problem. I haven't released it yet,
although it's been tested and it's ready to ship. I'll try and get it
committed later this week.

The latest version of the port and instructions are available for test
from here:

http://www.getsnappy.com/tech-blog/freebsd-tips-tricks/upgrading-freebsd-port-java-openjdk6-from-b16-to-b17/

It sounds like the openjdk community will be releasing b18 shortly,
which I believe also includes some security fixes.

On Dec 23, 2009, at 5:37 AM, Romain Dalmaso wrote:

>
>> Number:         141919
>> Category:       java
>> Synopsis:       Serious remote vulnerability in the JRE
>> Confidential:   no
>> Severity:       critical
>> Priority:       high
>> Responsible:    freebsd-java
>> State:          open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class:          update
>> Submitter-Id:   current-users
>> Arrival-Date:   Wed Dec 23 13:40:06 UTC 2009
>> Closed-Date:
>> Last-Modified:
>> Originator:     Romain Dalmaso
>> Release:        7.2-RELEASE
>> Organization:
>> Environment:
>> Description:
> A serious vulnerability affecting all the current Java ports allows
> any potential attacker to take control of the machine remotely if it
> uses a Java application dealing with the XML parser.
>
> The issue has been there for months, and has been fixed since Java 6
> update 15 and Java 5 update 20. So simply updating the port would
> solve the issue.
>
> This vulnerability affects, for instance, all the Freenet nodes
> running under FreeBSD:
> http://freenetproject.org/news.html#xml-vuln
>
> More details about it:
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>
> Thanks for your interest.
>> How-To-Repeat:
>
>> Fix:
>
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted: