From: Greg Lewis
To: Alfred Perlstein
Cc: java@freebsd.org
Date: Mon, 16 May 2005 22:08:25 -0600
Subject: Re: What's up with java and security?
Message-ID: <20050517040825.GA95824@misty.eyesbeyond.com>
In-Reply-To: <20050517033420.GB62055@elvis.mu.org>
List-Id: Porting Java to FreeBSD

Hi Alfred,

On Mon, May 16, 2005 at 08:34:20PM -0700, Alfred Perlstein wrote:
> I wanted to play with java, but it looks like all the ports we
> have are busted...
>
> jdk13 native has issues:
> ===> jdk-1.3.1p9_5 has known vulnerabilities:
> => jdk/jre -- Security Vulnerability With Java Plugin.
> Reference:

As long as you don't use the plugin you're not vulnerable, so it depends
on what you want to do.

> jdk14 depends on linux-sun-jdk14 which has issues:
> ===> linux-sun-jdk-1.4.2.08_1 has known vulnerabilities:
> => jdk -- jar directory traversal vulnerability.
> Reference:

Right, but once the native jdk14 is built you can remove the Linux
version. The native jdk14 (if your ports tree is up to date, I committed
the fix last week) has the jar directory traversal problems fixed, so it's
not vulnerable.

> Is Sun planning on fixing this?

I would have thought it would have been in 1.5.0_03, but it's not, and
they haven't released a 1.4.2_09 with it in yet either. One assumes they
are planning on fixing it, but they just haven't yet. Until then, just
install the Linux version long enough to bootstrap the native port and
remove it once it's built. The build process doesn't expose you to any
vulnerabilities.

--
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org
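A defender-side check for the jar directory traversal class of bug discussed in the thread above, added here as an example and not part of the original message or of any FreeBSD port: it scans a jar (a zip archive) for entry names that would escape the directory an unpatched extractor would write into. The sample archive, its entry names and the function names are constructed for this example.

```python
import io
import zipfile


def unsafe_jar_entries(jar_bytes: bytes) -> list:
    """Return the entry names in a jar/zip that would land outside the
    extraction directory: absolute paths, drive-letter paths, or any
    '..' component that climbs above the root once normalised."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            # Absolute or drive-rooted names never belong in an archive.
            if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
                bad.append(name)
                continue
            # Walk the components and track depth; '..' at depth 0 escapes.
            depth = 0
            escaped = False
            for part in norm.split("/"):
                if part in ("", "."):
                    continue
                if part == "..":
                    depth -= 1
                    if depth < 0:
                        escaped = True
                        break
                else:
                    depth += 1
            if escaped:
                bad.append(name)
    return bad


def build_sample_jar() -> bytes:
    """Constructed sample archive: a manifest, one ordinary class entry,
    and two entries that attempt to write outside the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/../../../etc/profile", "constructed sample\n")
        zf.writestr("/tmp/absolute.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_jar_entries(build_sample_jar()):
        print("unsafe entry:", entry)
```

Run it against a real jar by reading the file's bytes into `unsafe_jar_entries`; a clean archive returns an empty list.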