From owner-freebsd-java@FreeBSD.ORG  Tue May 17 04:08:29 2005
Return-Path: <owner-freebsd-java@FreeBSD.ORG>
Delivered-To: freebsd-java@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0A56316A4CE; Tue, 17 May 2005 04:08:29 +0000 (GMT)
Received: from misty.eyesbeyond.com (glewis.dsl.xmission.com [166.70.56.15])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 1499543D78; Tue, 17 May 2005 04:08:28 +0000 (GMT)
	(envelope-from glewis@eyesbeyond.com)
Received: from misty.eyesbeyond.com (localhost.eyesbeyond.com [127.0.0.1])
	by misty.eyesbeyond.com (8.13.3/8.13.3) with ESMTP id j4H48QHx095905;
	Mon, 16 May 2005 22:08:26 -0600 (MDT)
	(envelope-from glewis@eyesbeyond.com)
Received: (from glewis@localhost)
	by misty.eyesbeyond.com (8.13.3/8.13.3/Submit) id j4H48Q09095904;
	Mon, 16 May 2005 22:08:26 -0600 (MDT)
	(envelope-from glewis@eyesbeyond.com)
X-Authentication-Warning: misty.eyesbeyond.com: glewis set sender to
	glewis@eyesbeyond.com using -f
Date: Mon, 16 May 2005 22:08:25 -0600
From: Greg Lewis <glewis@eyesbeyond.com>
To: Alfred Perlstein <alfred@freebsd.org>
Message-ID: <20050517040825.GA95824@misty.eyesbeyond.com>
References: <20050517033420.GB62055@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050517033420.GB62055@elvis.mu.org>
User-Agent: Mutt/1.4.2.1i
cc: java@freebsd.org
Subject: Re: What's up with java and security?
X-BeenThere: freebsd-java@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting Java to FreeBSD <freebsd-java.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-java>
List-Post: <mailto:freebsd-java@freebsd.org>
List-Help: <mailto:freebsd-java-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2005 04:08:29 -0000

Hi Alfred,

On Mon, May 16, 2005 at 08:34:20PM -0700, Alfred Perlstein wrote:
> I wanted to play with java, but it looks like all the ports we
> have are busted...
> 
> jdk13 native has issues:
> ===>  jdk-1.3.1p9_5 has known vulnerabilities:
> => jdk/jre -- Security Vulnerability With Java Plugin.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/ac619d06-3ef8-11d9-8741-c942c075aa41.html>

As long as you don't use the plugin you're not vulnerable, so it depends on
what you want to do.

> jdk14 depends on linux-sun-jdk14 which has issues:
> ===>  linux-sun-jdk-1.4.2.08_1 has known vulnerabilities:
> => jdk -- jar directory traversal vulnerability.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

Right, but once the native jdk14 is built you can remove the Linux version.
The native jdk14 (if your ports tree is up to date, I committed the fix
last week) has the jar directory traversal problems fixed, so its not
vulnerable.

> Is Sun planning on fixing this?

I would have thought it would have been in 1.5.0_03, but its not, and
they haven't released a 1.4.2_09 with it in yet either.  One assumes
they are planning on fixing it, but they just haven't yet.

Until then, just install the Linux version long enough to bootstrap
the native port and remove it once its built.  The build process doesn't
expose you to any vulnerabilities.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org