From owner-freebsd-java@FreeBSD.ORG Tue Sep 29 03:48:50 2009 Return-Path: Delivered-To: freebsd-java@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4BC3A106568B; Tue, 29 Sep 2009 03:48:50 +0000 (UTC) (envelope-from glewis@eyesbeyond.com) Received: from misty.eyesbeyond.com (gerbercreations.com [71.39.140.16]) by mx1.freebsd.org (Postfix) with ESMTP id E7C2F8FC0A; Tue, 29 Sep 2009 03:48:49 +0000 (UTC) Received: from misty.eyesbeyond.com (localhost.eyesbeyond.com [127.0.0.1]) by misty.eyesbeyond.com (8.14.3/8.14.3) with ESMTP id n8T3mctN056605; Mon, 28 Sep 2009 20:48:38 -0700 (PDT) (envelope-from glewis@eyesbeyond.com) Received: (from glewis@localhost) by misty.eyesbeyond.com (8.14.3/8.14.3/Submit) id n8T3mc9f056604; Mon, 28 Sep 2009 20:48:38 -0700 (PDT) (envelope-from glewis@eyesbeyond.com) X-Authentication-Warning: misty.eyesbeyond.com: glewis set sender to glewis@eyesbeyond.com using -f Date: Mon, 28 Sep 2009 20:48:37 -0700 From: Greg Lewis To: cpghost Message-ID: <20090929034837.GA56588@misty.eyesbeyond.com> References: <20090928101048.GA1189@phenom.cordula.ws> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090928101048.GA1189@phenom.cordula.ws> User-Agent: Mutt/1.5.20 (2009-06-14) Cc: Greg Lewis , freebsd-questions@FreeBSD.org, freebsd-java@FreeBSD.org Subject: Re: java/jdk16 vulnerability? X-BeenThere: freebsd-java@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting Java to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Sep 2009 03:48:50 -0000 On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system > complains about an old and vulnerable Java version: > > Your installed version of Java is vulnerable to a severe remote > exploit (remote code execution!). You must upgrade to at least Java > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > disabled any plugins handling XML for the time being, but this > includes searching and chat so you should upgrade ASAP! We're almost certainly vulnerable. The jdk16 port is at Update 3. > See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for > details. > > Also, please do not use Thaw or Freetalk. The UPnP plugin is > enabled, it might present a risk if you have bad guys on your LAN, > but without it Freenet will not be able to port forward and will > have severe problems. > > I'm running java/jdk16: > > phenom# java -version > java version "1.6.0_03-p4" > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) > > On 7.2-STABLE: > > phenom# uname -a > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC amd64 > > Is that version of Java really vulnerable? If yes, why doesn't > # portaudit -Fda > report it as such, and could you please update the java/jdk16 port? We need an entry in the VUXML database I guess. Updating java/jdk16 is going to be a slow process. There are lots of changes between Update 3 and Update 15. I've partially merged Update 4, but obviously that still leaves many to go... -- Greg Lewis Email : glewis@eyesbeyond.com Eyes Beyond Web : http://www.eyesbeyond.com Information Technology FreeBSD : glewis@FreeBSD.org