From owner-freebsd-java@FreeBSD.ORG Tue Mar 1 06:06:56 2011
Date: Mon, 28 Feb 2011 22:06:50 -0800
From: Greg Lewis <glewis@eyesbeyond.com>
To: "Zenger, Alexander"
Cc: "'freebsd-java@FreeBSD.org'"
Subject: Re: Question Update Java Security Updates
Message-ID: <20110301060650.GA5830@misty.eyesbeyond.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Porting Java to FreeBSD

On Thu, Feb 24, 2011 at 09:05:20PM +0100, Zenger, Alexander wrote:
> I was wondering how the security updates from the Oracle Java are integrated in FreeBSD Java.
> I couldn't find any information related to that on the FreeBSD Java site, and I also didn't see
> any portaudit entries, but I think there must be some.
> For example CVE-2010-4476 "Converting the decimal value '2.2250738585072012e-308' causes a DoS".
> There were several CVEs fixed with the last release, see here:
>
> http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

Unfortunately it's basically only the OpenJDK ports that are getting security
updates for most instances, and even then only when the ports themselves are
updated due to new releases, not often when the vulnerability is announced.

For the particular issue you reference I did commit a patch, but that's only
because I found one easily enough.

I'd very much welcome people submitting patches, although doing so for the
Diablo ports is problematic since each change requires the test suite to be
rerun (no small task) and for jdk16 the whole port just needs a major update
to a recent JDK6 release.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org
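The question above mentions CVE-2010-4476, where handing the decimal literal '2.2250738585072012e-308' to the JDK's double parser makes it loop forever. Since the thread makes clear that a port version number alone does not tell you whether a given installed JDK carries the fix, a direct self-check is the practical way to know. The following is an added example, not code from the mailing-list thread or from the FreeBSD Java ports: it runs Double.parseDouble on that literal in a daemon thread and treats failure to return within a timeout as "affected". The class name, the timeout value and the exit-code convention are assumptions made for this example; it uses only JDK 5/6-era APIs so it compiles on the old JDKs it is meant to test.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

// Added example (assumed class name): probe a running JVM for the
// CVE-2010-4476 parse hang instead of trusting the port version.
public class DoubleParseHangCheck {

    // The literal quoted in the thread; a fixed JVM parses it instantly.
    static final String PROBE = "2.2250738585072012e-308";

    // Assumed bound: generous enough that a slow machine cannot produce a
    // false "HANGS" verdict, short enough to be usable in a build step.
    static final long TIMEOUT_MS = 2000;

    enum Result { FIXED, HANGS }

    static Result check(final String literal, long timeoutMs) {
        // Daemon thread: on an affected JVM the parse never returns and
        // ignores interrupts, so it must not keep the process alive.
        ExecutorService ex = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parse-probe");
                t.setDaemon(true);
                return t;
            }
        });
        try {
            Future<Double> f = ex.submit(new Callable<Double>() {
                public Double call() {
                    return Double.parseDouble(literal);
                }
            });
            f.get(timeoutMs, TimeUnit.MILLISECONDS);
            return Result.FIXED;
        } catch (TimeoutException e) {
            // The parser did not come back: this JVM still has the bug.
            return Result.HANGS;
        } catch (InterruptedException e) {
            throw new IllegalStateException(e);
        } catch (ExecutionException e) {
            // parseDouble threw (e.g. NumberFormatException): not the hang,
            // but not the expected behaviour for a valid literal either.
            throw new IllegalStateException(e.getCause());
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) {
        Result r = check(PROBE, TIMEOUT_MS);
        System.out.println(System.getProperty("java.runtime.version") + ": " + r);
        // Non-zero exit so the probe can gate a build, a package test or a
        // deployment step on the JVM actually being patched.
        System.exit(r == Result.FIXED ? 0 : 1);
    }
}
```

Run it with each JDK installed on the host (for example via each port's own `java` binary) rather than once with whichever `java` is first in `PATH`, since the thread's point is that the Diablo, jdk16 and OpenJDK ports are patched on different schedules. Because the bug lives in the JDK's own number parsing, the same probe also tells you whether any server that converts untrusted numeric input on that JVM is exposed to the hang.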