Date: Mon, 3 May 2010 15:04:01 +0200 From: Frank Bartels <freebsd@knarf.de> To: freebsd-ports@freebsd.org Subject: portaudit prevents installation of linux-sun-jdk16 Message-ID: <20100503130401.GA54358@server-king.de>
next in thread | raw e-mail | index | archive | help
--gBBFr7Ir9EOA20Yy Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline I've sent the following email to java@freebsd.org & secteam@FreeBSD.org one month ago, but I got no answer. The same problem still exists with linux-sun-jdk-1.6.0.20. Date: Mon, 29 Mar 2010 00:48:36 +0200 To: java@freebsd.org, secteam@FreeBSD.org Subject: portaudit prevents installation of linux-sun-jdk16 Hi java@freebsd.org & secteam@FreeBSD.org, I think this is both a java and a portaudit issue. I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6: http://www.java.com/en/download/faq/firefox_newplugin.xml So had a look at the versions of /usr/ports/java/*jdk16* on my FreeBSD machine. linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that meets the requirements. But if I try to make it, portaudit prevents the build: ===> linux-sun-jdk-1.6.0.18 has known vulnerabilities: => jdk -- jar directory traversal vulnerability. Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a .html> But if I have a look at the reference URL, 1.6 does not seem to be affected. I did a portaudit -F in order to make sure my database is up to date. So is this a false positive that should get fixed? There was a PR on this in 2007: http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat= The reason for this PR to get closed was it was reproducable with linux-sun-jdk-1.6.0.02. http://freebsd.monkey.org/freebsd-java/200708/msg00101.html My open questions: 1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have a bad.jar, but I'm willing to test. 2. Shouldn't http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get updated in order to make clear at least linux-sun-jdk-1.6.0.02 was vulnerable? 3. Why does portaudit think it's vulnerable even if the auditfile does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18? $ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability Thanks for listening, Knarf --gBBFr7Ir9EOA20Yy Content-Type: application/x-pkcs7-signature Content-Disposition: attachment; filename="smime.p7s" Content-Transfer-Encoding: base64 MIIR4AYJKoZIhvcNAQcCoIIR0TCCEc0CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC DxIwggfiMIIFyqADAgECAgEOMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAklMMRYwFAYD VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0 ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe Fw0wNzEwMjQyMTAyNTRaFw0xMjEwMjIyMTAyNTRaMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UE ChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUg U2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0 ZSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLKIVFnAEs+xny q6UzjCqgDcvQVe1dIoFnRsQPCFO+y92k8RK0Pn3MbQ2Gd+mehh9GBZ+36uUQA7Xj9AGM6wgP hEE34vKtfpAN5tJ8LcFxveDObCKrL7O5UT9WsnAZHv7OYPYSR68mdmnEnJ83M4wQgKO19b+R t8sPDAz9ptkQsntCn4GeJzg3q2SVc4QJTg/WHo7wF2ah5LMOeh8xJVSKGEmd6uPkSbj113yK Mm8vmNptRPmM1+YgmVwcdOYJOjCgFtb2sOP79jji8uhWR91xx7TpM1K3hv/wrBZwffrmmEpU euXHRs07JqCCvFh9coKF4UQZvfEg+x3/69xRCzb1AgMBAAGjggNbMIIDVzAMBgNVHRMEBTAD AQH/MAsGA1UdDwQEAwIBpjAdBgNVHQ4EFgQUrlWDb+wxyrn3HfqvazHzyB3jrLswgagGA1Ud IwSBoDCBnYAUTgvvGqRAW6UXaYcwyjRoQ9BBrvKhgYGkfzB9MQswCQYDVQQGEwJJTDEWMBQG A1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNh dGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHmC AQEwCQYDVR0SBAIwADA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAKGIWh0dHA6Ly93d3cu c3RhcnRzc2wuY29tL3Nmc2NhLmNydDBgBgNVHR8EWTBXMCygKqAohiZodHRwOi8vY2VydC5z dGFydGNvbS5vcmcvc2ZzY2EtY3JsLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5j b20vc2ZzY2EuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFMBgsrBgEEAYG1NwEBBDCCATswLwYI KwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUF BwIBFilodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYB BQUHAgIwgcMwJxYgU3RhcnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xp bWl0ZWQgTGlhYmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyog b2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFpbGFi bGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJYIZIAYb4QgEB BAQDAgAHMFAGCWCGSAGG+EIBDQRDFkFTdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJt ZWRpYXRlIEZyZWUgU1NMIEVtYWlsIENlcnRpZmljYXRlczANBgkqhkiG9w0BAQUFAAOCAgEA HvcQF/726YR5L5A3Ta7JV1nTu3w9yWqp00945pg7uea+1KVtR/7/yeNFAV7MPQylPE8pROEc GU+RwwDFuNn9cePfAMzOBTpy/6VE076+gYkZa4n8uWaL5A2FVo8tRmEyfoT4gRL9B5h5w8Y4 ZySCJBLyfp4jByyxHaTTIWZ8TIkxUQLSBeFnmHKYFwYwMbBA0Sgb8ONCvq9zeJcpMkkDadhJ SCfB9c9gZocbaaVHVqTlSeENRr5/Y31dapzIRQg2Pl9V/A65Cq03KQxMXBpXn8HkLO/g2FCt 7KYkJCaTe6qT2JX8thmB3nb+5RmtWQIITCP+PPNkFQCts6ujOtJx6TlDLWA+tV7QLN2Q+S98 p/SwnXito+GW0N7kXcL8QDBVsF8lCvwCz+JQrvUIcW5xEzpAVk9xSbpePxVIMzNEUQhBobkF ojhUqGt+VyU3GH/+BP2brzl4StOJ1KXuw2EzFs0ai9OMsqCUFRyhykm6MrbnsnSrqhWSnSQP YIu+zpzwWC/8sZFxoJCwvbbIu+6E+AIGa8tP+pYF+empPn/7pkIoTT4LSkkEIxGKvUvDJTh8 6VDNL8bIIQE2LHVDwcOq+mcQx416FAA9Nw1DBGyrFr6hQe5yTVXrJ4G7vJosNRGCwPnx302g onaFdwi++YyqjPyhPO6q4fRarYvWyqp5L6UwggcoMIIGEKADAgECAgIBVjANBgkqhkiG9w0B AQUFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29t IENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBMB4XDTA5MDcyODAwMDAw MVoXDTEwMDcyODIzNTk1OVowgZYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xEDAO BgNVBAcTB011bmNoZW4xLTArBgNVBAsTJFN0YXJ0Q29tIFZlcmlmaWVkIENlcnRpZmljYXRl IE1lbWJlcjEWMBQGA1UEAxMNRnJhbmsgQmFydGVsczEdMBsGCSqGSIb3DQEJARYOa25hcmZA a25hcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLWCmP9KDwAsUohjL8 tYwuvEVu3pnXZBit+oNuqBTzxC9vcR1CTZau0JZdOl/PTr94TClr0c6a1RntmRv8TFthge51 No/zY6gImSe6TDhgvBzj3YTaHDm1Kes2zZKzvKCW+sbodAGn6KreAbhb9IiJ2QuL3d7yXcbM jfMsRjfFCH/TOuRurjTPNUeEBbxMX0nJDpee9GPEbeIYBewjOyNviSfIm4Hy3OQ5GFeyEpo4 QQvi4oA2ZJpwfrzTParnRHI34CR8JDQQWqaFhd/uFOv2SKrFP6d6+BmcPy7pJSk8ItQ0ujQi Po2N4TOn9aT7Qr0kxIi7nzHTKjM7epnArtFvAgMBAAGjggOGMIIDgjAJBgNVHRMEAjAAMAsG A1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFHim Q7xUVCq3zdFNCNHFIhmhY5WJMBkGA1UdEQQSMBCBDmtuYXJmQGtuYXJmLmRlMIGoBgNVHSME gaAwgZ2AFK5Vg2/sMcq59x36r2sx88gd46y7oYGBpH8wfTELMAkGA1UEBhMCSUwxFjAUBgNV BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRl IFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEO MIIBRwYDVR0gBIIBPjCCATowggE2BgsrBgEEAYG1NwECADCCASUwLgYIKwYBBQUHAgEWImh0 dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwgbwGCCsGAQUFBwICMIGvMBQWDVN0 YXJ0Q29tIEx0ZC4wAwIBARqBlkxpbWl0ZWQgTGlhYmlsaXR5LCByZWFkIHRoZSBzZWN0aW9u ICpMZWdhbCBMaW1pdGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IFBvbGljeSBhdmFpbGFibGUgYXQgaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9s aWN5LnBkZjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9jcnR1 Mi1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1Mi1jcmwuY3Js MIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5j b20vc3ViL2NsYXNzMi9jbGllbnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly93d3cuc3RhcnRz c2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY2xpZW50LmNhLmNydDAjBgNVHRIEHDAahhhodHRw Oi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBAIVekIt/VS99FXJlHosC 30Dlv473hPN3TmCgsIUT43YW41sLUihkEaUgSl8YsRA2yR34hePf60W+zws0r/AuPTXRp/1r xwvvov7DeCRaU27QkWNfc0VZ3S8b6ZbmfHjRyPAApwLG4hPnQeIBASnc2HBGTLOWtWRkPKM9 dkV46h9j6nOMHSkLZlGqVtlqXJU1rhWXTRww3WFYwRUC7uLqFyXdKjas7OEROiNKzTd5pY3K Rz0weBXskU5fFcvw/vG6hm8FILyYR0gSQyRYQV/4GitN36R3/29crCkRZMJxhNI0h2/+L1rf czn69fq4gnPeYYJmlTe0JMcawT6jvayqbP0xggKWMIICkgIBATCBkzCBjDELMAkGA1UEBhMC SUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENl cnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJ bnRlcm1lZGlhdGUgQ2xpZW50IENBAgIBVjAJBgUrDgMCGgUAoIHYMBgGCSqGSIb3DQEJAzEL BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEwMDUwMzEzMDQwMVowIwYJKoZIhvcNAQkE MRYEFLymvpEofpCSf0UGTA0llmdHeNzfMHkGCSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEq MAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA MA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUA BIIBABuIqXgvNE6WH9kclUC4xfX2R5xeNVsYDqtHRYBNr7OjuHQ52LbEG3n0wGJVbXjfPtMv vDkdiOgeLbXg5LxebvmCASRK1yAgajxEfcTgCNjyG23t0fCE0r45ihHmb36b9PLu6uHovHDi 9WV7keCS24VcZFousgj8BLW+9uWzv2KesxTElMaM6G9ywvj3YMQp8w6CykEfQeSxh+5/oguz UArlhAGlfGYZCPe6ZkecwsUGsG1lBWUwrov91qu32Q5tha/r2fxWyHtKFDmcIlgPF9SoN2/k 2clAEfm3EmaM/ppAeWuki7E7XW7eeamZMpOO+BBfT/+0t2+xEs3oLvffdwI= --gBBFr7Ir9EOA20Yy--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100503130401.GA54358>