From owner-freebsd-ports@FreeBSD.ORG Mon May 3 13:20:52 2010 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6F3BD1065670 for ; Mon, 3 May 2010 13:20:52 +0000 (UTC) (envelope-from freebsd@knarf.de) Received: from mail.server-king.de (mail.server-king.de [188.40.65.110]) by mx1.freebsd.org (Postfix) with ESMTP id B9C688FC14 for ; Mon, 3 May 2010 13:20:51 +0000 (UTC) Received: from cheese.server-king.de (localhost [127.0.0.1]) by mail.server-king.de (8.14.4/8.14.4) with ESMTP id o43D41kL058191 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 3 May 2010 15:04:01 +0200 (CEST) (envelope-from freebsd@knarf.de) DomainKey-Signature: a=rsa-sha1; s=mail.server-king.de; d=knarf.de; c=nofws; q=dns; h=dkim-signature:received: x-authentication-warning:date:from:to:subject:message-id:mime-version:content-type: content-disposition:user-agent:x-greylist; b=xT8RIU/+IRgbigeWrQtguWp6yt7dp6gbPs2R+oOjKK3xe5FsneTi9ukh/FjQ+Q40/ itturKAmDIYg5FkVGhTy1wDakn6ugmZGOKnka3lS6D2Cz2wlaWyh1NR3QE7TgIdmGki hfqD0vKfsuLO/fWM2FbMvWPJqvI8kqzuL0vbuu8= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=knarf.de; s=mail.server-king.de; t=1272891841; bh=R4SuGKIq05/1tOZIG25UMaFZH1GmXCLQeuj2SJ/jRKk=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; b=DaWD6U+esl5AaHJKjMGyerlAUbrUOm6X+C0XYjqX1V8HU5xczyh9+YMObXpFGtBpP wKcZe4q96W/mMt8m03JTgS2VvjPAmukzee+7iR/i3X9JLCmkFUZhHLCPZilzLLrtXJ KfBiPGKGUXzh8rdjUabPeUSHXsgP2YK3sjcaD9Sg= Received: (from knarf@localhost) by cheese.server-king.de (8.14.4/8.14.4/Submit) id o43D41pN058190 for freebsd-ports@freebsd.org; Mon, 3 May 2010 15:04:01 +0200 (CEST) (envelope-from freebsd@knarf.de) X-Authentication-Warning: cheese.server-king.de: knarf set sender to freebsd@knarf.de using -f Date: Mon, 3 May 2010 15:04:01 +0200 From: Frank Bartels To: freebsd-ports@freebsd.org Message-ID: <20100503130401.GA54358@server-king.de> MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="gBBFr7Ir9EOA20Yy" Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (mail.server-king.de [127.0.0.1]); Mon, 03 May 2010 15:04:01 +0200 (CEST) Subject: portaudit prevents installation of linux-sun-jdk16 X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 May 2010 13:20:52 -0000 --gBBFr7Ir9EOA20Yy Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline I've sent the following email to java@freebsd.org & secteam@FreeBSD.org one month ago, but I got no answer. The same problem still exists with linux-sun-jdk-1.6.0.20. Date: Mon, 29 Mar 2010 00:48:36 +0200 To: java@freebsd.org, secteam@FreeBSD.org Subject: portaudit prevents installation of linux-sun-jdk16 Hi java@freebsd.org & secteam@FreeBSD.org, I think this is both a java and a portaudit issue. I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6: http://www.java.com/en/download/faq/firefox_newplugin.xml So had a look at the versions of /usr/ports/java/*jdk16* on my FreeBSD machine. linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that meets the requirements. But if I try to make it, portaudit prevents the build: ===> linux-sun-jdk-1.6.0.18 has known vulnerabilities: => jdk -- jar directory traversal vulnerability. Reference: But if I have a look at the reference URL, 1.6 does not seem to be affected. I did a portaudit -F in order to make sure my database is up to date. So is this a false positive that should get fixed? There was a PR on this in 2007: http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat= The reason for this PR to get closed was it was reproducable with linux-sun-jdk-1.6.0.02. http://freebsd.monkey.org/freebsd-java/200708/msg00101.html My open questions: 1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have a bad.jar, but I'm willing to test. 2. Shouldn't http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get updated in order to make clear at least linux-sun-jdk-1.6.0.02 was vulnerable? 3. Why does portaudit think it's vulnerable even if the auditfile does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18? $ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability Thanks for listening, Knarf --gBBFr7Ir9EOA20Yy Content-Type: application/x-pkcs7-signature Content-Disposition: attachment; filename="smime.p7s" Content-Transfer-Encoding: base64 MIIR4AYJKoZIhvcNAQcCoIIR0TCCEc0CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC DxIwggfiMIIFyqADAgECAgEOMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAklMMRYwFAYD VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0 ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe Fw0wNzEwMjQyMTAyNTRaFw0xMjEwMjIyMTAyNTRaMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UE ChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUg U2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0 ZSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLKIVFnAEs+xny q6UzjCqgDcvQVe1dIoFnRsQPCFO+y92k8RK0Pn3MbQ2Gd+mehh9GBZ+36uUQA7Xj9AGM6wgP hEE34vKtfpAN5tJ8LcFxveDObCKrL7O5UT9WsnAZHv7OYPYSR68mdmnEnJ83M4wQgKO19b+R t8sPDAz9ptkQsntCn4GeJzg3q2SVc4QJTg/WHo7wF2ah5LMOeh8xJVSKGEmd6uPkSbj113yK Mm8vmNptRPmM1+YgmVwcdOYJOjCgFtb2sOP79jji8uhWR91xx7TpM1K3hv/wrBZwffrmmEpU euXHRs07JqCCvFh9coKF4UQZvfEg+x3/69xRCzb1AgMBAAGjggNbMIIDVzAMBgNVHRMEBTAD AQH/MAsGA1UdDwQEAwIBpjAdBgNVHQ4EFgQUrlWDb+wxyrn3HfqvazHzyB3jrLswgagGA1Ud IwSBoDCBnYAUTgvvGqRAW6UXaYcwyjRoQ9BBrvKhgYGkfzB9MQswCQYDVQQGEwJJTDEWMBQG A1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNh dGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHmC AQEwCQYDVR0SBAIwADA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAKGIWh0dHA6Ly93d3cu c3RhcnRzc2wuY29tL3Nmc2NhLmNydDBgBgNVHR8EWTBXMCygKqAohiZodHRwOi8vY2VydC5z dGFydGNvbS5vcmcvc2ZzY2EtY3JsLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5j b20vc2ZzY2EuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFMBgsrBgEEAYG1NwEBBDCCATswLwYI KwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUF BwIBFilodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYB BQUHAgIwgcMwJxYgU3RhcnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xp bWl0ZWQgTGlhYmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyog b2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFpbGFi bGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJYIZIAYb4QgEB BAQDAgAHMFAGCWCGSAGG+EIBDQRDFkFTdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJt ZWRpYXRlIEZyZWUgU1NMIEVtYWlsIENlcnRpZmljYXRlczANBgkqhkiG9w0BAQUFAAOCAgEA HvcQF/726YR5L5A3Ta7JV1nTu3w9yWqp00945pg7uea+1KVtR/7/yeNFAV7MPQylPE8pROEc GU+RwwDFuNn9cePfAMzOBTpy/6VE076+gYkZa4n8uWaL5A2FVo8tRmEyfoT4gRL9B5h5w8Y4 ZySCJBLyfp4jByyxHaTTIWZ8TIkxUQLSBeFnmHKYFwYwMbBA0Sgb8ONCvq9zeJcpMkkDadhJ SCfB9c9gZocbaaVHVqTlSeENRr5/Y31dapzIRQg2Pl9V/A65Cq03KQxMXBpXn8HkLO/g2FCt 7KYkJCaTe6qT2JX8thmB3nb+5RmtWQIITCP+PPNkFQCts6ujOtJx6TlDLWA+tV7QLN2Q+S98 p/SwnXito+GW0N7kXcL8QDBVsF8lCvwCz+JQrvUIcW5xEzpAVk9xSbpePxVIMzNEUQhBobkF ojhUqGt+VyU3GH/+BP2brzl4StOJ1KXuw2EzFs0ai9OMsqCUFRyhykm6MrbnsnSrqhWSnSQP YIu+zpzwWC/8sZFxoJCwvbbIu+6E+AIGa8tP+pYF+empPn/7pkIoTT4LSkkEIxGKvUvDJTh8 6VDNL8bIIQE2LHVDwcOq+mcQx416FAA9Nw1DBGyrFr6hQe5yTVXrJ4G7vJosNRGCwPnx302g onaFdwi++YyqjPyhPO6q4fRarYvWyqp5L6UwggcoMIIGEKADAgECAgIBVjANBgkqhkiG9w0B AQUFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29t IENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBMB4XDTA5MDcyODAwMDAw MVoXDTEwMDcyODIzNTk1OVowgZYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xEDAO BgNVBAcTB011bmNoZW4xLTArBgNVBAsTJFN0YXJ0Q29tIFZlcmlmaWVkIENlcnRpZmljYXRl IE1lbWJlcjEWMBQGA1UEAxMNRnJhbmsgQmFydGVsczEdMBsGCSqGSIb3DQEJARYOa25hcmZA a25hcmYuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLWCmP9KDwAsUohjL8 tYwuvEVu3pnXZBit+oNuqBTzxC9vcR1CTZau0JZdOl/PTr94TClr0c6a1RntmRv8TFthge51 No/zY6gImSe6TDhgvBzj3YTaHDm1Kes2zZKzvKCW+sbodAGn6KreAbhb9IiJ2QuL3d7yXcbM jfMsRjfFCH/TOuRurjTPNUeEBbxMX0nJDpee9GPEbeIYBewjOyNviSfIm4Hy3OQ5GFeyEpo4 QQvi4oA2ZJpwfrzTParnRHI34CR8JDQQWqaFhd/uFOv2SKrFP6d6+BmcPy7pJSk8ItQ0ujQi Po2N4TOn9aT7Qr0kxIi7nzHTKjM7epnArtFvAgMBAAGjggOGMIIDgjAJBgNVHRMEAjAAMAsG A1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFHim Q7xUVCq3zdFNCNHFIhmhY5WJMBkGA1UdEQQSMBCBDmtuYXJmQGtuYXJmLmRlMIGoBgNVHSME gaAwgZ2AFK5Vg2/sMcq59x36r2sx88gd46y7oYGBpH8wfTELMAkGA1UEBhMCSUwxFjAUBgNV BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRl IFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEO MIIBRwYDVR0gBIIBPjCCATowggE2BgsrBgEEAYG1NwECADCCASUwLgYIKwYBBQUHAgEWImh0 dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwgbwGCCsGAQUFBwICMIGvMBQWDVN0 YXJ0Q29tIEx0ZC4wAwIBARqBlkxpbWl0ZWQgTGlhYmlsaXR5LCByZWFkIHRoZSBzZWN0aW9u ICpMZWdhbCBMaW1pdGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IFBvbGljeSBhdmFpbGFibGUgYXQgaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9s aWN5LnBkZjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9jcnR1 Mi1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1Mi1jcmwuY3Js MIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5j b20vc3ViL2NsYXNzMi9jbGllbnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly93d3cuc3RhcnRz c2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY2xpZW50LmNhLmNydDAjBgNVHRIEHDAahhhodHRw Oi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBAIVekIt/VS99FXJlHosC 30Dlv473hPN3TmCgsIUT43YW41sLUihkEaUgSl8YsRA2yR34hePf60W+zws0r/AuPTXRp/1r xwvvov7DeCRaU27QkWNfc0VZ3S8b6ZbmfHjRyPAApwLG4hPnQeIBASnc2HBGTLOWtWRkPKM9 dkV46h9j6nOMHSkLZlGqVtlqXJU1rhWXTRww3WFYwRUC7uLqFyXdKjas7OEROiNKzTd5pY3K Rz0weBXskU5fFcvw/vG6hm8FILyYR0gSQyRYQV/4GitN36R3/29crCkRZMJxhNI0h2/+L1rf czn69fq4gnPeYYJmlTe0JMcawT6jvayqbP0xggKWMIICkgIBATCBkzCBjDELMAkGA1UEBhMC SUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENl cnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJ bnRlcm1lZGlhdGUgQ2xpZW50IENBAgIBVjAJBgUrDgMCGgUAoIHYMBgGCSqGSIb3DQEJAzEL BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEwMDUwMzEzMDQwMVowIwYJKoZIhvcNAQkE MRYEFLymvpEofpCSf0UGTA0llmdHeNzfMHkGCSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEq MAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA MA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUA BIIBABuIqXgvNE6WH9kclUC4xfX2R5xeNVsYDqtHRYBNr7OjuHQ52LbEG3n0wGJVbXjfPtMv vDkdiOgeLbXg5LxebvmCASRK1yAgajxEfcTgCNjyG23t0fCE0r45ihHmb36b9PLu6uHovHDi 9WV7keCS24VcZFousgj8BLW+9uWzv2KesxTElMaM6G9ywvj3YMQp8w6CykEfQeSxh+5/oguz UArlhAGlfGYZCPe6ZkecwsUGsG1lBWUwrov91qu32Q5tha/r2fxWyHtKFDmcIlgPF9SoN2/k 2clAEfm3EmaM/ppAeWuki7E7XW7eeamZMpOO+BBfT/+0t2+xEs3oLvffdwI= --gBBFr7Ir9EOA20Yy--