From owner-freebsd-java@FreeBSD.ORG Tue Sep 29 16:32:23 2009 Return-Path: Delivered-To: freebsd-java@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 96298106568D for ; Tue, 29 Sep 2009 16:32:23 +0000 (UTC) (envelope-from openjdk@getsnappy.com) Received: from mailA.getsnappy.com (mailA.getsnappy.com [72.29.186.40]) by mx1.freebsd.org (Postfix) with ESMTP id 668D98FC0A for ; Tue, 29 Sep 2009 16:32:23 +0000 (UTC) Received: from [192.168.1.57] (adsl-69-111-247-57.dsl.snlo01.pacbell.net [69.111.247.57]) by mailA.getsnappy.com (8.14.3/8.14.3) with ESMTP id n8TFxcNI068982 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 29 Sep 2009 08:59:43 -0700 (PDT) (envelope-from openjdk@getsnappy.com) Message-Id: <57EA4E37-8064-47B7-B101-2FB3E183714A@getsnappy.com> From: Brian Gardner To: freebsd-java@freebsd.org In-Reply-To: <20090929034837.GA56588@misty.eyesbeyond.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Date: Tue, 29 Sep 2009 08:59:38 -0700 References: <20090928101048.GA1189@phenom.cordula.ws> <20090929034837.GA56588@misty.eyesbeyond.com> X-Mailer: Apple Mail (2.936) Subject: Re: java/jdk16 vulnerability? X-BeenThere: freebsd-java@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting Java to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Sep 2009 16:32:23 -0000 openjdk6 b17 is coming soon, and should fix these vulnerabilities. On Sep 28, 2009, at 8:48 PM, Greg Lewis wrote: > On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: >> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system >> complains about an old and vulnerable Java version: >> >> Your installed version of Java is vulnerable to a severe remote >> exploit (remote code execution!). You must upgrade to at least Java >> 5 update 20 or Java 6 update 15 as soon as possible. Freenet has >> disabled any plugins handling XML for the time being, but this >> includes searching and chat so you should upgrade ASAP! > > We're almost certainly vulnerable. The jdk16 port is at Update 3. > >> See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for >> details. >> >> Also, please do not use Thaw or Freetalk. The UPnP plugin is >> enabled, it might present a risk if you have bad guys on your LAN, >> but without it Freenet will not be able to port forward and will >> have severe problems. >> >> I'm running java/jdk16: >> >> phenom# java -version >> java version "1.6.0_03-p4" >> Java(TM) SE Runtime Environment (build 1.6.0_03-p4- >> root_08_sep_2009_17_05-b00) >> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4- >> root_08_sep_2009_17_05-b00, mixed mode) >> >> On 7.2-STABLE: >> >> phenom# uname -a >> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue >> Sep 8 10:43:26 CEST 2009 root@phenom.cordula.ws:/usr/obj/usr/ >> src/sys/GENERIC amd64 >> >> Is that version of Java really vulnerable? If yes, why doesn't >> # portaudit -Fda >> report it as such, and could you please update the java/jdk16 port? > > We need an entry in the VUXML database I guess. > > Updating java/jdk16 is going to be a slow process. There are lots of > changes between Update 3 and Update 15. I've partially merged > Update 4, > but obviously that still leaves many to go... > > -- > Greg Lewis Email : glewis@eyesbeyond.com > Eyes Beyond Web : http:// > www.eyesbeyond.com > Information Technology FreeBSD : glewis@FreeBSD.org > _______________________________________________ > freebsd-java@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-java > To unsubscribe, send any mail to "freebsd-java- > unsubscribe@freebsd.org" >