From owner-freebsd-questions@FreeBSD.ORG Tue Sep 29 04:32:03 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6EC43106566C for ; Tue, 29 Sep 2009 04:32:03 +0000 (UTC) (envelope-from roberthuff@rcn.com) Received: from smtp02.lnh.mail.rcn.net (smtp02.lnh.mail.rcn.net [207.172.157.102]) by mx1.freebsd.org (Postfix) with ESMTP id 17F5C8FC23 for ; Tue, 29 Sep 2009 04:32:01 +0000 (UTC) Received: from mr02.lnh.mail.rcn.net ([207.172.157.22]) by smtp02.lnh.mail.rcn.net with ESMTP; 29 Sep 2009 00:32:01 -0400 Received: from smtp01.lnh.mail.rcn.net (smtp01.lnh.mail.rcn.net [207.172.4.11]) by mr02.lnh.mail.rcn.net (MOS 3.10.7-GA) with ESMTP id QFC41401; Tue, 29 Sep 2009 00:30:54 -0400 (EDT) Received: from 209-6-22-227.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com (HELO jerusalem.litteratus.org.litteratus.org) ([209.6.22.227]) by smtp01.lnh.mail.rcn.net with ESMTP; 29 Sep 2009 00:30:53 -0400 From: Robert Huff MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <19137.36221.789093.590674@jerusalem.litteratus.org> Date: Tue, 29 Sep 2009 00:30:53 -0400 To: Greg Lewis In-Reply-To: <20090929034837.GA56588@misty.eyesbeyond.com> References: <20090928101048.GA1189@phenom.cordula.ws> <20090929034837.GA56588@misty.eyesbeyond.com> X-Mailer: VM 7.17 under 21.5 (beta28) "fuki" XEmacs Lucid X-Junkmail-Whitelist: YES (by domain whitelist at mr02.lnh.mail.rcn.net) Cc: Greg Lewis , cpghost , freebsd-questions@freebsd.org, freebsd-java@freebsd.org Subject: Re: java/jdk16 vulnerability? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Sep 2009 04:32:03 -0000 Greg Lewis writes: > > Your installed version of Java is vulnerable to a severe remote > > exploit (remote code execution!). You must upgrade to at least Java > > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > > disabled any plugins handling XML for the time being, but this > > includes searching and chat so you should upgrade ASAP! > > We're almost certainly vulnerable. The jdk16 port is at Update 3. > We need an entry in the VUXML database I guess. > > Updating java/jdk16 is going to be a slow process. There are > lots of changes between Update 3 and Update 15. I've partially > merged Update 4, but obviously that still leaves many to go... As someone with zero knowledge of Java internals: what is the recommended version at the moment? Robert Huff