From: Eugene Dzhurinsky <bofh@redwerk.com>
To: freebsd-java@freebsd.org
Date: Mon, 28 Sep 2009 13:26:19 +0300
Subject: Re: java/jdk16 vulnerability?
Message-ID: <20090928102619.GA51928@office.redwerk.com>
In-Reply-To: <20090928101048.GA1189@phenom.cordula.ws>
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> [Sorry for resending: I didn't get any replies]
>
> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> complains about an old and vulnerable Java version:
>
> Your installed version of Java is vulnerable to a severe remote
> exploit (remote code execution!). You must upgrade to at least Java
> 5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> disabled any plugins handling XML for the time being, but this
> includes searching and chat so you should upgrade ASAP!
>
> See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
> details.
>
> Also, please do not use Thaw or Freetalk. The UPnP plugin is
> enabled, it might present a risk if you have bad guys on your LAN,
> but without it Freenet will not be able to port forward and will
> have severe problems.
>
> I'm running java/jdk16:
>
> phenom# java -version
> java version "1.6.0_03-p4"
> Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
>
> On 7.2-STABLE:
>
> phenom# uname -a
> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC amd64
>
> Is that version of Java really vulnerable? If yes, why doesn't
> # portaudit -Fda
> report it as such, and could you please update the java/jdk16 port?

AFAIR, the maintenance of JDK 6 is put on hold due to some licensing
issues with Sun.
You may want to use the OpenJDK port; probably that will solve your
problem. As for its own vulnerabilities, I'm not sure if they do exist.

-- 
Eugene N Dzhurinsky
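A small POSIX shell check, added here as an example and not part of the thread, that parses the `java -version` output quoted above and compares the update number against the minimum levels named in the Freenet notice (Java 5 update 20, Java 6 update 15). The sample output is constructed from the post, and it is an assumption that the FreeBSD `-pN` suffix is a port patch level that does not raise the Sun update number.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an installed Java
# meets the minimum update levels quoted in the Freenet notice
# (Java 5 update 20, Java 6 update 15).  Assumption: the FreeBSD port
# suffix "-pN" is a port patch level and does not raise the Sun update.

# Constructed sample, modelled on the "java -version" output in the post.
SAMPLE_OUTPUT='java version "1.6.0_03-p4"
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)'

# parse_java_version OUTPUT -> the quoted version string, e.g. 1.6.0_03-p4
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_update_ok VERSION -> prints "ok", "vulnerable" or "unknown"
java_update_ok() {
    v=${1%%-*}                                   # drop the FreeBSD "-pN" suffix
    major=$(printf '%s\n' "$v" | cut -d. -f2)    # 1.6.0_03 -> 6
    case $v in
        *_*) update=${v##*_} ;;                  # 1.6.0_03 -> 03
        *)   update=0 ;;                         # no update number at all
    esac
    update=$(printf '%s\n' "$update" | sed 's/^0*\([0-9]\)/\1/')   # 03 -> 3
    case $major in
        5) min=20 ;;
        6) min=15 ;;
        *) echo unknown; return 0 ;;             # no threshold known for this major
    esac
    if [ "$update" -ge "$min" ]; then echo ok; else echo vulnerable; fi
}

ver=$(parse_java_version "$SAMPLE_OUTPUT")
printf '%s -> %s\n' "$ver" "$(java_update_ok "$ver")"   # 1.6.0_03-p4 -> vulnerable
```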