Date: Wed, 30 Sep 2009 17:10:09 +0200 From: cpghost <cpghost@cordula.ws> To: Greg Lewis <glewis@eyesbeyond.com> Cc: freebsd-questions@FreeBSD.org, freebsd-java@FreeBSD.org Subject: Re: java/jdk16 vulnerability? Message-ID: <20090930151009.GA1937@phenom.cordula.ws> In-Reply-To: <20090929034837.GA56588@misty.eyesbeyond.com> References: <20090928101048.GA1189@phenom.cordula.ws> <20090929034837.GA56588@misty.eyesbeyond.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 28, 2009 at 08:48:37PM -0700, Greg Lewis wrote: > On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: > > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system > > complains about an old and vulnerable Java version: > > > > Your installed version of Java is vulnerable to a severe remote > > exploit (remote code execution!). You must upgrade to at least Java > > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > > disabled any plugins handling XML for the time being, but this > > includes searching and chat so you should upgrade ASAP! > > We're almost certainly vulnerable. The jdk16 port is at Update 3. Ah, I see. Thanks for clarifying. > > See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for > > details. > > > > Also, please do not use Thaw or Freetalk. The UPnP plugin is > > enabled, it might present a risk if you have bad guys on your LAN, > > but without it Freenet will not be able to port forward and will > > have severe problems. > > > > I'm running java/jdk16: > > > > phenom# java -version > > java version "1.6.0_03-p4" > > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) > > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) > > > > On 7.2-STABLE: > > > > phenom# uname -a > > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC amd64 > > > > Is that version of Java really vulnerable? If yes, why doesn't > > # portaudit -Fda > > report it as such, and could you please update the java/jdk16 port? > > We need an entry in the VUXML database I guess. > > Updating java/jdk16 is going to be a slow process. There are lots of > changes between Update 3 and Update 15. I've partially merged Update 4, > but obviously that still leaves many to go... Looks like *a lot* of work... Any chance to see progress here before 8.0-RELEASE? It's not a big deal, but shipping an updated port without that vuln. would be nice. > Greg Lewis Email : glewis@eyesbeyond.com > Eyes Beyond Web : http://www.eyesbeyond.com > Information Technology FreeBSD : glewis@FreeBSD.org Thanks for the great work supporting JDK natively on FreeBSD, -cpghost. -- Cordula's Web. http://www.cordula.ws/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090930151009.GA1937>