From: Panagiotis Astithas
Organization: EBS Ltd.
Date: Mon, 06 Dec 2004 10:28:14 +0200
To: Greg Lewis
cc: freebsd-java@freebsd.org
Subject: Re: [glewis@freebsd.org: cvs commit: ports/java/jdk14 Makefile]
Message-ID: <41B4181E.10704@ebs.gr>
In-Reply-To: <20041124161926.GB10910@misty.eyesbeyond.com>

Greg Lewis wrote:
> All,
>
> FYI. Please stop using the browser plugin until we can fix this.
>
> ----- Forwarded message from Greg Lewis -----
>
> glewis 2004-11-24 15:16:39 UTC
>
> FreeBSD ports repository
>
> Modified files:
>   java/jdk14 Makefile
> Log:
> . Mark FORBIDDEN when building with the browser plugin due to the
>   vulnerabilities discussed in:
>
>   http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029
>
> Revision  Changes  Path
> 1.82      +2 -0    ports/java/jdk14/Makefile
>
> ----- End forwarded message -----

There seems to be another vulnerability:

Java 1.4.2_05 also has a vulnerability in the serialization APIs (used by RMI) that allows to overload a remote JVM [and drive uptime loads to the 100s].

http://www.securityfocus.com/archive/1/382309

I suppose we are vulnerable to that, too.

Cheers,

Panagiotis