Date:      Mon, 29 Mar 2010 00:48:36 +0200
From:      Frank Bartels <knarf@knarf.de>
To:        java@freebsd.org, secteam@freebsd.org
Subject:   portaudit prevents installation of linux-sun-jdk16
Message-ID:  <20100328224836.GA49926@server-king.de>

Hi java@freebsd.org & secteam@FreeBSD.org,

I think this is both a java and a portaudit issue.

I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:

http://www.java.com/en/download/faq/firefox_newplugin.xml

So I had a look at the versions of /usr/ports/java/*jdk16* on my
FreeBSD machine.

linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
meets the requirements. But if I try to make it, portaudit prevents
the build:

===>  linux-sun-jdk-1.6.0.18 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

But if I have a look at the reference URL, 1.6 does not seem to be
affected. I did a portaudit -F in order to make sure my database
is up to date.

So is this a false positive that should get fixed?

There was a PR on this in 2007:

http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=

The reason for this PR to get closed was it was reproducible with
linux-sun-jdk-1.6.0.02.

http://freebsd.monkey.org/freebsd-java/200708/msg00101.html

My open questions:

1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have
a bad.jar, but I'm willing to test.

2. Shouldn't
http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
vulnerable?

3. Why does portaudit think it's vulnerable even if the auditfile
does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?

$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

Thanks for listening,
Knarf
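Added example (not part of the message above and not portaudit's own code): a small Python model of how the version ranges in an auditfile entry are evaluated against an installed package, using the range specs from the grep output in the message as constructed input. It generalises beyond the single package in the message to any `name<op>version...` entry. It assumes FreeBSD's `version[_revision][,epoch]` layout with the epoch compared before anything else, treats a `*` component in a bound as a wildcard that ends the comparison at that point, and simplifies pkg_version's handling of alphanumeric components (digits compare numerically, letters lexically). Names such as `matching_entries` and `split_pkgname` are this example's own.

```python
"""Model of portaudit-style auditfile range matching (added example, not
portaudit's code). Entry format: name<op>ver[<op>ver...]|url|description."""
import re
from dataclasses import dataclass

URL = "http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html"
DESC = "jdk -- jar directory traversal vulnerability"
# Constructed input: the range specs from the grep output quoted in the message.
SPECS = [
    "jdk<=1.2.2p11_3",
    "jdk>=1.3.*<=1.3.1p9_4",
    "jdk>=1.4.*<=1.4.2p7",
    "jdk>=1.5.*<=1.5.0p1_1",
    "linux-ibm-jdk<=1.4.2_1",
    "linux-sun-jdk<=1.4.2.08_1",
    "linux-sun-jdk>=1.5.*<=1.5.2.02,2",
    "linux-blackdown-jdk<=1.4.2_2",
    "diablo-jdk<=1.3.1.0_1",
    "diablo-jdk-freebsd6<=i386.1.5.0.07.00",
    "linux-jdk>=0",
]
AUDITFILE = "\n".join(f"{spec}|{URL}|{DESC}" for spec in SPECS)

# Each operator maps a compare() result (-1, 0, 1) to "condition holds".
OPS = {
    "<=": lambda c: c <= 0, ">=": lambda c: c >= 0,
    "<": lambda c: c < 0, ">": lambda c: c > 0, "=": lambda c: c == 0,
}


@dataclass
class Entry:
    name: str
    conds: list          # [(op, bound), ...]; every condition must hold
    url: str
    desc: str
    spec: str


def split_pkgname(pkg):
    """'linux-sun-jdk-1.6.0.18' -> ('linux-sun-jdk', '1.6.0.18')."""
    name, version = pkg.rsplit("-", 1)
    return name, version


def parse_version(v):
    """FreeBSD layout version[_revision][,epoch] -> (epoch, components, revision)."""
    epoch = revision = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    return epoch, v.split("."), revision


def _key(component):
    # '2p11' -> ((0, 2), (1, 'p'), (0, 11)): digit runs numeric, letter runs lexical
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", component))


def compare(version, bound):
    """-1, 0 or 1 for version <, ==, > bound. The epoch is compared first, so
    an epoch-bearing bound such as '1.5.2.02,2' sits above every epoch-0
    version. A '*' component in the bound is a wildcard: only the components
    before it are compared (assumption of this model)."""
    ve, vparts, vrev = parse_version(version)
    be, bparts, brev = parse_version(bound)
    if "*" in bparts:
        n = bparts.index("*")
        vparts, bparts, vrev, brev = vparts[:n], bparts[:n], 0, 0
    a = (ve, [_key(p) for p in vparts], vrev)
    b = (be, [_key(p) for p in bparts], brev)
    return (a > b) - (a < b)


def parse_entry(line):
    spec, url, desc = line.split("|", 2)
    m = re.search(r"[<>=]", spec)          # the name ends at the first operator
    name, conds = spec[:m.start()], spec[m.start():]
    return Entry(name, re.findall(r"(<=|>=|<|>|=)([^<>=]+)", conds), url, desc, spec)


def matching_entries(pkgname, version, auditfile=AUDITFILE):
    """Specs of every entry whose name equals pkgname and whose range
    conditions all hold for version."""
    hits = []
    for line in auditfile.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e.name == pkgname and all(OPS[op](compare(version, bound))
                                     for op, bound in e.conds):
            hits.append(e.spec)
    return hits


if __name__ == "__main__":
    name, ver = split_pkgname("linux-sun-jdk-1.6.0.18")
    for spec in matching_entries(name, ver):
        print("matched by:", spec)
```

Under these assumptions, evaluating linux-sun-jdk-1.6.0.18 picks out the one entry whose upper bound carries an epoch (`<=1.5.2.02,2`): because the epoch outranks the numeric version, every epoch-0 version satisfies that bound, while the same bound without `,2` would not match. That is the kind of check worth running when an audit tool flags a version the advisory text says is unaffected.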

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100328224836.GA49926>