From: Frank Bartels <knarf@knarf.de>
To: java@freebsd.org, secteam@freebsd.org
Date: Mon, 29 Mar 2010 00:48:36 +0200
Subject: portaudit prevents installation of linux-sun-jdk16
Message-ID: <20100328224836.GA49926@server-king.de>
List-Id: Porting Java to FreeBSD (freebsd-java@freebsd.org)

Hi java@freebsd.org & secteam@FreeBSD.org,

I think this is both a java and a portaudit issue.

I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:
http://www.java.com/en/download/faq/firefox_newplugin.xml

So I had a look at the versions of /usr/ports/java/*jdk16* on my FreeBSD
machine. linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
meets the requirements. But if I try to make it, portaudit prevents the build:

===> linux-sun-jdk-1.6.0.18 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
   Reference:

But if I have a look at the reference URL, 1.6 does not seem to be affected.
I did a portaudit -F in order to make sure my database is up to date.

So is this a false positive that should get fixed? There was a PR on this
in 2007:
http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=

The reason for this PR to get closed was it was reproducible with
linux-sun-jdk-1.6.0.02.
http://freebsd.monkey.org/freebsd-java/200708/msg00101.html

My open questions:

1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have a
   bad.jar, but I'm willing to test.

2. Shouldn't http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
   get updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
   vulnerable?

3. Why does portaudit think it's vulnerable even if the auditfile does not
   seem to contain a matching entry for linux-sun-jdk-1.6.0.18?

$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

Thanks for listening,
Knarf
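As an added example (not part of the mail above and not portaudit's own code), the following Python re-implements the auditfile pattern check over the entries quoted in the mail, so question 3 can be tested mechanically: which patterns cover a given "name-version" package. It assumes a simplified FreeBSD-style version order in which the ",epoch" suffix outranks the version and the "_" revision, and treats a bound ending in ".*" as its prefix; both are assumptions, and the constructed AUDITFILE string only carries the patterns from the mail.

```python
import re

# Constructed sample built from the auditfile entries quoted in the mail above
# (patterns copied verbatim; URL and description are the same for every line).
VUL_URL = "http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html"
VUL_TEXT = "jdk -- jar directory traversal vulnerability"
PATTERNS = [
    "jdk<=1.2.2p11_3", "jdk>=1.3.*<=1.3.1p9_4", "jdk>=1.4.*<=1.4.2p7",
    "jdk>=1.5.*<=1.5.0p1_1", "linux-ibm-jdk<=1.4.2_1", "linux-sun-jdk<=1.4.2.08_1",
    "linux-sun-jdk>=1.5.*<=1.5.2.02,2", "linux-blackdown-jdk<=1.4.2_2",
    "diablo-jdk<=1.3.1.0_1", "diablo-jdk-freebsd6<=i386.1.5.0.07.00", "linux-jdk>=0",
]
AUDITFILE = "\n".join(f"{p}|{VUL_URL}|{VUL_TEXT}" for p in PATTERNS)

OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}

def version_key(ver: str) -> tuple:
    """Simplified FreeBSD-style order (assumption): the ',epoch' suffix wins,
    then numeric/alphabetic components in order, then the '_' port revision."""
    ver, _, epoch = ver.partition(",")
    ver, _, rev = ver.partition("_")
    parts = tuple((1, int(t)) if t.isdigit() else (0, t)
                  for t in re.findall(r"\d+|[A-Za-z]+", ver))
    return (int(epoch or 0), parts, int(rev or 0))

def parse_pattern(pattern: str) -> tuple:
    """Split 'name<op>ver<op>ver...' into (name, [(op, ver), ...])."""
    m = re.match(r"^([^<>=]+)((?:(?:<=|>=|<|>|=)[^<>=]+)*)$", pattern)
    if not m:
        raise ValueError(f"bad auditfile pattern: {pattern!r}")
    return m.group(1), re.findall(r"(<=|>=|<|>|=)([^<>=]+)", m.group(2))

def matches(pattern: str, pkg: str) -> bool:
    """True if installed 'name-version' lies inside the pattern's range.
    A bound ending in '.*' is compared as its prefix (assumption)."""
    name, cons = parse_pattern(pattern)
    pkg_name, _, pkg_ver = pkg.rpartition("-")
    if pkg_name != name:
        return False
    key = version_key(pkg_ver)
    return all(OPS[op](key, version_key(v[:-2] if v.endswith(".*") else v))
               for op, v in cons)

def audit(pkg: str, auditfile: str = AUDITFILE) -> list:
    """Return the auditfile patterns that flag the given package."""
    return [line.split("|", 1)[0] for line in auditfile.splitlines()
            if matches(line.split("|", 1)[0], pkg)]
```

Calling audit("linux-sun-jdk-1.6.0.18") returns the `linux-sun-jdk>=1.5.*<=1.5.2.02,2` entry under this order, because an epoch-less 1.6.0.18 sorts below 1.5.2.02,2 (epoch 2), while audit("linux-sun-jdk-1.6.0.18,2") returns nothing; whether the real tool agrees is something to confirm with `pkg_version -t` on the two version strings.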