|

»

java/jdk16 vulnerability?

View: New views

7 Messages — Rating Filter: Alert me

	java/jdk16 vulnerability? by cpghost :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message [Sorry for resending: I didn't get any replies] Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system complains about an old and vulnerable Java version: Your installed version of Java is vulnerable to a severe remote exploit (remote code execution!). You must upgrade to at least Java 5 update 20 or Java 6 update 15 as soon as possible. Freenet has disabled any plugins handling XML for the time being, but this includes searching and chat so you should upgrade ASAP! See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for details. Also, please do not use Thaw or Freetalk. The UPnP plugin is enabled, it might present a risk if you have bad guys on your LAN, but without it Freenet will not be able to port forward and will have severe problems. I'm running java/jdk16: phenom# java -version java version "1.6.0_03-p4" Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) On 7.2-STABLE: phenom# uname -a FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@...:/usr/obj/usr/src/sys/GENERIC amd64 Is that version of Java really vulnerable? If yes, why doesn't # portaudit -Fda report it as such, and could you please update the java/jdk16 port? Thanks, -cpghost. -- Cordula's Web. http://www.cordula.ws/ _______________________________________________ freebsd-java@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-java To unsubscribe, send any mail to "freebsd-java-unsubscribe@..."
	Re: java/jdk16 vulnerability? by bofh-6 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: > [Sorry for resending: I didn't get any replies] > > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system > complains about an old and vulnerable Java version: > > Your installed version of Java is vulnerable to a severe remote > exploit (remote code execution!). You must upgrade to at least Java > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > disabled any plugins handling XML for the time being, but this > includes searching and chat so you should upgrade ASAP! > > See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for > details. > > Also, please do not use Thaw or Freetalk. The UPnP plugin is > enabled, it might present a risk if you have bad guys on your LAN, > but without it Freenet will not be able to port forward and will > have severe problems. > > I'm running java/jdk16: > > phenom# java -version > java version "1.6.0_03-p4" > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) > > On 7.2-STABLE: > > phenom# uname -a > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@...:/usr/obj/usr/src/sys/GENERIC amd64 > > Is that version of Java really vulnerable? If yes, why doesn't > # portaudit -Fda > report it as such, and could you please update the java/jdk16 port? AFAIR, the maintenance of JDK 6 is put on hold due to some licencing issues with Sun. You may want to use OpenJDK port, probably that will solve your problem. As for it's own vulnerabilities - I'm not sure if they do exist. -- Eugene N Dzhurinsky attachment0 (203 bytes) Download Attachment
	Re: java/jdk16 vulnerability? by Greg Lewis-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system > complains about an old and vulnerable Java version: > > Your installed version of Java is vulnerable to a severe remote > exploit (remote code execution!). You must upgrade to at least Java > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > disabled any plugins handling XML for the time being, but this > includes searching and chat so you should upgrade ASAP! We're almost certainly vulnerable. The jdk16 port is at Update 3. > See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for > details. > > Also, please do not use Thaw or Freetalk. The UPnP plugin is > enabled, it might present a risk if you have bad guys on your LAN, > but without it Freenet will not be able to port forward and will > have severe problems. > > I'm running java/jdk16: > > phenom# java -version > java version "1.6.0_03-p4" > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) > > On 7.2-STABLE: > > phenom# uname -a > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@...:/usr/obj/usr/src/sys/GENERIC amd64 > > Is that version of Java really vulnerable? If yes, why doesn't > # portaudit -Fda > report it as such, and could you please update the java/jdk16 port? We need an entry in the VUXML database I guess. Updating java/jdk16 is going to be a slow process. There are lots of changes between Update 3 and Update 15. I've partially merged Update 4, but obviously that still leaves many to go... -- Greg Lewis Email : glewis@... Eyes Beyond Web : http://www.eyesbeyond.com Information Technology FreeBSD : glewis@... _______________________________________________ freebsd-java@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-java To unsubscribe, send any mail to "freebsd-java-unsubscribe@..."
	Re: java/jdk16 vulnerability? by Robert Huff :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Greg Lewis writes: > > Your installed version of Java is vulnerable to a severe remote > > exploit (remote code execution!). You must upgrade to at least Java > > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > > disabled any plugins handling XML for the time being, but this > > includes searching and chat so you should upgrade ASAP! > > We're almost certainly vulnerable. The jdk16 port is at Update 3. > We need an entry in the VUXML database I guess. > > Updating java/jdk16 is going to be a slow process. There are > lots of changes between Update 3 and Update 15. I've partially > merged Update 4, but obviously that still leaves many to go... As someone with zero knowledge of Java internals: what is the recommended version at the moment? Robert Huff _______________________________________________ freebsd-java@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-java To unsubscribe, send any mail to "freebsd-java-unsubscribe@..."
	Re: java/jdk16 vulnerability? by Wenliang Cai-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Perhaps we can have a specific page to show the recommended JDK version for all people including these who are not in the list... [?] On Tue, Sep 29, 2009 at 12:30 PM, Robert Huff <roberthuff@...> wrote: > > Greg Lewis writes: > > > > Your installed version of Java is vulnerable to a severe remote > > > exploit (remote code execution!). You must upgrade to at least Java > > > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > > > disabled any plugins handling XML for the time being, but this > > > includes searching and chat so you should upgrade ASAP! > > > > We're almost certainly vulnerable. The jdk16 port is at Update 3. > > > > We need an entry in the VUXML database I guess. > > > > Updating java/jdk16 is going to be a slow process. There are > > lots of changes between Update 3 and Update 15. I've partially > > merged Update 4, but obviously that still leaves many to go... > > As someone with zero knowledge of Java internals: what is the > recommended version at the moment? > > > Robert Huff > > _______________________________________________ > freebsd-java@... mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-java > To unsubscribe, send any mail to "freebsd-java-unsubscribe@..." > _______________________________________________ freebsd-java@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-java To unsubscribe, send any mail to "freebsd-java-unsubscribe@..."
	Re: java/jdk16 vulnerability? by Brian Gardner-6 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message openjdk6 b17 is coming soon, and should fix these vulnerabilities. On Sep 28, 2009, at 8:48 PM, Greg Lewis wrote: > On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: >> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system >> complains about an old and vulnerable Java version: >> >> Your installed version of Java is vulnerable to a severe remote >> exploit (remote code execution!). You must upgrade to at least Java >> 5 update 20 or Java 6 update 15 as soon as possible. Freenet has >> disabled any plugins handling XML for the time being, but this >> includes searching and chat so you should upgrade ASAP! > > We're almost certainly vulnerable. The jdk16 port is at Update 3. > >> See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for >> details. >> >> Also, please do not use Thaw or Freetalk. The UPnP plugin is >> enabled, it might present a risk if you have bad guys on your LAN, >> but without it Freenet will not be able to port forward and will >> have severe problems. >> >> I'm running java/jdk16: >> >> phenom# java -version >> java version "1.6.0_03-p4" >> Java(TM) SE Runtime Environment (build 1.6.0_03-p4- >> root_08_sep_2009_17_05-b00) >> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4- >> root_08_sep_2009_17_05-b00, mixed mode) >> >> On 7.2-STABLE: >> >> phenom# uname -a >> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue >> Sep 8 10:43:26 CEST 2009 root@...:/usr/obj/usr/ >> src/sys/GENERIC amd64 >> >> Is that version of Java really vulnerable? If yes, why doesn't >> # portaudit -Fda >> report it as such, and could you please update the java/jdk16 port? > > We need an entry in the VUXML database I guess. > > Updating java/jdk16 is going to be a slow process. There are lots of > changes between Update 3 and Update 15. I've partially merged > Update 4, > but obviously that still leaves many to go... > > -- > Greg Lewis Email : glewis@... > Eyes Beyond Web : http:// > www.eyesbeyond.com > Information Technology FreeBSD : glewis@... > _______________________________________________ > freebsd-java@... mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-java > To unsubscribe, send any mail to "freebsd-java- > unsubscribe@..." > _______________________________________________ freebsd-java@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-java To unsubscribe, send any mail to "freebsd-java-unsubscribe@..."
	Re: java/jdk16 vulnerability? by cpghost :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Mon, Sep 28, 2009 at 08:48:37PM -0700, Greg Lewis wrote: > On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote: > > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system > > complains about an old and vulnerable Java version: > > > > Your installed version of Java is vulnerable to a severe remote > > exploit (remote code execution!). You must upgrade to at least Java > > 5 update 20 or Java 6 update 15 as soon as possible. Freenet has > > disabled any plugins handling XML for the time being, but this > > includes searching and chat so you should upgrade ASAP! > > We're almost certainly vulnerable. The jdk16 port is at Update 3. Ah, I see. Thanks for clarifying. > > See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for > > details. > > > > Also, please do not use Thaw or Freetalk. The UPnP plugin is > > enabled, it might present a risk if you have bad guys on your LAN, > > but without it Freenet will not be able to port forward and will > > have severe problems. > > > > I'm running java/jdk16: > > > > phenom# java -version > > java version "1.6.0_03-p4" > > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) > > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) > > > > On 7.2-STABLE: > > > > phenom# uname -a > > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@...:/usr/obj/usr/src/sys/GENERIC amd64 > > > > Is that version of Java really vulnerable? If yes, why doesn't > > # portaudit -Fda > > report it as such, and could you please update the java/jdk16 port? > > We need an entry in the VUXML database I guess. > > Updating java/jdk16 is going to be a slow process. There are lots of > changes between Update 3 and Update 15. I've partially merged Update 4, > but obviously that still leaves many to go... Looks like a lot of work... Any chance to see progress here before 8.0-RELEASE? It's not a big deal, but shipping an updated port without that vuln. would be nice. > Greg Lewis Email : glewis@... > Eyes Beyond Web : http://www.eyesbeyond.com > Information Technology FreeBSD : glewis@... Thanks for the great work supporting JDK natively on FreeBSD, -cpghost. -- Cordula's Web. http://www.cordula.ws/ _______________________________________________ freebsd-java@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-java To unsubscribe, send any mail to "freebsd-java-unsubscribe@..."