Date: Mon, 28 Feb 2011 22:06:50 -0800
From: Greg Lewis <glewis@eyesbeyond.com>
To: "Zenger, Alexander" <Alexander.Zenger@f-i-ts.de>
Cc: "'freebsd-java@FreeBSD.org'" <freebsd-java@freebsd.org>
Subject: Re: Question Update Java Security Updates
Message-ID: <20110301060650.GA5830@misty.eyesbeyond.com>
In-Reply-To: <E0E6BA3CD1F1A345BDC29F408F490D782DE077CB83@IZPSIMSX03.asp.izb>
References: <E0E6BA3CD1F1A345BDC29F408F490D782DE077CB83@IZPSIMSX03.asp.izb>

On Thu, Feb 24, 2011 at 09:05:20PM +0100, Zenger, Alexander wrote:
> I was wondering how the security updates from the Oracle Java are integrated in FreeBSD Java.
> I couldn't find any information related to that on the FreeBSD Java site, and I also didn't see
> any portaudit entries, but I think there must be some.
> For example CVE-2010-4476 "Converting the decimal value '2.2250738585072012e-308' causes a dos".
> There were several CVEs fixed with the last Release, see here:
>
> http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

Unfortunately it's basically only the OpenJDK ports that are getting
security updates for most instances, and even then only when the ports
themselves are updated due to new releases, not often when the
vulnerability is announced. For the particular issue you reference I
did commit a patch, but that's only because I found one easily enough.

I'd very much welcome people submitting patches, although doing so for
the Diablo ports is problematic since each change requires the test
suite to be rerun (no small task) and for jdk16 the whole port just
needs a major update to a recent JDK6 release.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org