Date:      Mon, 16 May 2005 22:08:25 -0600
From:      Greg Lewis <glewis@eyesbeyond.com>
To:        Alfred Perlstein <alfred@freebsd.org>
Cc:        java@freebsd.org
Subject:   Re: What's up with java and security?
Message-ID:  <20050517040825.GA95824@misty.eyesbeyond.com>
In-Reply-To: <20050517033420.GB62055@elvis.mu.org>
References:  <20050517033420.GB62055@elvis.mu.org>

Hi Alfred,

On Mon, May 16, 2005 at 08:34:20PM -0700, Alfred Perlstein wrote:
> I wanted to play with java, but it looks like all the ports we
> have are busted...
> 
> jdk13 native has issues:
> ===>  jdk-1.3.1p9_5 has known vulnerabilities:
> => jdk/jre -- Security Vulnerability With Java Plugin.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/ac619d06-3ef8-11d9-8741-c942c075aa41.html>

As long as you don't use the plugin you're not vulnerable, so it depends on
what you want to do.

> jdk14 depends on linux-sun-jdk14 which has issues:
> ===>  linux-sun-jdk-1.4.2.08_1 has known vulnerabilities:
> => jdk -- jar directory traversal vulnerability.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

Right, but once the native jdk14 is built you can remove the Linux version.
The native jdk14 (if your ports tree is up to date, I committed the fix
last week) has the jar directory traversal problems fixed, so it's not
vulnerable.

> Is Sun planning on fixing this?

I would have thought it would have been in 1.5.0_03, but it's not, and
they haven't released a 1.4.2_09 with it in yet either.  One assumes
they are planning on fixing it, but they just haven't yet.

Until then, just install the Linux version long enough to bootstrap
the native port and remove it once it's built.  The build process doesn't
expose you to any vulnerabilities.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org


