Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 20 Sep 2009 22:36:37 +0200
From:      cpghost <cpghost@cordula.ws>
To:        Greg Lewis <glewis@FreeBSD.org>
Cc:        freebsd-questions@freebsd.org
Subject:   java/jdk16 vulnerability?
Message-ID:  <20090920203637.GA2670@phenom.cordula.ws>

Next in thread | Raw E-Mail | Index | Archive | Help
Hi Greg,

Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:

  Your installed version of Java is vulnerable to a severe remote
  exploit (remote code execution!). You must upgrade to at least Java
  5 update 20 or Java 6 update 15 as soon as possible. Freenet has
  disabled any plugins handling XML for the time being, but this
  includes searching and chat so you should upgrade ASAP!

  See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
  details.

  Also, please do not use Thaw or Freetalk. The UPnP plugin is
  enabled, it might present a risk if you have bad guys on your LAN,
  but without it Freenet will not be able to port forward and will
  have severe problems.

I'm running java/jdk16:

phenom# java -version
java version "1.6.0_03-p4"
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)

On 7.2-STABLE:

phenom# uname -a
FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009     root@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64

Is that version of Java really vulnerable? If yes, why doesn't
  # portaudit -Fda
report it as such, and could you please update the java/jdk16 port?

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20090920203637.GA2670>