Date: Fri, 13 Oct 2006 23:18:53 +0400
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Greg Lewis" <glewis@FreeBSD.org>, java@FreeBSD.org
Cc: "Simon L. Nielsen" <simon@freebsd.org>, secteam@freebsd.org
Subject: Re: JDK/JRE RSA vulnerability
Message-ID: <cb5206420610131218n23274729u600772a1faef34fb@mail.gmail.com>
In-Reply-To: <20061004181113.GB1008@zaphod.nitro.dk>
References: <cb5206420610040941i33d9cb6j98c0beb4e21dc415@mail.gmail.com> <20061004181113.GB1008@zaphod.nitro.dk>

On 10/4/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> On 2006.10.04 20:41:34 +0400, Andrew Pantyukhin wrote:
> > Please review the following patch to vuln.xml:
> >
> > http://people.freebsd.org/~sat/diffs/jdk1509.diff
>
> Are you sure that the JDK/JRE for FreeBSD is actually vulnerable? On
> some OSes which don't support cryptographic operations by default
> (e.g. Windows) crypto libs are bundled with the program, but OS
> supplied libs are used on the OSes which have them. I don't know if
> this is the case of JDK/JRE but it should probably be checked first.
> Could you poke the Java people (e.g. glewis AFAIR) to check?
>
> As a side note, the Secunia advisory doesn't contain anything which
> isn't on Sun's page, so much better to use the info directly from Sun.

Could you please take a look and tell us if we're affected by
one or more of these advisories:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5201
http://secunia.com/advisories/22204/

I'm almost sure Linux versions are vulnerable, but as for native
versions (both certified and not), it's unclear.

Thank you!