From owner-freebsd-java@FreeBSD.ORG  Tue Nov 30 19:32:04 2004
Return-Path: <owner-freebsd-java@FreeBSD.ORG>
Delivered-To: freebsd-java@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CE28B16A4CE
	for <freebsd-java@freebsd.org>; Tue, 30 Nov 2004 19:32:04 +0000 (GMT)
Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155])
	by mx1.FreeBSD.org (Postfix) with SMTP id 3EC0943D48
	for <freebsd-java@freebsd.org>; Tue, 30 Nov 2004 19:32:04 +0000 (GMT)
	(envelope-from mdg@secureworks.net)
Received: (qmail 29357 invoked from network); 30 Nov 2004 19:32:03 -0000
Received: from unknown (HELO ?192.168.8.243?) (209.101.212.253)
  by mail.secureworks.net with SMTP; 30 Nov 2004 19:32:03 -0000
Message-ID: <41ACCAB3.7040405@secureworks.net>
Date: Tue, 30 Nov 2004 14:32:03 -0500
From: Matthew George <mdg@secureworks.net>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041117)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-java@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: jdk14 MINIMAL=true and XPM vuln
X-BeenThere: freebsd-java@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting Java to FreeBSD <freebsd-java.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-java>
List-Post: <mailto:freebsd-java@freebsd.org>
List-Help: <mailto:freebsd-java-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2004 19:32:04 -0000


Ok, so open-motif, the origin of libXm is marked in vuXML due to the XPM 
  vulnerabilities.  The jdk is in vuXML due to the javascript unsafe 
class loading issue.  Since the jdk issue is with the browser plugin, I 
figured I'd be ok using MINIMAL=true to skip the plugin, but now I'm 
tripping over open-motif.  I'd like to understand the relationship 
between the two a little more before proceeding.  From the CVS history, 
I see a note that libXm is statically linked into libawt.  It seems like 
this is a non-issue for me since I'm precompiling a package that is 
intended for use on servers that won't run X, but I'd like to get some 
kind of confirmation before I go ahead and override the vulnerability check.

-- 
Matthew George
SecureWorks Technical Operations