Date: Mon, 28 Sep 2009 13:26:19 +0300
From: Eugene Dzhurinsky <bofh@redwerk.com>
To: freebsd-java@freebsd.org
Subject: Re: java/jdk16 vulnerability?
Message-ID: <20090928102619.GA51928@office.redwerk.com>
In-Reply-To: <20090928101048.GA1189@phenom.cordula.ws>
References: <20090928101048.GA1189@phenom.cordula.ws>
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> [Sorry for resending: I didn't get any replies]
> 
> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> complains about an old and vulnerable Java version:
> 
> Your installed version of Java is vulnerable to a severe remote
> exploit (remote code execution!). You must upgrade to at least Java
> 5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> disabled any plugins handling XML for the time being, but this
> includes searching and chat so you should upgrade ASAP!
> 
> See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
> details.
> 
> Also, please do not use Thaw or Freetalk. The UPnP plugin is
> enabled, it might present a risk if you have bad guys on your LAN,
> but without it Freenet will not be able to port forward and will
> have severe problems.
> 
> I'm running java/jdk16:
> 
> phenom# java -version
> java version "1.6.0_03-p4"
> Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
> 
> On 7.2-STABLE:
> 
> phenom# uname -a
> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC amd64
> 
> Is that version of Java really vulnerable? If yes, why doesn't
> # portaudit -Fda
> report it as such, and could you please update the java/jdk16 port?

AFAIR, the maintenance of JDK 6 is put on hold due to some licensing issues with Sun. You may want to use the OpenJDK port; probably that will solve your problem. As for its own vulnerabilities - I'm not sure if they do exist.
-- 
Eugene N Dzhurinsky
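As an added example that is not part of the thread, the following POSIX sh script checks whether a `java -version` banner like the one quoted above meets the minimum Freenet states (Java 5 update 20 or Java 6 update 15). The banner embedded below is constructed from the one in the message; the script assumes only `sh` and `sed` and treats the FreeBSD port's `-pN` suffix as a port patch level rather than a Sun update number.

```shell
#!/bin/sh
# Added example (not from the thread): compare an installed JDK's update
# level against the minimum quoted in the Freenet warning.
# Note: a real "java -version" writes its banner to stderr, so capture it
# with:  BANNER=$(java -version 2>&1)

# Pull the quoted version string ("1.6.0_03-p4") out of the banner.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print "<major> <update>" for a string such as 1.6.0_03-p4 -> "6 3".
# The "-p4" port patch level is ignored; only the Sun update counts.
java_major_update() {
    ver=$1
    major=$(printf '%s' "$ver" | sed 's/^1\.\([0-9]*\)\..*/\1/')
    update=$(printf '%s' "$ver" | sed -n 's/^[0-9.]*_\([0-9]*\).*/\1/p')
    # strip leading zeros ("03" -> "3") so the comparison below is numeric
    update=$(printf '%s' "$update" | sed 's/^0*//')
    [ -n "$update" ] || update=0
    echo "$major $update"
}

# Exit 0 if the version is at or above Freenet's stated minimum, 1 otherwise.
meets_freenet_minimum() {
    set -- $(java_major_update "$1")
    major=$1; update=$2
    case "$major" in
        5) [ "$update" -ge 20 ] ;;
        6) [ "$update" -ge 15 ] ;;
        *) [ "$major" -gt 6 ] ;;
    esac
}

# Constructed sample banner, matching the one quoted in the thread.
BANNER='java version "1.6.0_03-p4"
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)'

ver=$(java_version_string "$BANNER")
if meets_freenet_minimum "$ver"; then
    echo "$ver: at or above the Freenet minimum"
else
    echo "$ver: below the Freenet minimum (needs 5u20 or 6u15)"
fi
```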