On Sunday 09 August 2009 01:10:19 Ximin Luo wrote:
> Matthew Toseland wrote:
> > Anyone running Freenet must upgrade to at least Sun Java 6 Update 15 or Sun
> > Java 5 Update 20.
> >
> > Until you are able to do this, please shut down anything that parses XML,
> > specifically:
> > - Do not use the search function (XMLLibrarian).
> > - Unload the WoT and Freetalk plugins if you are using them. Likewise with
> > Library etc.
> > - Do not use Thaw. Shut it down if it is running.
> >
> > Other applications may also be vulnerable via the Python libexpat and
> > Apache Xerces libraries, so you should update your distribution ASAP.
> > However, not all applications that process XML are vulnerable as there are
> > a number of XML parsers.
> >
> > This concerns both denial of service and remote code execution and thus is
> > a *SEVERE* vulnerability.
> >
> > I will be putting out a new build ASAP, which will tell any users who
> > haven't upgraded to upgrade and will disable XMLLibrarian until they do so.
> >
> > http://www.cert.fi/en/reports/2009/vulnerability2009085.html
> >
> >
> The bug exists for OpenJDK too. It has been fixed (27.b16.fc11) in the Fedora
> repositories:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=512921
How do we reliably detect whether the OpenJDK JVM is vulnerable? On Sun we just
look at the version/update numbers... what does Freenet say on the stats page
with the broken/fixed JVM? Or fire up bsh (beanshell) and do
System.err.println(System.getProperty("java.version"));
>
> Debian's bug-tracker makes no mention of it however:
The first hit on Google suggests Debian are treating it as a non-critical DoS,
which is what CVE says it is. Unfortunately CVE are wrong. CVE now link to
CERT-FI's announcement of it as a remote code execution vulnerability and still
rate it as a DoS. :(
http://osdir.com/ml/debian-devel-changes/2009-08/msg00683.html
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=openjdk-6;dist=unstable;repeatmerged=0
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
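As an added example (not code from the thread or from Freenet), a POSIX shell check that answers the question above for Sun JVMs by comparing the java.version string from `java -version` against the fixed builds the advisory names, and that answers "unknown" for OpenJDK, where, as the thread says, the fix has to be read off the distribution package version rather than the JVM's own version string:

```shell
#!/bin/sh
# Added example, not code from the thread or from Freenet: classify a JVM from its
# `java -version` output against the fixed Sun releases named in the advisory
# (Java 6 Update 15 = 1.6.0_15, Java 5 Update 20 = 1.5.0_20).
# For OpenJDK the java.version string does not identify the fix; the thread points
# at the distribution package version instead (Fedora: 27.b16.fc11), so the
# function answers "unknown" rather than guessing.

# jvm_status: reads `java -version` output on stdin, prints fixed|vulnerable|unknown
jvm_status() {
    out=$(cat)
    # Only the Sun JDK/JRE ("Java(TM) SE Runtime Environment") is judged by version.
    case "$out" in
        *'Java(TM)'*) ;;
        *) echo unknown; return 0 ;;
    esac
    # First line looks like: java version "1.6.0_14" (a "-bNN" build suffix may follow)
    ver=$(printf '%s\n' "$out" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    major=$(printf '%s\n' "$ver" | sed -n 's/^1\.\([0-9][0-9]*\)\..*/\1/p')
    update=$(printf '%s\n' "$ver" | sed -n 's/^1\.[0-9]*\.[0-9]*_\([0-9][0-9]*\).*/\1/p')
    [ -z "$update" ] && update=0      # "1.6.0" with no update number means update 0
    case "$major" in
        6) [ "$update" -ge 15 ] && echo fixed || echo vulnerable ;;
        5) [ "$update" -ge 20 ] && echo fixed || echo vulnerable ;;
        *) echo unknown ;;            # releases the advisory does not cover
    esac
}

# Check the JVM on the PATH, if there is one (java -version writes to stderr).
if command -v java >/dev/null 2>&1; then
    printf 'local JVM: %s\n' "$(java -version 2>&1 | jvm_status)"
fi
```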
