Re: [freenet-support] Part 2: Probably a bug: please report: 1 peers forcibly disconnected due to not acknowledging packets.
On Friday 07 August 2009 23:36:05 Juiceman wrote:
> That's very interesting! That IP resolves to China, I believe:
>
> Pinging 197.36.202.62.cust.bluewin.ch [62.202.36.197] with 32 bytes of data:
> Request timed out.

.ch is Switzerland (China is .cn); it looks like a dynamically-allocated DSL address, which raises the question: How does Freenet handle nodes that suddenly change their IP if the ISP doesn't allow them to renew their lease on the same address?

Stephen

___
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:support-requ...@freenetproject.org?subject=unsubscribe
[freenet-support] Urgent Freenet security announcement: upgrade your Java now!
Anyone running Freenet must upgrade to at least Sun Java 6 Update 15 or Sun Java 5 Update 20. Until you are able to do this, please shut down anything that parses XML, specifically:
- Do not use the search function (XMLLibrarian).
- Unload the WoT and Freetalk plugins if you are using them. Likewise with Library etc.
- Do not use Thaw. Shut it down if it is running.

Other applications may also be vulnerable via the Python libexpat and Apache Xerces libraries, so you should update your distribution ASAP. However, not all applications that process XML are vulnerable as there are a number of XML parsers.

This concerns both denial of service and remote code execution and thus is a *SEVERE* vulnerability.

I will be putting out a new build ASAP, which will tell any users who haven't upgraded to upgrade and will disable XMLLibrarian until they do so.

http://www.cert.fi/en/reports/2009/vulnerability2009085.html
[freenet-support] Freenet 0.7 build 1228
Freenet 0.7 build 1228 is now available. Apologies for not posting a changelog for 1227, I will now. Please upgrade ASAP as 1228 is mandatory on Friday and warns the user about a critical security problem in Sun JVMs.

1228:
- Warn user about, and refuse to load plugins handling XML, a severe vulnerability in Java.
- Some robustness code in the client layer (half-deleted stuff left over by bugs causing problems).
- Avoid node-to-node text messages leaking memory when peers are removed.
- If we have peers, set the completed-the-first-time-wizard flag to true. This affects encryption of the client layer database, and also whether we show the wizard on later startups before managing to connect.
- Fix a thread leak in FCP, usually triggered by FMS.
- Remove TargetNodeName in FCP message ReceivedN2NFeedMessage.
- Minor improvement to javadocs generation, and indenting.

infinity0 ljb toad

1227:
- Fix failure to start when trying to defrag a big node.db4o.
- Some robustness code in the client layer (half-deleted stuff left over by bugs causing problems).
- Fix ?forcedownload headers. On some systems, forcedownload was not working.
- New FCP messages for plugin management: LoadPlugin, RemovePlugin, ReloadPlugin, response message PluginRemoved.
- Some refactoring, logging and minor internal changes.
- Fix a weird NPE breaking site inserts when heavy logging is enabled.

saces volodya toad

With regards to the JVM thing, Windows users will generally have auto-update for their JVM; Linux and Mac users are more problematic, initially the vulnerability was much less serious so may not be deployed quickly, also it might be possible to fix it without increasing the JVM version in which case we would not be able to detect the fix...
[freenet-support] Freenet Not detecting JVM Properly
Hello!

I recently updated to build 1228 per the recommendation of this thread and the automatic process of my node. I also updated my Java to J6R15, which according to the Java control panel is the latest version of J6. My node, however, insists that I have to have J5R15 or J6R20 (which appears to not exist yet), and is warning me about the security flaw that I had believed these updates were supposed to protect against.

Any thoughts? Is it possible the node is misidentifying the requirements?

Thanks!
~ Jeff
Re: [freenet-support] Freenet Not detecting JVM Properly
On Sun, Aug 9, 2009 at 12:22 AM, Jeff Isaac <cineveggie.li...@gmail.com> wrote:
> Hello!
>
> I recently updated to build 1228 per the recommendation of this thread and the automatic process of my node. I also updated my Java to J6R15, which according to the Java control panel is the latest version of J6. My node, however, insists that I have to have J5R15 or J6R20 (which appears to not exist yet), and is warning me about the security flaw that I had believed these updates were supposed to protect against.
>
> Any thoughts? Is it possible the node is misidentifying the requirements?
>
> Thanks!
> ~ Jeff

I get the same thing. Freenet stat page shows Java Version: 1.6.0_15 so the code that is checking versions is not right.

Here it is!

+if(is150 subver 10) + spuriousOOMs = true; + +if(is150 subver 15 || is160 subver 20) + xmlRemoteCodeExec = true;

That's backwards.
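Review bot: in the second condition the update numbers are attached to the wrong release families: "is150 subver 15 || is160 subver 20" pairs 1.5.0 with 15 and 1.6.0 with 20, while the security announcement earlier in this archive names Sun Java 5 Update 20 and Sun Java 6 Update 15 as the minimum releases, which matches the report of a node on 1.6.0_15 still being warned. Swap the two constants so that 1.5.0 is checked against 20 and 1.6.0 against 15, and add a comment citing the advisory so the numbers can be re-checked later. As archived here the conditions show no operator between the family flag, subver and the constant, so the direction of each comparison cannot be reviewed from these lines.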
Re: [freenet-support] Freenet Not detecting JVM Properly
On Sun, Aug 9, 2009 at 1:33 AM, Juiceman <juicema...@gmail.com> wrote:
> On Sun, Aug 9, 2009 at 12:22 AM, Jeff Isaac <cineveggie.li...@gmail.com> wrote:
>> Hello!
>>
>> I recently updated to build 1228 per the recommendation of this thread and the automatic process of my node. I also updated my Java to J6R15, which according to the Java control panel is the latest version of J6. My node, however, insists that I have to have J5R15 or J6R20 (which appears to not exist yet), and is warning me about the security flaw that I had believed these updates were supposed to protect against.
>>
>> Any thoughts? Is it possible the node is misidentifying the requirements?
>>
>> Thanks!
>> ~ Jeff
>
> I get the same thing. Freenet stat page shows Java Version: 1.6.0_15 so the code that is checking versions is not right.
>
> Here it is!
>
> + if(is150 subver 10) + spuriousOOMs = true; + + if(is150 subver 15 || is160 subver 20) + xmlRemoteCodeExec = true;
>
> That's backwards.

I have corrected the code in commit e195ed26 on the staging branch.
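The version gate this thread is about, written out as an added example (not Freenet's code; the class and method names are hypothetical). It uses the minimum releases from the announcement, Sun Java 5 Update 20 and Sun Java 6 Update 15, and assumes the legacy 1.x.0_NN form of java.version; how it treats other release families and unparseable strings is an assumption of the example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; JvmXmlGate and its methods are hypothetical names, not Freenet's.
public class JvmXmlGate {
    // Legacy Sun java.version strings: "1.6.0_15", "1.6.0_15-b03", "1.5.0".
    private static final Pattern SUN_VERSION =
        Pattern.compile("^1\\.(\\d{1,2})\\.0(?:_(\\d{1,3}))?(?:-.*)?$");

    // First fixed update per release family, taken from the announcement:
    // Sun Java 5 Update 20 and Sun Java 6 Update 15. -1 = family not listed.
    static int firstFixedUpdate(int family) {
        switch (family) {
            case 5: return 20;
            case 6: return 15;
            default: return -1;
        }
    }

    // True when XML-parsing plugins should stay disabled for this java.version.
    static boolean xmlParsingUnsafe(String javaVersion) {
        if (javaVersion == null) return true;                 // fail closed
        Matcher m = SUN_VERSION.matcher(javaVersion.trim());
        if (!m.matches()) return true;                        // unknown format: fail closed
        int family = Integer.parseInt(m.group(1));
        int update = (m.group(2) == null) ? 0 : Integer.parseInt(m.group(2));
        int fixed = firstFixedUpdate(family);
        if (fixed < 0) {
            // Assumption: families older than 5 never received the fix,
            // families newer than 6 shipped with it.
            return family < 5;
        }
        return update < fixed;   // strictly below the first fixed update
    }

    public static void main(String[] args) {
        // Constructed sample strings; a node would pass System.getProperty("java.version").
        String[] samples = {
            "1.6.0_15", "1.6.0_14", "1.5.0_20", "1.5.0_19",
            "1.6.0_15-b03", "1.6.0", "garbage"
        };
        for (String v : samples) {
            System.out.println(v + " -> " + (xmlParsingUnsafe(v) ? "disable XML plugins" : "ok"));
        }
    }
}
```

A comparison on the version string cannot see a fix that a distribution applies without raising the update number, the case raised in the build 1228 announcement, so a gate like this will keep warning on such a JVM.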