Re: java/jdk16 vulnerability?

2009-09-30 Thread cpghost
On Mon, Sep 28, 2009 at 08:48:37PM -0700, Greg Lewis wrote:
> On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> > complains about an old and vulnerable Java version:
> >
> >   Your installed version of Java is vulnerable to a severe remote
> >   exploit (remote code execution!). You must upgrade to at least Java
> >   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> >   disabled any plugins handling XML for the time being, but this
> >   includes searching and chat so you should upgrade ASAP!
>
> We're almost certainly vulnerable.  The jdk16 port is at Update 3.

Ah, I see. Thanks for clarifying.

> >   See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
> >   details.
> >
> >   Also, please do not use Thaw or Freetalk. The UPnP plugin is
> >   enabled, it might present a risk if you have bad guys on your LAN,
> >   but without it Freenet will not be able to port forward and will
> >   have severe problems.
> >
> > I'm running java/jdk16:
> >
> > phenom# java -version
> > java version 1.6.0_03-p4
> > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
> >
> > On 7.2-STABLE:
> >
> > phenom# uname -a
> > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64
> >
> > Is that version of Java really vulnerable? If yes, why doesn't
> >   # portaudit -Fda
> > report it as such, and could you please update the java/jdk16 port?
>
> We need an entry in the VUXML database I guess.
>
> Updating java/jdk16 is going to be a slow process.  There are lots of
> changes between Update 3 and Update 15.  I've partially merged Update 4,
> but obviously that still leaves many to go...

Looks like *a lot* of work...

Any chance to see progress here before 8.0-RELEASE? It's not a big deal,
but shipping an updated port without that vuln. would be nice.

> Greg Lewis  Email   : gle...@eyesbeyond.com
> Eyes Beyond Web : http://www.eyesbeyond.com
> Information Technology  FreeBSD : gle...@freebsd.org

Thanks for the great work supporting JDK natively on FreeBSD,

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


java/jdk16 vulnerability?

2009-09-28 Thread cpghost
[Sorry for resending: I didn't get any replies]

Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:

  Your installed version of Java is vulnerable to a severe remote
  exploit (remote code execution!). You must upgrade to at least Java
  5 update 20 or Java 6 update 15 as soon as possible. Freenet has
  disabled any plugins handling XML for the time being, but this
  includes searching and chat so you should upgrade ASAP!

  See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
  details.

  Also, please do not use Thaw or Freetalk. The UPnP plugin is
  enabled, it might present a risk if you have bad guys on your LAN,
  but without it Freenet will not be able to port forward and will
  have severe problems.

I'm running java/jdk16:

phenom# java -version
java version 1.6.0_03-p4
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)

On 7.2-STABLE:

phenom# uname -a
FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64

Is that version of Java really vulnerable? If yes, why doesn't
  # portaudit -Fda
report it as such, and could you please update the java/jdk16 port?

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: java/jdk16 vulnerability?

2009-09-28 Thread Greg Lewis
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> complains about an old and vulnerable Java version:
>
>   Your installed version of Java is vulnerable to a severe remote
>   exploit (remote code execution!). You must upgrade to at least Java
>   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
>   disabled any plugins handling XML for the time being, but this
>   includes searching and chat so you should upgrade ASAP!

We're almost certainly vulnerable.  The jdk16 port is at Update 3.

>   See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
>   details.
>
>   Also, please do not use Thaw or Freetalk. The UPnP plugin is
>   enabled, it might present a risk if you have bad guys on your LAN,
>   but without it Freenet will not be able to port forward and will
>   have severe problems.
>
> I'm running java/jdk16:
>
> phenom# java -version
> java version 1.6.0_03-p4
> Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
>
> On 7.2-STABLE:
>
> phenom# uname -a
> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64
>
> Is that version of Java really vulnerable? If yes, why doesn't
>   # portaudit -Fda
> report it as such, and could you please update the java/jdk16 port?

We need an entry in the VUXML database I guess.

Updating java/jdk16 is going to be a slow process.  There are lots of
changes between Update 3 and Update 15.  I've partially merged Update 4,
but obviously that still leaves many to go...

-- 
Greg Lewis  Email   : gle...@eyesbeyond.com
Eyes Beyond Web : http://www.eyesbeyond.com
Information Technology  FreeBSD : gle...@freebsd.org
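The question in this thread is whether a JDK reporting `1.6.0_03-p4` is below the levels the Freenet notice names (Java 5 update 20, Java 6 update 15). The following is an added example, not code from anyone in the thread, from Freenet or from the FreeBSD ports tree: it parses `java -version` output into family and update number and compares it against those two thresholds. The thresholds come from the notice quoted above; the sample output is constructed from cpghost's posted output (with the double quotes real `java -version` prints restored). It does not consult portaudit or VuXML, so it only answers "is this update level older than the fix", not "does the ports tree know about it".

```python
"""Compare an installed JDK's update level against the fixed levels quoted
in the Freenet warning (Java 5 update 20 / Java 6 update 15).

Added example; not code from the thread, Freenet or the FreeBSD ports tree.
"""
import re
import subprocess
from typing import NamedTuple, Optional

# Minimum fixed update per Java family, as stated in the Freenet notice
# quoted in the thread.  Families older than 5 can never satisfy the notice.
MIN_FIXED_UPDATE = {5: 20, 6: 15}

# Constructed sample: cpghost's posted `java -version` output.  Real
# `java -version` prints the version in double quotes; the list archive
# stripped them, so the parser accepts both forms.
SAMPLE_OUTPUT = """java version "1.6.0_03-p4"
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
"""

# 1.<family>.<minor>[_<update>][-p<fbsd patch>]   e.g. 1.6.0_03-p4
_VERSION_RE = re.compile(r'java version "?1\.(\d+)\.\d+(?:_(\d+))?(?:-p(\d+))?"?')


class JavaVersion(NamedTuple):
    family: int      # 5 for 1.5.x, 6 for 1.6.x
    update: int      # upstream update number (the _NN part), 0 if absent
    fbsd_patch: int  # FreeBSD port patch level (-pN), 0 if absent


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Return the version from `java -version` output, or None if no
    recognisable 'java version' line is present."""
    for line in output.splitlines():
        m = _VERSION_RE.search(line)
        if m:
            return JavaVersion(int(m.group(1)),
                               int(m.group(2) or 0),
                               int(m.group(3) or 0))
    return None


def is_vulnerable(v: JavaVersion) -> bool:
    """True if v is below the first fixed update for its family.

    The FreeBSD -pN suffix is deliberately ignored: it counts port-level
    patches and says nothing about which upstream update was merged,
    which is why a 1.6.0_03-p4 build is still "at Update 3".
    Families newer than 6 are outside the notice and are not flagged.
    """
    if v.family < 5:
        return True
    fixed = MIN_FIXED_UPDATE.get(v.family)
    if fixed is None:
        return False
    return v.update < fixed


def verdict(output: str) -> str:
    """Human-readable result for one `java -version` output."""
    v = parse_java_version(output)
    if v is None:
        return "could not parse a 'java version' line"
    need = MIN_FIXED_UPDATE.get(v.family)
    if is_vulnerable(v):
        want = f"{v.family}u{need}" if need else "Java 5u20 or 6u15"
        return f"Java {v.family} update {v.update}: below fixed level ({want}); upgrade"
    return f"Java {v.family} update {v.update}: at or above fixed level"


def installed_java_output() -> str:
    """Run the local `java -version`; the JVM prints it on stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    print("sample:   ", verdict(SAMPLE_OUTPUT))
    live = installed_java_output()
    print("this host:", verdict(live) if live else "no java binary found")
```

Run it as a script to check the local JVM; the sample line reproduces the thread's case and reports Java 6 update 3 as below 6u15. The point to keep in mind is the one Greg Lewis makes: the `-p4` port patch level is orthogonal to the upstream update number, so it is the `_03` that decides.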


Re: java/jdk16 vulnerability?

2009-09-28 Thread Robert Huff

Greg Lewis writes:

> >   Your installed version of Java is vulnerable to a severe remote
> >   exploit (remote code execution!). You must upgrade to at least Java
> >   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> >   disabled any plugins handling XML for the time being, but this
> >   includes searching and chat so you should upgrade ASAP!
>
> We're almost certainly vulnerable.  The jdk16 port is at Update 3.
>
> We need an entry in the VUXML database I guess.
>
> Updating java/jdk16 is going to be a slow process.  There are
> lots of changes between Update 3 and Update 15.  I've partially
> merged Update 4, but obviously that still leaves many to go...

As someone with zero knowledge of Java internals: what is the
recommended version at the moment? 


Robert Huff



java/jdk16 vulnerability?

2009-09-20 Thread cpghost
Hi Greg,

Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:

  Your installed version of Java is vulnerable to a severe remote
  exploit (remote code execution!). You must upgrade to at least Java
  5 update 20 or Java 6 update 15 as soon as possible. Freenet has
  disabled any plugins handling XML for the time being, but this
  includes searching and chat so you should upgrade ASAP!

  See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
  details.

  Also, please do not use Thaw or Freetalk. The UPnP plugin is
  enabled, it might present a risk if you have bad guys on your LAN,
  but without it Freenet will not be able to port forward and will
  have severe problems.

I'm running java/jdk16:

phenom# java -version
java version 1.6.0_03-p4
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)

On 7.2-STABLE:

phenom# uname -a
FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64

Is that version of Java really vulnerable? If yes, why doesn't
  # portaudit -Fda
report it as such, and could you please update the java/jdk16 port?

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/