On 01/13/2013 06:48 PM, NoOp wrote: > On 01/12/2013 07:42 PM, George R. Crossman wrote: >> I'm seeing warnings saying that one should disable embedded Java to >> avoid hacking. Does this apply to linux users? If so, what is the procedure? > > Yes. If you are using your distributions version of Oracle Java 7, then > they will (eventually) issue a security update. If you have installed on > your own, Java7u11 is now available: > > <https://www.java.com/en/download/manual.jsp> > > <http://www.oracle.com/technetwork/java/javase/downloads/index.html> > <http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
Note: This may be off topic for this list as all reports indicate that the issue only concerns browsers. However LO (and AOO) accomodate http links in documents; so until LO confirms there is no risk I'd recommend turning off *all* java & only turn back on for necessary applications. ** No idea if openJDK has been affected yet. Follow-up: U.S. says Java still risky, even after security update: <http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114> Of course Reuters don't bother to provide a cite link, so I have: <http://www.kb.cert.org/vuls/id/625617> <quote> Solution Update to Java 7u11 Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Immunity[1] has indicated that only the reflection vulnerability has been fixed. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future. </quote> Added note: Windows users - if you have javafx installed, you must either uninstall it, or update it to the latest 2.2.4 version after you update the Java7U11 in order for Firefox or SeaMonkey to recognize java. Javafx update link is here: <https://www.java.com/en/javafx/> If you absolutely have to run java in FF or SM, I highly recommend installing Prefbar so that you can easily turn on/off java simply by checking the Java box. <https://addons.mozilla.org/en-us/seamonkey/addon/prefbar/> <http://prefbar.tuxfamily.org/help/buttons.html#java> [1] <http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html> -- For unsubscribe instructions e-mail to: [email protected] Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
