On 01/13/2013 05:35 AM, James Knott wrote:
> Jay Lozier wrote:
>> Yes, all OS's are affected because Java is cross platform. I am not
>> sure if any of the previous versions are affected or if only the
>> current release is affected.
>>
>> The primary concern is Java applets run by your browser. The
>> vulnerability allows a zero-day browser exploit that as yet is not
>> patched by Oracle. The primary concerns I have heard of are
>> installation of keyloggers and installation of ransomware. I would
>> assume the malware will use the JVM to run and would be cross
>> platform. AFAIK, Oracle has not yet announced when a patch will be
>> available.
>
> As I mentioned in another note, I'm running OpenJDK, not Oracle Java.
> So the question becomes is it a problem in general with Java or just
> Oracle's.

It is an OpenJDK problem as well. I've just posted this on the Mozilla SeaMonkey user support nntp group:

Given the Zero-Day Java 7 vulnerabilities (see Paul B Gallagher's thread: 'Java 7u10 vulnerability in browsers'), and for those using OpenJDK & Icedtea for Java JRE:

Security releases for OpenJDK and Icedtea were released yesterday (Tues Jan 17).

<http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/>
<http://blog.fuseyism.com/index.php/2013/01/16/security-and-browser-plugins/>

This confirms that OpenJDK7 and IcedTea7 were vulnerable - of course I reckon that it will take a while for the builds to get pushed to the distros.

Note that "OpenJDK 6 is not affected.".

So if you are using OpenJDK7 I'd recommend installing OpenJDK6 (you can leave OpenJDK7 installed[1]), and then using update-alternatives to set OpenJDK6 as the system JRE.

For Debian/Ubuntu users:

    $ sudo apt-get update && sudo apt-get upgrade
    $ sudo apt-get install openjdk-6-jre
    $ sudo apt-get install icedtea6-plugin
    $ sudo update-alternatives --config java
    $ sudo update-alternatives --config mozilla-javaplugin.so

Ensure that you are using OpenJDK6 instead of OpenJDK7. Example:

    ~$ java -version
    java version "1.6.0_24"
    OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
    OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

If you enable Java in SeaMonkey (I recommend using Prefbar to turn Java on/off), the IcedTea plugin (Ubuntu in this example) in about:config will show:

    IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.3))
    File: /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
    Version:
    The IcedTea-Web Plugin executes Java applets.

I'd also check your LibreOffice/ApacheOO installs & select OpenJDK6:

    Tools|Options|Java| select 'Sun Microsystems, Inc. 1.6.0_24'

Note: I do not know of the current zero-day vulnerability affecting LibreOffice/ApacheOO - but to be cautious I revert to OpenJDK6.

[1] I keep openJDK7 installed so that it will be updated when the distro packagers issue the security update.
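
The verification step described in the message above, as an added example that is not part of the original post: a small shell check that parses `java -version` output and a plugin path to confirm OpenJDK 6 is what the alternatives now select. The function names are hypothetical, and the `java-7-openjdk` path pattern is an assumption modelled on the `java-6-openjdk-amd64` path quoted in the message.

```shell
#!/bin/sh
# Added example: confirm which JRE and browser plugin are active after the
# update-alternatives steps. Version strings are parsed as text, so the
# functions can be exercised without Java installed.

# Constructed sample input: the `java -version` output quoted in the message.
SAMPLE='java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)'

# Print N from a first line of the form: java version "1.N.x_yy"
java_major() {
    printf '%s\n' "$1" | sed -n '1s/^[a-z]* version "1\.\([0-9][0-9]*\)\..*/\1/p'
}

# Print the vendor named in the "Runtime Environment" line.
java_vendor() {
    case "$1" in
        *"OpenJDK Runtime Environment"*) echo openjdk ;;
        *"Java(TM) SE Runtime Environment"*) echo oracle ;;
        *) echo unknown ;;
    esac
}

# Print the OpenJDK family a plugin file path belongs to (path layout assumed).
plugin_family() {
    case "$1" in
        */java-6-openjdk*) echo 6 ;;
        */java-7-openjdk*) echo 7 ;;
        *) echo unknown ;;
    esac
}

# Return 0 only when the active JRE is OpenJDK 6; 1 otherwise; 2 if unparsable.
check_jre() {
    major=$(java_major "$1")
    vendor=$(java_vendor "$1")
    if [ -z "$major" ]; then
        echo "UNKNOWN: could not parse a version string"; return 2
    fi
    if [ "$vendor" = openjdk ] && [ "$major" = 6 ]; then
        echo "OK: OpenJDK 6 is the active JRE"; return 0
    fi
    echo "CHECK: active JRE is $vendor 1.$major, not OpenJDK 6"; return 1
}

check_jre "$SAMPLE"
# Live use (java -version writes to stderr): check_jre "$(java -version 2>&1)"
```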
