Hi,

Yesterday it was discovered that Java contains a floating point bug that can be exploited to crash a system:

http://www.theregister.co.uk/2011/02/09/java_floating_point_bug_fixed/

The denial of service (DOS) can be triggered when the Java Virtual Machine needs to convert a certain large number from a string representation to a number. It appears that Tomcat (a widely used Java web server) is vulnerable. If a certain HTTP request is sent to Tomcat, the thread that handles the HTTP request gets stuck in an endless loop, which can lead to a denial of service (DOS) if multiple requests are sent.

Because Djigzo uses Tomcat for the Web GUI, this Java bug affects Djigzo as well. If your Djigzo server is externally accessible, i.e., from outside your firewall, attackers might cause Tomcat to hang. Ubuntu will probably release a patched JVM within a couple of days. For those who can't wait for this, I have a Java patch available which you can install. Please contact me directly if you need the patch.

For more information about the problem see:

http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Oracle has issued an emergency patch and will release an official patch next week. Ubuntu will probably have a patch ready next week.

To sum up: If your Djigzo server is externally accessible, it is vulnerable to a Java bug which might result in the Web GUI hanging. This Java bug impacts most systems using Java.

Kind regards,

Martijn Brinkers

--
Djigzo open source email encryption
_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
