java/jdk16 vulnerability?

cpghost cpghost at cordula.ws
Wed Sep 30 15:10:13 UTC 2009 

On Mon, Sep 28, 2009 at 08:48:37PM -0700, Greg Lewis wrote:
> On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> > complains about an old and vulnerable Java version:
> > 
> >   Your installed version of Java is vulnerable to a severe remote
> >   exploit (remote code execution!). You must upgrade to at least Java
> >   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> >   disabled any plugins handling XML for the time being, but this
> >   includes searching and chat so you should upgrade ASAP!
> 
> We're almost certainly vulnerable.  The jdk16 port is at Update 3.

Ah, I see. Thanks for clarifying.

> >   See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
> >   details.
> > 
> >   Also, please do not use Thaw or Freetalk. The UPnP plugin is
> >   enabled, it might present a risk if you have bad guys on your LAN,
> >   but without it Freenet will not be able to port forward and will
> >   have severe problems.
> > 
> > I'm running java/jdk16:
> > 
> > phenom# java -version
> > java version "1.6.0_03-p4"
> > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
> > 
> > On 7.2-STABLE:
> > 
> > phenom# uname -a
> > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009     root at phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64
> > 
> > Is that version of Java really vulnerable? If yes, why doesn't
> >   # portaudit -Fda
> > report it as such, and could you please update the java/jdk16 port?
> 
> We need an entry in the VUXML database I guess.
> 
> Updating java/jdk16 is going to be a slow process.  There are lots of
> changes between Update 3 and Update 15.  I've partially merged Update 4,
> but obviously that still leaves many to go...

Looks like *a lot* of work...

Any chance to see progress here before 8.0-RELEASE? It's not a big deal,
but shipping an updated port without that vuln. would be nice.

> Greg Lewis                          Email   : glewis at eyesbeyond.com
> Eyes Beyond                         Web     : http://www.eyesbeyond.com
> Information Technology              FreeBSD : glewis at FreeBSD.org

Thanks for the great work supporting JDK natively on FreeBSD,

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/

More information about the freebsd-questions mailing list