What's up with java and security?

Greg Lewis glewis at eyesbeyond.com
Mon May 16 21:08:29 PDT 2005


Hi Alfred,

On Mon, May 16, 2005 at 08:34:20PM -0700, Alfred Perlstein wrote:
> I wanted to play with java, but it looks like all the ports we
> have are busted...
> 
> jdk13 native has issues:
> ===>  jdk-1.3.1p9_5 has known vulnerabilities:
> => jdk/jre -- Security Vulnerability With Java Plugin.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/ac619d06-3ef8-11d9-8741-c942c075aa41.html>

As long as you don't use the plugin you're not vulnerable, so it depends on
what you want to do.

> jdk14 depends on linux-sun-jdk14 which has issues:
> ===>  linux-sun-jdk-1.4.2.08_1 has known vulnerabilities:
> => jdk -- jar directory traversal vulnerability.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

Right, but once the native jdk14 is built you can remove the Linux version.
The native jdk14 (if your ports tree is up to date, I committed the fix
last week) has the jar directory traversal problems fixed, so it's not
vulnerable.

> Is Sun planning on fixing this?

I would have thought it would have been in 1.5.0_03, but it's not, and
they haven't released a 1.4.2_09 with it in yet either.  One assumes
they are planning on fixing it, but they just haven't yet.

Until then, just install the Linux version long enough to bootstrap
the native port and remove it once it's built.  The build process doesn't
expose you to any vulnerabilities.

-- 
Greg Lewis                          Email   : glewis at eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis at FreeBSD.org
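
The "jar directory traversal vulnerability" mentioned in this thread is the class of bug where an archive entry named with `..` components or an absolute path gets written outside the directory the jar is being extracted into. As an added example (not code from this thread, the FreeBSD port, or Sun's fix), the Python below audits a jar's entry names against a destination directory and only extracts entries that resolve inside it; the sample jar and the `/opt/app` destination are constructed for the demonstration.

```python
import io
import os
import posixpath
import zipfile

def build_sample_jar() -> bytes:
    """Constructed test fixture: a jar (zip) with two ordinary entries and two
    entries whose names would escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/../../outside.txt", "lands above the target dir\n")
        zf.writestr("/etc/absolute.txt", "absolute entry name\n")
    return buf.getvalue()

def is_safe_entry(name: str, dest: str) -> bool:
    """True only if the entry name resolves to a location inside `dest`."""
    if not name or name.startswith(("/", "\\")):
        return False
    # Jar entries use forward slashes; normalise and collapse any '..'.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return False
    # Final check on the resolved filesystem path (also covers a symlinked dest).
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, normalized))
    return target == dest_real or target.startswith(dest_real + os.sep)

def audit_jar(data: bytes, dest: str = "/opt/app") -> dict:
    """Classify each entry as 'safe' or 'unsafe' without writing anything."""
    result = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            key = "safe" if is_safe_entry(info.filename, dest) else "unsafe"
            result[key].append(info.filename)
    return result

def safe_extract(data: bytes, dest: str) -> list:
    """Extract only after every entry passes the check; refuse the jar otherwise."""
    report = audit_jar(data, dest)
    if report["unsafe"]:
        raise ValueError("traversal entries: %s" % ", ".join(report["unsafe"]))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in report["safe"]:
            zf.extract(name, dest)
    return report["safe"]
```

Running `audit_jar(build_sample_jar())` lists the two ordinary entries as safe and the two escaping ones as unsafe, and `safe_extract` refuses the whole jar rather than silently skipping them.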

