java/141919: Serious remote vulnerability in the JRE
openjdk at getsnappy.com
Mon Dec 28 07:50:05 UTC 2009
The following reply was made to PR java/141919; it has been noted by GNATS.
From: Brian Gardner <openjdk at getsnappy.com>
To: Romain Dalmaso <artefact2 at gmail.com>
Cc: freebsd-gnats-submit at freebsd.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Date: Sun, 27 Dec 2009 23:46:23 -0800
I believe openjdk6-b17 fixes the problem. I haven't released it yet,
although it's been tested and it's ready to ship. I'll try and get it
committed later this week. The latest version of the port and
instructions are available for test from here:
It sounds like the openjdk community will be releasing b18 shortly
which I believe also includes some security fixes.
On Dec 23, 2009, at 5:37 AM, Romain Dalmaso wrote:
>> Number: 141919
>> Category: java
>> Synopsis: Serious remote vulnerability in the JRE
>> Confidential: no
>> Severity: critical
>> Priority: high
>> Responsible: freebsd-java
>> State: open
>> Class: update
>> Submitter-Id: current-users
>> Arrival-Date: Wed Dec 23 13:40:06 UTC 2009
>> Originator: Romain Dalmaso
>> Release: 7.2-RELEASE
> A serious vulnerability affecting all the current Java ports allows
> any potential attacker to take control of the machine remotely if it
> uses a Java application dealing with the XML parser.
> The issue has been there for months, and has been fixed since Java 6
> update 15 and Java 5 update 20. So simply updating the port would
> solve the issue.
> This vulnerability affects, for instance, all the Freenet nodes
> running under FreeBSD:
> More details about it:
> Thanks for your interest.