java/141919: Serious remote vulnerability in the JRE

Brian Gardner openjdk at getsnappy.com
Mon Dec 28 07:50:05 UTC 2009


The following reply was made to PR java/141919; it has been noted by GNATS.

From: Brian Gardner <openjdk at getsnappy.com>
To: Romain Dalmaso <artefact2 at gmail.com>
Cc: freebsd-gnats-submit at freebsd.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Date: Sun, 27 Dec 2009 23:46:23 -0800

 I believe openjdk6-b17 fixes the problem. I haven't released it yet,
 although it's been tested and it's ready to ship. I'll try and get it
 committed later this week. The latest version of the port and
 instructions are available for test from here:
 
 http://www.getsnappy.com/tech-blog/freebsd-tips-tricks/upgrading-freebsd-port-java-openjdk6-from-b16-to-b17/
 
 It sounds like the openjdk community will be releasing b18 shortly,
 which I believe also includes some security fixes.
 
 On Dec 23, 2009, at 5:37 AM, Romain Dalmaso wrote:
 
 >
 >> Number:         141919
 >> Category:       java
 >> Synopsis:       Serious remote vulnerability in the JRE
 >> Confidential:   no
 >> Severity:       critical
 >> Priority:       high
 >> Responsible:    freebsd-java
 >> State:          open
 >> Quarter:
 >> Keywords:
 >> Date-Required:
 >> Class:          update
 >> Submitter-Id:   current-users
 >> Arrival-Date:   Wed Dec 23 13:40:06 UTC 2009
 >> Closed-Date:
 >> Last-Modified:
 >> Originator:     Romain Dalmaso
 >> Release:        7.2-RELEASE
 >> Organization:
 >> Environment:
 >> Description:
 > A serious vulnerability affecting all the current Java ports allows
 > any potential attacker to take control of the machine remotely if it
 > uses a Java application dealing with the XML parser.
 >
 > The issue has been there for months, and has been fixed since Java 6
 > update 15 and Java 5 update 20. So simply updating the port would
 > solve the issue.
 >
 > This vulnerability affects, for instance, all the Freenet nodes
 > running under FreeBSD:
 > http://freenetproject.org/news.html#xml-vuln
 >
 > More details about it:
 > http://www.cert.fi/en/reports/2009/vulnerability2009085.html
 >
 > Thanks for your interest.
 >> How-To-Repeat:
 >
 >> Fix:
 >
 >
 >> Release-Note:
 >> Audit-Trail:
 >> Unformatted:
 

