Question Update Java Security Updates

Greg Lewis glewis at eyesbeyond.com
Tue Mar 1 06:06:57 UTC 2011


On Thu, Feb 24, 2011 at 09:05:20PM +0100, Zenger, Alexander wrote:
> I was wondering how the security updates from the Oracle Java are integrated in FreeBSD Java.
> I couldn't find any information related to that on the FreeBSD Java site, and I also didn't see
> any portaudit entries, but I think there must be some. 
> For example CVE-2010-4476 "Converting the decimal value '2.2250738585072012e-308' causes a dos".
> There were several CVEs fixed with the last Release, see here:
> 
> 	http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

Unfortunately it's basically only the OpenJDK ports that are getting
security updates for most instances, and even then only when the ports
themselves are updated due to new releases, not often when the
vulnerability is announced.

For the particular issue you reference I did commit a patch, but that's
only because I found one easily enough.  I'd very much welcome people
submitting patches, although doing so for the Diablo ports is problematic
since each change requires the test suite to be rerun (no small task) and
for jdk16 the whole port just needs a major update to a recent JDK6
release.

-- 
Greg Lewis                          Email   : glewis at eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis at FreeBSD.org

