Question Update Java Security Updates
Greg Lewis
glewis at eyesbeyond.com
Tue Mar 1 06:06:57 UTC 2011
On Thu, Feb 24, 2011 at 09:05:20PM +0100, Zenger, Alexander wrote:
> I was wondering how the security updates from the Oracle Java are integrated in FreeBSD Java.
> I couldn't find any information related to that on the FreeBSD Java site, and I also didn't see
> any portaudit entries, but I think there must be some.
> For example CVE-2010-4476, "Converting the decimal value '2.2250738585072012e-308' causes a DoS".
> There were several CVEs fixed with the last release, see here:
>
> http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

Unfortunately it's basically only the OpenJDK ports that are getting
security updates for most instances, and even then only when the ports
themselves are updated due to new releases, not often when the
vulnerability is announced.

For the particular issue you reference I did commit a patch, but that's
only because I found one easily enough. I'd very much welcome people
submitting patches, although doing so for the Diablo ports is problematic
since each change requires the test suite to be rerun (no small task) and
for jdk16 the whole port just needs a major update to a recent JDK6
release.
--
Greg Lewis Email : glewis at eyesbeyond.com
Eyes Beyond Web : http://www.eyesbeyond.com
Information Technology FreeBSD : glewis at FreeBSD.org