java/jdk16 vulnerability?
Eugene Dzhurinsky
bofh at redwerk.com
Mon Sep 28 10:55:18 UTC 2009
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> [Sorry for resending: I didn't get any replies]
>
> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> complains about an old and vulnerable Java version:
>
> Your installed version of Java is vulnerable to a severe remote
> exploit (remote code execution!). You must upgrade to at least Java
> 5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> disabled any plugins handling XML for the time being, but this
> includes searching and chat so you should upgrade ASAP!
>
> See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
> details.
>
> Also, please do not use Thaw or Freetalk. The UPnP plugin is
> enabled, it might present a risk if you have bad guys on your LAN,
> but without it Freenet will not be able to port forward and will
> have severe problems.
>
> I'm running java/jdk16:
>
> phenom# java -version
> java version "1.6.0_03-p4"
> Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
>
> On 7.2-STABLE:
>
> phenom# uname -a
> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root at phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC amd64
>
> Is that version of Java really vulnerable? If yes, why doesn't
> # portaudit -Fda
> report it as such, and could you please update the java/jdk16 port?
AFAIR, the maintenance of JDK 6 is put on hold due to some licencing issues
with Sun. You may want to use OpenJDK port, probably that will solve your
problem. As for it's own vulnerabilities - I'm not sure if they do exist.
--
Eugene N Dzhurinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-java/attachments/20090928/6ab5b503/attachment.pgp
More information about the freebsd-java
mailing list