portaudit prevents installation of linux-sun-jdk16

Frank Bartels freebsd at knarf.de
Mon May 3 13:20:52 UTC 2010

I've sent the following email to java at freebsd.org & secteam at FreeBSD.org
one month ago, but I got no answer.

The same problem still exists with linux-sun-jdk-

Date: Mon, 29 Mar 2010 00:48:36 +0200
To: java at freebsd.org, secteam at FreeBSD.org
Subject: portaudit prevents installation of linux-sun-jdk16

Hi java at freebsd.org & secteam at FreeBSD.org,

I think this is both a java and a portaudit issue.

I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:


So I had a look at the versions of /usr/ports/java/*jdk16* on my
FreeBSD machine.

linux-sun-jdk- seems to be the only port in the tree that
meets the requirements. But if I try to make it, portaudit prevents
the build:

===>  linux-sun-jdk- has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a

But if I have a look at the reference URL, 1.6 does not seem to be
affected. I did a portaudit -F in order to make sure my database
is up to date.

So is this a false positive that should get fixed?

There was a PR on this in 2007:


The reason for this PR to get closed was it was reproducible with


My open questions:

1. Is linux-sun-jdk- still vulnerable? Sorry, I don't have
a bad.jar, but I'm willing to test.

2. Shouldn't
http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
updated in order to make clear at least linux-sun-jdk- was

3. Why does portaudit think it's vulnerable even if the auditfile
does not seem to contain a matching entry for linux-sun-jdk-

$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk<=|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk-freebsd6<=i386.|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

Thanks for listening,
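
Added example, not part of the original message and not portaudit's own code: a simplified model of matching a package against auditfile entries in the pattern|url|description layout shown above. It shows one property worth checking when a range seems not to cover a version: a ",N" PORTEPOCH suffix in a bound is compared before the version digits. The package name, URLs and version bounds are constructed, since the bounds in the post are truncated, and the comparison handles numeric dotted versions only.

```python
import operator
import re

# Constructed auditfile lines in the pattern|url|description layout shown in
# the post. Package name, URLs and version bounds are made up for illustration.
SAMPLE = """\
example-jdk<=1.4.2|http://example.invalid/a.html|constructed entry A
example-jdk>=1.5.*<=1.5.0,2|http://example.invalid/b.html|constructed entry B
"""

OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
       ">": operator.gt, "=": operator.eq}


def parse_entry(line):
    """Split one auditfile line into (name, [(op, version), ...], url, desc)."""
    pattern, url, desc = line.split("|", 2)
    name = re.split(r"[<>=]", pattern, maxsplit=1)[0]
    bounds = re.findall(r"(<=|>=|<|>|=)([^<>=]+)", pattern[len(name):])
    return name, bounds, url, desc


def version_key(version):
    """Simplified ordering (assumption): PORTEPOCH (,N) is compared first,
    then dotted numeric components ('*' sorts below any number), then
    PORTREVISION (_N). Letters inside components are not handled."""
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    parts = [-1 if p == "*" else int(p) for p in version.split(".")]
    return (int(epoch or 0), parts, int(revision or 0))


def matching_entries(auditfile_text, pkg_name, pkg_version):
    """Return descriptions of entries whose name and every bound match."""
    key = version_key(pkg_version)
    hits = []
    for line in auditfile_text.splitlines():
        name, bounds, _url, desc = parse_entry(line)
        if name == pkg_name and bounds and all(
                OPS[op](key, version_key(bound)) for op, bound in bounds):
            hits.append(desc)
    return hits


if __name__ == "__main__":
    # Without an epoch, 1.6.0.18 sorts below the ",2" upper bound of entry B.
    print(matching_entries(SAMPLE, "example-jdk", "1.6.0.18"))
    # The same version carrying epoch 2 falls outside both ranges.
    print(matching_entries(SAMPLE, "example-jdk", "1.6.0.18,2"))
```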