java/jdk16 vulnerability?

Greg Lewis glewis at
Tue Sep 29 04:20:07 UTC 2009

On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> Freenet ( on my FreeBSD/amd64 system
> complains about an old and vulnerable Java version:
>   Your installed version of Java is vulnerable to a severe remote
>   exploit (remote code execution!). You must upgrade to at least Java
>   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
>   disabled any plugins handling XML for the time being, but this
>   includes searching and chat so you should upgrade ASAP!

We're almost certainly vulnerable.  The jdk16 port is at Update 3.

>   See for
>   details.
>   Also, please do not use Thaw or Freetalk. The UPnP plugin is
>   enabled, it might present a risk if you have bad guys on your LAN,
>   but without it Freenet will not be able to port forward and will
>   have severe problems.
> I'm running java/jdk16:
> phenom# java -version
> java version "1.6.0_03-p4"
> Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
> On 7.2-STABLE:
> phenom# uname -a
> FreeBSD 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009     root at  amd64
> Is that version of Java really vulnerable? If yes, why doesn't
>   # portaudit -Fda
> report it as such, and could you please update the java/jdk16 port?

We need an entry in the VUXML database I guess.

Updating java/jdk16 is going to be a slow process.  There are lots of
changes between Update 3 and Update 15.  I've partially merged Update 4,
but obviously that still leaves many to go...

Greg Lewis                          Email   : glewis at
Eyes Beyond                         Web     :
Information Technology              FreeBSD : glewis at

More information about the freebsd-questions mailing list