On Sat, Aug 8, 2009 at 7:22 PM, Matthew Toseland <toad at amphibian.dyndns.org> wrote:
> Anyone running Freenet must upgrade to at least Sun Java 6 Update 15 or Sun
> Java 5 Update 20.
>
> Until you are able to do this, please shut down anything that parses XML,
> specifically:
> - Do not use the search function (XMLLibrarian).
> - Unload the WoT and Freetalk plugins if you are using them. Likewise with
>   Library etc.
> - Do not use Thaw. Shut it down if it is running.
>
> Other applications may also be vulnerable via the Python libexpat and Apache
> Xerces libraries, so you should update your distribution ASAP. However, not
> all applications that process XML are vulnerable as there are a number of XML
> parsers.
>
> This concerns both denial of service and remote code execution and thus is a
> *SEVERE* vulnerability.
>
> I will be putting out a new build ASAP, which will tell any users who haven't
> upgraded to upgrade and will disable XMLLibrarian until they do so.
>
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Should this also disable the Thaw Index Browser (Thaw indexes are XML also, I haven't looked at the code though)?

Evan Daniel
