On Sunday 09 August 2009 01:10:19 Ximin Luo wrote:
> Matthew Toseland wrote:
> > Anyone running Freenet must upgrade to at least Sun Java 6 Update 15 or Sun
> > Java 5 Update 20.
> >
> > Until you are able to do this, please shut down anything that parses XML,
> > specifically:
> > - Do not use the search function (XMLLibrarian).
> > - Unload the WoT and Freetalk plugins if you are using them. Likewise with
> > Library etc.
> > - Do not use Thaw. Shut it down if it is running.
> >
> > Other applications may also be vulnerable via the Python libexpat and
> > Apache Xerces libraries, so you should update your distribution ASAP.
> > However, not all applications that process XML are vulnerable as there are
> > a number of XML parsers.
> >
> > This concerns both denial of service and remote code execution and thus is
> > a *SEVERE* vulnerability.
> >
> > I will be putting out a new build ASAP, which will tell any users who
> > haven't upgraded to upgrade and will disable XMLLibrarian until they do so.
> >
> > http://www.cert.fi/en/reports/2009/vulnerability2009085.html
> >
> >
>
> The bug exists for OpenJDK too. It has been fixed (27.b16.fc11) in the Fedora
> repositories:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=512921
How do we reliably detect whether the OpenJDK JVM is vulnerable? On Sun we just
look at the version/update numbers... what does Freenet say on the stats page
with the broken/fixed JVM? Or fire up bsh (beanshell) and do
System.err.println(System.getProperty("java.version"));
>
> Debian's bug-tracker makes no mention of it however:
The first hit on Google suggests Debian are treating it as a non-critical DoS,
which is what CVE says it is. Unfortunately CVE are wrong. CVE now link to
cert-fi's announcement of it as a remote code execution vulnerability and still
rate it as a DoS. :(
http://osdir.com/ml/debian-devel-changes/2009-08/msg00683.html
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=openjdk-6;dist=unstable;repeatmerged=0
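As an added illustration of the Sun-branch half of the question above (not part of the thread, and not Freenet project code), the following POSIX shell function takes a `java.version` string, as printed by `java -version` or by the beanshell one-liner quoted above, and classifies it against the minimum fixed releases named in the announcement: Sun Java 6 Update 15 (`1.6.0_15`) and Sun Java 5 Update 20 (`1.5.0_20`). It deliberately reports `unknown` for anything outside those two families, since, as the thread notes, the version string alone does not settle the OpenJDK case (there the fix is carried in the distribution package, e.g. Fedora's 27.b16.fc11). The function name and the output words are my own choices.

```shell
#!/bin/sh
# Added example: classify a Sun JVM "java.version" string against the minimum
# fixed releases named in the advisory thread (1.6.0_15 and 1.5.0_20).
# Prints "fixed", "vulnerable" or "unknown"; returns 0 only for "fixed".
# Function name and output vocabulary are assumptions of this example.

# Usage: check_sun_java_version "1.6.0_14"
check_sun_java_version() {
    ver="$1"
    # Split "1.6.0_15" into the release ("1.6.0") and the update number ("15").
    # A string with no "_update" suffix (e.g. "1.6.0") is treated as update 0.
    case "$ver" in
        *_*) release=${ver%%_*}; update=${ver##*_} ;;
        *)   release=$ver;       update=0 ;;
    esac
    # Reduce "1.6.0" to the family "1.6".
    family=$(printf '%s' "$release" | cut -d. -f1,2)
    # Drop a trailing build tag such as "-b01" from the update number.
    update=${update%%-*}
    case "$update" in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    # Minimum fixed update per family, as stated in the announcement.
    case "$family" in
        1.6) min=15 ;;
        1.5) min=20 ;;
        *)   echo unknown; return 2 ;;   # not a family the advisory covers
    esac
    if [ "$update" -ge "$min" ]; then
        echo fixed; return 0
    else
        echo vulnerable; return 1
    fi
}

# Stand-alone run: inspect whatever "java" is on PATH, if any.
# Sun's "java -version" prints e.g. 'java version "1.6.0_14"' on stderr.
if command -v java >/dev/null 2>&1; then
    v=$(java -version 2>&1 | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    echo "java.version=$v: $(check_sun_java_version "$v")"
fi
```

The exit status makes the function usable from a start-up script: a non-zero return means "do not start the XML-parsing plugins yet". A result of `unknown` (including every OpenJDK build, whose `java -version` banner does not match the Sun pattern) should be treated as "check the distribution's package changelog", not as safe.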