On Sun, Aug 16, 2009 at 12:27 PM, Ian Clarke <ian at locut.us> wrote:
> On Sun, Aug 16, 2009 at 11:19 AM, xor <xor at gmx.li> wrote:
>> On Sunday 16 August 2009 17:50:21 Ian Clarke wrote:
>>>
>>> Can't we use a 3rd party XML parsing library to get around this
>>> vulnerability?
>>
>> We should rather nag Sun or the responsible Mac people (I don't know whether
>> they have package management and just have not upgraded the package yet, or whether
>> Sun did not deploy a new version?) to fix the issue. It is a shame that a
>> remotely exploitable bug is not fixed for weeks.
>
> Unfortunately Apple is responsible for the JRE on OSX and they are
> notorious for neglecting it, and leaving unpatched vulnerabilities
> open for months, even years :-(
>
>> It's not our job, and switching to other libraries would be a major amount of
>> work I guess.
>
> Well, it may not be our fault, but it is our problem if Mac users are
> either vulnerable, or can't get full use of Freenet and get scary
> messages on the fproxy front page.
Which means that even fixing this issue doesn't actually solve the underlying problem. We should complain to Apple and alert the user. If there's a non-Apple OSX JVM available that's more up to date, we could add a link and recommend that. Aside from that, I think Freenet's responsibilities extend to being aware of other people's security bugs, but not to fixing them. I use OSX on my laptop, and I'm annoyed at Apple, but I don't think this is Freenet's problem.

Evan Daniel
