Is sun-java6 6.26-0squeeze1 vulnerable to CVE-2012-1723?
Sorry if this has been addressed elsewhere. I searched the list and bug reports and didn't see anything.

I'm running Squeeze and today Iceweasel informed me that Java Plug-in 1.6.0_26 is insecure and recommended disabling it. Versions below 1.6.0_33 or between 1.7.0 and 1.7.0_5 are now in the Mozilla blocklist:

https://addons.mozilla.org/en-US/firefox/blocked/p119
https://bugzilla.mozilla.org/show_bug.cgi?id=780717

My question is, is sun-java6 6.26-0squeeze1 vulnerable to CVE-2012-1723? If yes, this is a bug against sun-java6 to update the package. If no, I need to file a bug against Mozilla's blocklist for incorrectly flagging this version as insecure.

Thanks,
Kevin

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: Is sun-java6 6.26-0squeeze1 vulnerable to CVE-2012-1723?
On 2012-08-14 23:16, Kevin wrote:
> Sorry if this has been addressed elsewhere. I searched the list and bug reports and didn't see anything.
>
> I'm running Squeeze and today Iceweasel informed me that Java Plug-in 1.6.0_26 is insecure and recommended disabling it. Versions below 1.6.0_33 or between 1.7.0 and 1.7.0_5 are now in the Mozilla blocklist:
>
> https://addons.mozilla.org/en-US/firefox/blocked/p119
> https://bugzilla.mozilla.org/show_bug.cgi?id=780717
>
> My question is, is sun-java6 6.26-0squeeze1 vulnerable to CVE-2012-1723? If yes, this is a bug against sun-java6 to update the package. If no, I need to file a bug against Mozilla's blocklist for incorrectly flagging this version as insecure.
>
> Thanks,
> Kevin

Hi,

It is quite possible that sun-java6 is vulnerable to that CVE; I haven't checked. The problem is that we cannot do anything about it as we do not have permission to distribute updates for sun-java6[1]...

~Niels

[1] http://sylvestre.ledru.info/blog/sylvestre/2011/08/26/sun_java6_packages_removed_from_debian_u
Re: Is sun-java6 6.26-0squeeze1 vulnerable to CVE-2012-1723?
> It is quite possible that sun-java6 is vulnerable to that CVE; I haven't checked. The problem is that we cannot do anything about it as we do not have permission to distribute updates for sun-java6[1]...

Thanks for the explanation. I understand this package has been dropped from testing and unstable. Is there a way other than the Mozilla blocklist to inform Squeeze users that they are running an insecure package?

Since I'm running stable and this package is still present in the repository, I assumed it was still receiving security updates. Forgive me if this is a naive question, but should the package be removed from stable so users are not unwittingly given a false sense of security?

Thanks,
Kevin