On Fri, May 02, 2003 at 02:13:08PM -0500, Drew Scott Daniels wrote:
> http://www.securityfocus.com/bid/7109 says Sun's JRE and Java SDKs versions
> less than 1.4.1_02 are vulnerable as well as IBM's JDK.
>
> The BID seems to indicate the vulnerability is in java.util.zip
>
> I'm not sure which versions of Java JRE's and SDKs are in Debian, but it
> seems to me that in Contrib there's an IBM JDK installer that might install
> an affected version.
>
Well, that's an easy question, and also documented [1]. The JDKs available
in Debian are Sun's JDK 1.1 (is it vulnerable?) and Kaffe (ditto) (notice
that IBM-JDK was an installer-only package in 'stable'). The
newer JDKs/JRE are _not_ available (they are at Blackdown).
In any case, this is also non-free software (i.e. unsupported); you might
want to mention it to the security team but it will go to the end of the
"to fix" queue.
Regards
Javi
[1] http://www.debian.org/doc/manuals/debian-java-faq/
Some info is not fully up to date so don't trust it fully.