java vulnerability

2013-01-17 Thread Ken Teh

What's the status of the java package that's installed on SL6x?  
java-1.6.0-openjdk.  Is it vulnerable to this java security flaw that made the 
national news this week?  Cyber is advising us to remove it but a lot of 
packages depend on it.  The biggie is LibreOffice.

Thanks!


Re: java vulnerability

2013-01-17 Thread Connie Sieh

On Thu, 17 Jan 2013, Ken Teh wrote:

> What's the status of the java package that's installed on SL6x?
> java-1.6.0-openjdk.  Is it vulnerable to this java security flaw that
> made the national news this week?  Cyber is advising us to remove it but
> a lot of packages depend on it.  The biggie is LibreOffice.

I thought that the biggest issue was with Java 7 and not Java 6.

-connie

> Thanks!



Re: java vulnerability

2013-01-17 Thread Connie Sieh

On Thu, 17 Jan 2013, Connie Sieh wrote:

> On Thu, 17 Jan 2013, Ken Teh wrote:
>
>> What's the status of the java package that's installed on SL6x?
>> java-1.6.0-openjdk.  Is it vulnerable to this java security flaw that
>> made the national news this week?  Cyber is advising us to remove it but
>> a lot of packages depend on it.  The biggie is LibreOffice.
>
> I thought that the biggest issue was with Java 7 and not Java 6.

And as Pat said a specific CVE should help answer this.

-Connie Sieh

> -connie
>
>> Thanks!





Re: java vulnerability

2013-01-17 Thread Stephan Wiesand

On Jan 17, 2013, at 18:15 , Connie Sieh wrote:

> On Thu, 17 Jan 2013, Ken Teh wrote:
> 
>> What's the status of the java package that's installed on SL6x? 
>> java-1.6.0-openjdk.  Is it vulnerable to this java security flaw that made 
>> the national news this week?  Cyber is advising us to remove it but a lot of 
>> packages depend on it.  The biggie is LibreOffice.
> 
> I thought that the biggest issue was with Java 7 and not Java 6.


That's what I thought. In any case, removing the browser plugin (icedtea-web 
with openjdk) seems to be the most important step, and advisable wherever 
feasible. LibreOffice shouldn't depend on that.

A related question: Does anyone know whether openjdk6 will continue to be 
supported after the Oracle JDK6 end of service life?

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany


Re: java vulnerability

2013-01-17 Thread Connie Sieh

On Thu, 17 Jan 2013, Connie Sieh wrote:

> On Thu, 17 Jan 2013, Connie Sieh wrote:
>
>> On Thu, 17 Jan 2013, Ken Teh wrote:
>>
>>> What's the status of the java package that's installed on SL6x?
>>> java-1.6.0-openjdk.  Is it vulnerable to this java security flaw that
>>> made the national news this week?  Cyber is advising us to remove it but
>>> a lot of packages depend on it.  The biggie is LibreOffice.
>>
>> I thought that the biggest issue was with Java 7 and not Java 6.
>
> And as Pat said a specific CVE should help answer this.

Synopsis:     Important: java-1.7.0-openjdk security update
Issue Date:   2013-01-16
CVE Numbers:  CVE-2013-0422
              CVE-2012-3174

was released yesterday for SL 5 and 6.

-Connie Sieh

> -Connie Sieh
>
>> -connie
>>
>>> Thanks!







Re: [SCIENTIFIC-LINUX-USERS] java vulnerability

2013-01-17 Thread Pat Riehecky

On 01/17/2013 10:54 AM, Ken Teh wrote:

> What's the status of the java package that's installed on SL6x?
> java-1.6.0-openjdk.  Is it vulnerable to this java security flaw that
> made the national news this week?  Cyber is advising us to remove it
> but a lot of packages depend on it.  The biggie is LibreOffice.
>
> Thanks!


If you've got particular CVEs you are concerned about those are easier 
to see if they are resolved.


At this time there are no unpublished security updates for SL 5 or SL 6 
on our build systems.


Pat

--
Pat Riehecky
Scientific Linux Developer