Matthew Toseland wrote:
> Anyone running Freenet must upgrade to at least Sun Java 6 Update 15 or Sun
> Java 5 Update 20.
>
> Until you are able to do this, please shut down anything that parses XML,
> specifically:
> - Do not use the search function (XMLLibrarian).
> - Unload the WoT and Freetalk plugins if you are using them. Likewise with
>   Library etc.
> - Do not use Thaw. Shut it down if it is running.
>
> Other applications may also be vulnerable via the Python libexpat and Apache
> Xerces libraries, so you should update your distribution ASAP. However, not
> all applications that process XML are vulnerable as there are a number of XML
> parsers.
>
> This concerns both denial of service and remote code execution and thus is a
> *SEVERE* vulnerability.
>
> I will be putting out a new build ASAP, which will tell any users who haven't
> upgraded to upgrade and will disable XMLLibrarian until they do so.
>
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html

The bug exists for OpenJDK too. It has been fixed (27.b16.fc11) in the Fedora repositories:
https://bugzilla.redhat.com/show_bug.cgi?id=512921

Debian's bug-tracker makes no mention of it however:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=openjdk-6;dist=unstable;repeatmerged=0

X