From nobody@FreeBSD.org  Wed Dec 23 13:37:17 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 693551065676
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 23 Dec 2009 13:37:17 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 58B6C8FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 23 Dec 2009 13:37:17 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id nBNDbG7R070860
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 23 Dec 2009 13:37:17 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id nBNDbGvJ070848;
	Wed, 23 Dec 2009 13:37:16 GMT
	(envelope-from nobody)
Message-Id: <200912231337.nBNDbGvJ070848@www.freebsd.org>
Date: Wed, 23 Dec 2009 13:37:16 GMT
From: Romain Dalmaso <artefact2@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Serious remote vulnerability in the JRE
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         141919
>Category:       java
>Synopsis:       Serious remote vulnerability in the JRE
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-java
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 23 13:40:06 UTC 2009
>Closed-Date:    Sun Mar 06 15:53:32 EST 2011
>Last-Modified:  Mon Mar  7 02:20:09 UTC 2011
>Originator:     Romain Dalmaso
>Release:        7.2-RELEASE
>Organization:
>Environment:
>Description:
A serious vulnerability affecting all the current Java ports allows any potential attacker to take control of the machine remotely if it uses a Java application dealing with the XML parser.

The issue has been there for months, and has been fixed since Java 6 update 15 and Java 5 update 20. So simply updating the port would solve the issue.

This vulnerability affects, for instance, all the Freenet nodes running under FreeBSD:
http://freenetproject.org/news.html#xml-vuln

More details about it:
http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Thanks for your interest.
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:

From: Brian Gardner <openjdk@getsnappy.com>
To: Romain Dalmaso <artefact2@gmail.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Date: Sun, 27 Dec 2009 23:46:23 -0800

 I believe openjdk6-b17 fixes the problem. I haven't released it yet,
 although it's been tested and it's ready to ship. I'll try and get it
 committed later this week. The latest version of the port and
 instructions are available for test from here:

 http://www.getsnappy.com/tech-blog/freebsd-tips-tricks/upgrading-freebsd-port-java-openjdk6-from-b16-to-b17/

 It sounds like the openjdk community will be releasing b18 shortly
 which I believe also includes some security fixes.
 
 On Dec 23, 2009, at 5:37 AM, Romain Dalmaso wrote:
 
 >
 >> Number:         141919
 >> Category:       java
 >> Synopsis:       Serious remote vulnerability in the JRE
 >> Confidential:   no
 >> Severity:       critical
 >> Priority:       high
 >> Responsible:    freebsd-java
 >> State:          open
 >> Quarter:
 >> Keywords:
 >> Date-Required:
 >> Class:          update
 >> Submitter-Id:   current-users
 >> Arrival-Date:   Wed Dec 23 13:40:06 UTC 2009
 >> Closed-Date:
 >> Last-Modified:
 >> Originator:     Romain Dalmaso
 >> Release:        7.2-RELEASE
 >> Organization:
 >> Environment:
 >> Description:
 > A serious vulnerability affecting all the current Java ports allows  
 > any potential attacker to take control of the machine remotely if it  
 > uses a Java application dealing with the XML parser.
 >
 > The issue has been there for months, and has been fixed since Java 6  
 > update 15 and Java 5 update 20. So simply updating the port would  
 > solve the issue.
 >
 > This vulnerability affects, for instance, all the Freenet nodes
 > running under FreeBSD:
 > http://freenetproject.org/news.html#xml-vuln
 >
 > More details about it:
 > http://www.cert.fi/en/reports/2009/vulnerability2009085.html
 >
 > Thanks for your interest.
 >> How-To-Repeat:
 >
 >> Fix:
 >
 >
 >> Release-Note:
 >> Audit-Trail:
 >> Unformatted:
 
State-Changed-From-To: open->closed 
State-Changed-By: eadler 
State-Changed-When: Sun Mar 6 15:53:31 EST 2011 
State-Changed-Why:  
java has been updated since then 

http://www.freebsd.org/cgi/query-pr.cgi?pr=141919 

From: Rob Farmer <rfarmer@predatorlabs.net>
To: eadler@freebsd.org
Cc: artefact2@gmail.com, freebsd-java@freebsd.org, bug-followup@freebsd.org
Subject: Re: java/141919: Serious remote vulnerability in the JRE
Date: Sun, 6 Mar 2011 17:43:41 -0800

 On Sun, Mar 6, 2011 at 12:53 PM,  <eadler@freebsd.org> wrote:
 > State-Changed-Why:
 > java has been updated since then
 >
 
 I don't think so.
 
 jdk != openjdk
 
 -- 
 Rob Farmer
>Unformatted:
