LinuxQuestions.org


Bart_ 11-03-2010 01:20 PM

Slackware 13.1: java security updates?
 
Hi,
on Slackware 13.1 the Firefox plugin for Java is still 1.6.0_20 and it is vulnerable. Why are there no security updates?

rg3 11-03-2010 03:26 PM

The workaround for the most common case (web browser) is to disable the plugin until the next upgrade. You can do this from "Tools > Addons > Plugins", clicking on the java plugin and then on "Disable". I've been running like that for about two weeks. Fortunately, none of the sites I frequently visit require java.

koenigdavidmj 11-03-2010 04:05 PM

I am not completely positive that it will work (it should, since it is just an upstream binary), but you can use the jre or jdk packages from Slackware-current if you want.

Alien Bob 11-03-2010 04:42 PM

Quote:

Originally Posted by koenigdavidmj (Post 4148400)
I am not completely positive that it will work (it should, since it is just an upstream binary), but you can use the jre or jdk packages from Slackware-current if you want.

It will work.

Eric

rg3 11-03-2010 06:23 PM

Even in -current, the jre and jdk packages are still one version behind. They're 6u21, and 6u22 was released some days ago to fix a security problem. The release notes make it sound like a minor problem, but it's still a security problem.

http://www.oracle.com/technetwork/ja...es-176121.html

koenigdavidmj 11-03-2010 09:26 PM

In that case, if you are truly desperate, you can grab the SlackBuild from source/l/jre on your Slackware DVD (or an rsync dump), edit the version number, get the up to date .bin file from Oracle, and run the SlackBuild. That will create an updated txz for your upgrading pleasure.

Similar instructions apply for the JDK.
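Before and after rebuilding the package as described above, it helps to verify what the system actually runs. The following POSIX shell script is an added example (not from this thread, Slackware, or Oracle): it parses the first line of `java -version` (assumed to look like `java version "1.6.0_20"`) and reports whether a Java 6 install is below a given update level; the sample lines at the bottom are constructed so it can be exercised offline.

```shell
#!/bin/sh
# Added example: check whether an installed Java 6 is older than a given update.
# Assumes `java -version` prints a first line like: java version "1.6.0_20"

# Extract "major.minor.micro_update" from a 'java -version' output line.
java_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([0-9][0-9._]*\)".*/\1/p'
}

# Update number (the part after "_"); 0 if the string has none.
java_update_number() {
    case "$1" in
        *_*) printf '%s\n' "${1##*_}" ;;
        *)   printf '0\n' ;;
    esac
}

# True (exit 0) if version $1 is a Java 6 build below update $2.
java_needs_update() {
    fam=$(printf '%s\n' "$1" | cut -d. -f2)   # "6" in 1.6.0_20
    upd=$(java_update_number "$1")
    [ "$fam" -eq 6 ] && [ "$upd" -lt "$2" ]
}

# Run the check against the live JVM; java prints its version on stderr.
# Exit 1 when outdated, 2 when no parsable version was found.
check_installed_java() {
    want="${1:-22}"
    line=$(java -version 2>&1 | head -n1) || return 2
    ver=$(java_version_from_line "$line")
    [ -n "$ver" ] || return 2
    if java_needs_update "$ver" "$want"; then
        echo "Java $ver is below 6u$want: update it or disable the browser plugin"
        return 1
    fi
    echo "Java $ver is at or above 6u$want"
}

# Constructed sample lines (not real output from any machine) for offline use.
SAMPLE_OLD='java version "1.6.0_20"'
SAMPLE_NEW='java version "1.6.0_22"'
for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(java_version_from_line "$line")
    if java_needs_update "$v" 22; then echo "$v: needs update"; else echo "$v: ok"; fi
done
```

On a real system call `check_installed_java 22`; the threshold is the update level you consider fixed, and the loop at the end only exercises the constructed samples.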

Bart_ 11-04-2010 03:31 AM

Thanks for the workaround, but I don't understand why there is no security update for Slackware 13.1, especially if there is a fix for -current...

GazL 11-04-2010 05:40 AM

There were some arbitrary code vulnerabilities for PDF stuff (poppler, xpdf, kpdf etc.) that were discovered by RedHat at the beginning of October that haven't been updated in either current or stable yet. I ended up building my own packages for those as I thought the risk was sufficient to warrant it: I tend to read a lot of downloaded PDFs written by others.

Slackware's Thunderbird package is also a release behind at the moment, though the risk of that being exploited appears to be far less.

Slackware is a pretty small operation: developer resource constraint may be a factor, but yes, IMO java, pdf readers, and browsers deserve extra attention from a security standpoint as they interact with external data all the time. I've no idea why Pat hasn't updated them, but I believe you're right to be concerned. JAVA is a pretty big target for the bad guys in recent times and being 2 updates behind does seem risky.

Alien Bob 11-04-2010 06:06 AM

As you can see here: http://www.oracle.com/technetwork/ja...e2-176330.html the current version of the JRE and JDK in Slackware releases is not vulnerable by default (only Java 1.6 update 18 and older were vulnerable). The default behaviour for TLS connections was changed back in March 2010 to revert the vulnerability-by-default. Then the waiting began for a fix in the protocol (not purely Java related - the scope is much broader). The fix in Update 22 is a final protocol fix to this man-in-the-middle exploit so that all possible JVM configurations are no longer vulnerable.
Because Slackware's Java packages are not exploitable by default, there is no hurry to fix this in the tree. An update will come of course, but it perhaps does not warrant a CVE entry. Note that this is Pat's decision, not mine, and the above is my own view on the matter.

Eric

GazL 11-04-2010 06:35 AM

I'm not really up on the java landscape, but isn't that TLS one just one of the many?

http://www.oracle.com/technetwork/to...10-176258.html
Quote:

Oracle Java SE and Java for Business Executive Summary

This Critical Patch Update contains 29 new security fixes for Oracle Java SE and Java for Business. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

rg3 11-04-2010 05:42 PM

@Alien Bob

I think the original page I linked to confused me. It's a matter of formatting. I didn't see the TLS issue you're talking about because, when I read the page, its header and contents appear indented with the same depth as the explanation for CVE-2010-3560 above, which is a very minor issue. I skipped those paragraphs because I thought they were still talking about that vulnerability. I didn't even notice the TLS problem.

@GazL

In the webpage you mentioned, every issue seems to be solved in update 21, which is what we have now in -current but not in stable. I'm simply pointing it out, not trying to correct anything.

--

Finally, I think the problem stems from the following: if you're running Firefox and click on "Tools > Addons > Plugins > Find Updates", no matter if you're running -current and you're not vulnerable to anything, you land on a page that tells you your Java plugin is vulnerable and should be upgraded. Given that most end users are probably not going to research whether they're really vulnerable or not, two solutions exist. Either the Mozilla foundation changes that page, or Slackware updates Java. I'm pretty sure the second one is much easier. :)

GazL 11-04-2010 07:56 PM

Quote:

Originally Posted by rg3 (Post 4149570)
@GazL

In the webpage you mentioned, every issue seems to be solved in update 21, which is what we have now in -current but not in stable. I'm simply pointing it out, not trying to correct anything.

Hey, if I say something that's wrong then I'd prefer people to correct me, so don't worry about that. As I hinted at, I'm really not all that JAVA savvy. :)

I thought that the "last affected" column on that table was saying that 6U21 was vulnerable to those, but it's quite possible I was misunderstanding it, and I didn't look any deeper than that page.

rg3 11-05-2010 01:19 AM

My mistake again. I misread the column title. :)

I'm not java savvy at all, either.
