LinuxQuestions.org
Old 11-03-2010, 02:20 PM   #1
Bart_
LQ Newbie
Slackware 13.1: java security updates?


Hi,
on Slackware 13.1 the Firefox plugin for Java is still 1.6.0_20 and it is vulnerable. Why are there no security updates?
 
Old 11-03-2010, 04:26 PM   #2
rg3
Member
The workaround for the most common case (web browser) is to disable the plugin until the next upgrade. You can do this from "Tools > Addons > Plugins", clicking on the java plugin and then on "Disable". I've been running like that for about two weeks. Fortunately, none of the sites I frequently visit require java.
 
Old 11-03-2010, 05:05 PM   #3
koenigdavidmj
Member
I am not completely positive that it will work (it should, since it is just an upstream binary), but you can use the jre or jdk packages from Slackware-current if you want.
 
Old 11-03-2010, 05:42 PM   #4
Alien Bob
Slackware Contributor
Quote:
Originally Posted by koenigdavidmj
I am not completely positive that it will work (it should, since it is just an upstream binary), but you can use the jre or jdk packages from Slackware-current if you want.
It will work.

Eric
 
Old 11-03-2010, 07:23 PM   #5
rg3
Member
Even in -current, the jre and jdk packages are still one version behind. They're 6u21, and 6u22 was released some days ago to fix a security problem. The release notes make it sound like a minor problem, but it's still a security problem.

http://www.oracle.com/technetwork/ja...es-176121.html
 
Old 11-03-2010, 10:26 PM   #6
koenigdavidmj
Member
In that case, if you are truly desperate, you can grab the SlackBuild from source/l/jre on your Slackware DVD (or an rsync dump), edit the version number, get the up to date .bin file from Oracle, and run the SlackBuild. That will create an updated txz for your upgrading pleasure.

Similar instructions apply for the JDK.
 
Old 11-04-2010, 04:31 AM   #7
Bart_
LQ Newbie
Thanks for the workaround, but I don't understand why there isn't a security update for Slackware 13.1, especially if there is a fix for -current...
 
Old 11-04-2010, 06:40 AM   #8
GazL
Senior Member
There were some arbitrary code vulnerabilities for PDF stuff (poppler, xpdf, kpdf etc.) that were discovered by RedHat at the beginning of October that haven't been updated in either current or stable yet. I ended up building my own packages for those as I thought the risk was sufficient enough to warrant it: I tend to read a lot of downloaded pdfs written by others.

Slackware's Thunderbird package is also a release behind at the moment, though the risk of that being exploited appears to be far less.

Slackware is a pretty small operation: developer resource constraint may be a factor, but yes, IMO java, pdf readers, and browsers deserve extra attention from a security standpoint as they interact with external data all the time. I've no idea why Pat hasn't updated them, but I believe you're right to be concerned. JAVA is a pretty big target for the bad guys in recent times and being 2 updates behind does seem risky.
 
Old 11-04-2010, 07:06 AM   #9
Alien Bob
Slackware Contributor
As you can see here: http://www.oracle.com/technetwork/ja...e2-176330.html the current version of the JRE and JDK in Slackware releases is not vulnerable by default (only Java 1.6 update 18 and older were vulnerable). The default behaviour for TLS connections was changed back in March 2010 to revert the vulnerability-by-default. Then the waiting began for a fix in the protocol (not purely Java related - the scope is much broader). The fix in Update 22 is a final protocol fix to this man-in-the-middle exploit so that all possible JVM configurations are no longer vulnerable.
Because Slackware's Java packages are not exploitable by default, there is no hurry to fix this in the tree. An update will come of course, but it perhaps does not warrant a CVE entry. Note that this is Pat's decision, not mine, and the above is my own view on the matter.

Eric
 
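The two practical points in this thread, koenigdavidmj's rebuild recipe in post #6 (copy the jre SlackBuild from source/l/jre, bump the version, fetch the .bin from Oracle, run the SlackBuild, upgradepkg the result) and Alien Bob's update-level thresholds in post #9 (update 18 and older vulnerable by default, 19 to 21 safe by default but without the final protocol fix, update 22 fixed), fit together as one small script. The following is an added example written for this page, not code from the thread, from Slackware or from Oracle. It assumes the SlackBuild sets its version with a plain `VERSION=6u20` line and that Oracle names the installer `jre-<version>-linux-<i586|x64>.bin`; the SlackBuild directory path and the checksum are placeholders, and the `java -version` banner and SlackBuild fragment in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, Slackware or Oracle): classify the
# installed Java 6 update level using the thresholds from post #9, and
# prepare the SlackBuild rebuild described in post #6.
# Assumptions not on the page: the SlackBuild has a plain "VERSION=6u20"
# line; Oracle ships the installer as jre-<ver>-linux-<i586|x64>.bin.

# --- step 1: what is installed? -------------------------------------------

# Update number from the first line of `java -version`, e.g.
# 'java version "1.6.0_20"' -> 20.  Prints nothing for any other banner.
java6_update_level() {
  printf '%s\n' "$1" | sed -n 's/^java version "1\.6\.0_\([0-9][0-9]*\)".*/\1/p'
}

# Post #9: update 18 and older are vulnerable by default to the TLS
# renegotiation man-in-the-middle; 19-21 changed the default (March 2010)
# but lack the final protocol fix; update 22 carries that fix.
classify_java6() {
  u=$(java6_update_level "$1")
  if [ -z "$u" ]; then echo unknown
  elif [ "$u" -le 18 ]; then echo vulnerable-by-default
  elif [ "$u" -lt 22 ]; then echo default-safe-not-fixed
  else echo fixed
  fi
}

# --- step 2: prepare the rebuild ------------------------------------------

# Replace the VERSION= line in a SlackBuild copy; print the value read back.
bump_slackbuild_version() {
  sed -i "s/^VERSION=.*/VERSION=$2/" "$1"
  sed -n 's/^VERSION=//p' "$1"
}

# Installer name the bumped SlackBuild will look for (assumed Oracle naming).
expected_bin_name() {
  case "$2" in
    i?86)   oarch=i586 ;;
    x86_64) oarch=x64 ;;
    *) echo "unsupported arch: $2" >&2; return 1 ;;
  esac
  echo "jre-$1-linux-$oarch.bin"
}

# Check a downloaded .bin against a SHA-256 obtained out of band (placeholder).
verify_bin() {
  printf '%s  %s\n' "$2" "$1" | sha256sum -c - >/dev/null 2>&1
}

# Real run, as root on the Slackware host.  SRC_DIR is the DVD's source/l/jre;
# the package lands where the SlackBuild's OUTPUT points (assumed /tmp here).
rebuild_jre() {
  newver=$1
  work=$(mktemp -d)
  cp -a "${SRC_DIR:-/path/to/dvd/source/l/jre}"/. "$work"   # placeholder path
  bump_slackbuild_version "$work/jre.SlackBuild" "$newver" >/dev/null
  bin=$(expected_bin_name "$newver" "$(uname -m)")
  echo "Download $bin from Oracle into $work, verify it with verify_bin, then:"
  echo "  (cd $work && sh jre.SlackBuild) && upgradepkg /tmp/jre-$newver-*.txz"
}

# --- offline demonstration on constructed input ---------------------------

demo() {
  # Constructed banner, as `java -version` prints it on Slackware 13.1.
  banner='java version "1.6.0_20"'
  state=$(classify_java6 "$banner")
  # Constructed stand-in for source/l/jre/jre.SlackBuild.
  tmp=$(mktemp)
  printf '%s\n' '#!/bin/sh' 'PKGNAM=jre' 'VERSION=6u20' 'ARCH=${ARCH:-i586}' > "$tmp"
  newver=$(bump_slackbuild_version "$tmp" 6u22)
  rm -f "$tmp"
  echo "$state $newver"
}
```

On a real host, `classify_java6 "$(java -version 2>&1 | head -n 1)"` tells you which of Alien Bob's three cases you are in, and `rebuild_jre 6u22` stages the SlackBuild copy and prints the remaining manual steps; `demo` exercises the same functions on the constructed input and prints `default-safe-not-fixed 6u22`.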
Old 11-04-2010, 07:35 AM   #10
GazL
Senior Member
I'm not really up on the java landscape, but isn't that TLS one just one of the many?

http://www.oracle.com/technetwork/to...10-176258.html
Quote:
Oracle Java SE and Java for Business Executive Summary

This Critical Patch Update contains 29 new security fixes for Oracle Java SE and Java for Business. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
 
Old 11-04-2010, 06:42 PM   #11
rg3
Member
@Alien Bob

I think the original page I linked to confused me. It's a matter of formatting. I didn't see the TLS issue you're talking about because, when I read the page, its header and contents appear indented with the same depth as the explanation for CVE-2010-3560 above, which is a very minor issue. I skipped those paragraphs because I thought they were still talking about that vulnerability. I didn't even notice the TLS problem.

@GazL

In the webpage you mentioned, every issue seems to be solved in update 21, which is what we have now in -current but not in stable. I'm simply pointing it out, not trying to correct anything.

--

Finally, I think the problem stems from following: if you're running Firefox and click on "Tools > Addons > Plugins > Find Updates", no matter if you're running -current and you're not vulnerable to anything, you land on a page that tells you your java plugin is vulnerable and should be upgraded. Given that most end users are probably not going to research if they're really vulnerable or not, two solutions exist. Either the Mozilla foundation changes that page, or Slackware updates java. I'm pretty sure the second one is much easier.
 
Old 11-04-2010, 08:56 PM   #12
GazL
Senior Member
Quote:
Originally Posted by rg3
@GazL

In the webpage you mentioned, every issue seems to be solved in update 21, which is what we have now in -current but not in stable. I'm simply pointing it out, not trying to correct anything.
Hey, if I say something that's wrong then I'd prefer people to correct me, so don't worry about that. As I hinted at, I'm really not all that JAVA savvy.

I thought that the "last affected" column on that table was saying that 6U21 was vulnerable to those, but it's quite possible I was misunderstanding it, and I didn't look any deeper than that page.
 
Old 11-05-2010, 02:19 AM   #13
rg3
Member
My mistake again. I misread the column title.

I'm not java savvy at all, either.