Slackware: This Forum is for the discussion of Slackware Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
The workaround for the most common case (web browser) is to disable the plugin until the next upgrade. You can do this from "Tools > Addons > Plugins", clicking on the java plugin and then on "Disable". I've been running like that for about two weeks. Fortunately, none of the sites I frequently visit require java.
Even in -current, the jre and jdk packages are still one version behind. They're 6u21, and 6u22 was released some days ago to fix a security problem. The release notes make it sound like a minor problem, but it's still a security problem.
In that case, if you are truly desperate, you can grab the SlackBuild from source/l/jre on your Slackware DVD (or an rsync dump), edit the version number, get the up to date .bin file from Oracle, and run the SlackBuild. That will create an updated txz for your upgrading pleasure.
There were some arbitrary code vulnerabilities for PDF stuff (poppler, xpdf, kpdf etc.) that were discovered by RedHat at the beginning of October that haven't been updated in either current or stable yet. I ended up building my own packages for those as I thought the risk was sufficient to warrant it: I tend to read a lot of downloaded pdfs written by others.
Slackware's Thunderbird package is also a release behind at the moment, though the risk of that being exploited appears to be far less.
Slackware is a pretty small operation: developer resource constraint may be a factor, but yes, IMO java, pdf readers, and browsers deserve extra attention from a security standpoint as they interact with external data all the time. I've no idea why Pat hasn't updated them, but I believe you're right to be concerned. JAVA is a pretty big target for the bad guys in recent times and being 2 updates behind does seem risky.
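The "edit the version, fetch the .bin, run the SlackBuild" procedure from the post above, written out as a script. This is an added example, not code from the thread or from Slackware itself. It assumes the SlackBuild uses the usual `VERSION=${VERSION:-6u21}` idiom so the default can be rewritten with sed, that the built package lands in /tmp as jre-VERSION-*.txz, and that you have an expected SHA-256 for the Oracle installer obtained out of band. The one thing worth adding to the post's recipe is that the .bin is executed as root during the build, so its checksum is verified before anything runs it.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild Slackware's jre package at a newer
# version than the tree ships, verifying the Oracle .bin before it is executed.
# Assumptions not stated on the page: the SlackBuild sets its version with the
# "VERSION=${VERSION:-6u21}" idiom, the package ends up as /tmp/jre-VERSION-*.txz,
# and the expected SHA-256 was obtained out of band (the installer is not signed,
# so the hash you trust is the only integrity check you get).
set -eu

SLACKBUILD_DIR=${SLACKBUILD_DIR:-/tmp/jre-build}   # copy of source/l/jre from the DVD

# Rewrite the default VERSION in a SlackBuild and print the resulting line so the
# caller can see the edit took. Returns 1 if the script has no such line.
set_version() {
  script=$1; newver=$2
  grep -q '^VERSION=\${VERSION:-' "$script" || return 1
  sed -i "s/^VERSION=\${VERSION:-[^}]*}/VERSION=\${VERSION:-$newver}/" "$script"
  grep '^VERSION=' "$script"
}

# Compare a file's SHA-256 with a value you trust. Returns non-zero on mismatch;
# nothing should run the installer before this has passed.
verify_sha256() {
  file=$1; expected=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# The whole procedure: bump version, verify the download, build, upgrade.
rebuild_jre() {
  newver=$1; binfile=$2; expected=$3
  set_version "$SLACKBUILD_DIR/jre.SlackBuild" "$newver"
  verify_sha256 "$binfile" "$expected" || {
    echo "checksum mismatch on $binfile, refusing to build" >&2
    return 1
  }
  cp "$binfile" "$SLACKBUILD_DIR/"
  (cd "$SLACKBUILD_DIR" && sh ./jre.SlackBuild)
  upgradepkg /tmp/jre-"$newver"-*.txz
}

# Usage (as root, after copying source/l/jre to $SLACKBUILD_DIR and downloading the .bin):
#   rebuild_jre 6u22 /root/jre-6u22-linux-i586.bin <sha256 you trust>
```

Because Slackware's SlackBuilds normally take VERSION from the environment, `VERSION=6u22 sh ./jre.SlackBuild` usually works without editing the file at all; the sed step only matters if you want the copy on disk to record the new default.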
As you can see here: http://www.oracle.com/technetwork/ja...e2-176330.html the current version of the JRE and JDK in Slackware releases is not vulnerable by default (only Java 1.6 update 18 and older were vulnerable). The default behaviour for TLS connections has been changed back in March 2010 to revert the vulnerability-by-default. Then the waiting began for a fix in the protocol (not purely Java related - the scope is much broader). The fix in Update 22 is a final protocol fix to this man-in-the-middle exploit so that all possible JVM configurations are no longer vulnerable.
Because Slackware's Java packages are not exploitable by default, there is no hurry to fix this in the tree. An update will come of course, but it perhaps does not warrant a CVE entry. Note that this is Pat's decision, not mine, and the above is my own view on the matter.
Oracle Java SE and Java for Business Executive Summary
This Critical Patch Update contains 29 new security fixes for Oracle Java SE and Java for Business. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
I think the original page I linked to confused me. It's a matter of formatting. I didn't see the TLS issue you're talking about because, when I read the page, its header and contents appear indented with the same depth as the explanation for CVE-2010-3560 above, which is a very minor issue. I skipped those paragraphs because I thought they were still talking about that vulnerability. I didn't even notice the TLS problem.
In the webpage you mentioned, every issue seems to be solved in update 21, which is what we have now in -current but not in stable. I'm simply pointing it out, not trying to correct anything.
Finally, I think the problem stems from the following: if you're running Firefox and click on "Tools > Addons > Plugins > Find Updates", no matter if you're running -current and you're not vulnerable to anything, you land on a page that tells you your java plugin is vulnerable and should be upgraded. Given that most end users are probably not going to research if they're really vulnerable or not, two solutions exist. Either the Mozilla foundation changes that page, or Slackware updates java. I'm pretty sure the second one is much easier.