On 01/13/2013 06:48 PM, NoOp wrote:
On 01/12/2013 07:42 PM, George R. Crossman wrote:
I'm seeing warnings saying that one should disable embedded Java to
avoid hacking. Does this apply to linux users? If so, what is the procedure?
Yes. If you are using your distributions version of Oracle Java 7, then
they will (eventually) issue a security update. If you have installed on
your own, Java7u11 is now available:
<https://www.java.com/en/download/manual.jsp>
<http://www.oracle.com/technetwork/java/javase/downloads/index.html>
<http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html>
Note: This may be off topic for this list as all reports indicate that
the issue only concerns browsers. However LO (and AOO) accomodate http
links in documents; so until LO confirms there is no risk I'd recommend
turning off *all* java & only turn back on for necessary applications.
** No idea if openJDK has been affected yet.
Follow-up: U.S. says Java still risky, even after security update:
<http://www.reuters.com/article/2013/01/14/us-java-oracle-security-idUSBRE90D10P20130114>
Of course Reuters don't bother to provide a cite link, so I have:
<http://www.kb.cert.org/vuls/id/625617>
<quote>
Solution
Update to Java 7u11
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11
addresses this (CVE-2013-0422) and an equally severe vulnerability
(CVE-2012-3174). Immunity[1] has indicated that only the reflection
vulnerability has been fixed. Java 7u11 sets the default Java security
settings to "High" so that users will be prompted before running
unsigned or self-signed Java applets.
Unless it is absolutely necessary to run Java in web browsers, disable
it as described below, even after updating to 7u11. This will help
mitigate other Java vulnerabilities that may be discovered in the future.
</quote>
Added note: Windows users - if you have javafx installed, you must
either uninstall it, or update it to the latest 2.2.4 version after you
update the Java7U11 in order for Firefox or SeaMonkey to recognize java.
Javafx update link is here:
<https://www.java.com/en/javafx/>
If you absolutely have to run java in FF or SM, I highly recommend
installing Prefbar so that you can easily turn on/off java simply by
checking the Java box.
<https://addons.mozilla.org/en-us/seamonkey/addon/prefbar/>
<http://prefbar.tuxfamily.org/help/buttons.html#java>
[1]
<http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html>
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Context
- Re: [libreoffice-users] Embedded Java (continued)
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.