On 01/13/2013 05:35 AM, James Knott wrote:
> Jay Lozier wrote:
>> Yes, all OS's are affected because Java is cross platform. I am not
>> sure if any of the previous versions are affected or if only the
>> current release is affected.
>>
>> The primary concern is Java applets run by your browser. The
>> vulnerability allows a zero-day browser exploit that as yet is not
>> patched by Oracle. The primary concerns I have heard of are
>> installation of keyloggers and installation of ransomware. I would
>> assume the malware will use the JVM to run and would be cross
>> platform. AFAIK, Oracle has not yet announced when a patch will be
>> available.
>
> As I mentioned in another note, I'm running OpenJDK, not Oracle Java.
> So the question becomes is it a problem in general with Java or just
> Oracle's.
It is an OpenJDK problem as well. I've just posted this on the Mozilla
SeaMonkey user support nntp group:

Given the Zero-Day Java 7 vulnerabilities (see Paul B Gallagher's
thread: 'Java 7u10 vulnerability in browsers') and for those using
OpenJDK & Icedtea for Java JRE:

Security releases for OpenJDK and Icedtea were released yesterday (Tues
Jan 17).
<http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/>
<http://blog.fuseyism.com/index.php/2013/01/16/security-and-browser-plugins/>

This confirms that OpenJDK7 and IcedTea7 were vulnerable - of course I
reckon that it will take a while for the builds to get pushed to the
distros.

Note that "OpenJDK 6 is not affected.". So if you are using OpenJDK7 I'd
recommend installing OpenJDK6 (you can leave OpenJDK7 installed[1]), and
then using update-alternatives to set OpenJDK6 as the system JRE.
For Debian/Ubuntu users:
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install openjdk-6-jre
$ sudo apt-get install icedtea6-plugin
$ sudo update-alternatives --config java
$ sudo update-alternatives --config mozilla-javaplugin.so
Ensure that you are using OpenJDK6 instead of OpenJDK7. Example:
~$ java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
If you enable Java in SeaMonkey (I recommend using Prefbar to turn Java
on/off), the IcedTea plugin (Ubuntu in this example) in about:config
will show:
IcedTea-Web Plugin (using IcedTea-Web 1.2 (1.2-2ubuntu1.3))
File: /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
Version:
The IcedTea-Web Plugin executes Java applets.
I'd also check your LibreOffice/ApacheOO installs & select OpenJDK6:
Tools|Options|Java| select 'Sun Microsystems, Inc. 1.6.0_24'
Note: I do not know of the current zero-day vulnerability affecting
LibreOffice/ApacheOO - but to be cautious I revert to OpenJDK6.
[1] I keep openJDK7 installed so that it will be updated when the distro
packagers issue the security update.
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
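
The check described in the message above (after update-alternatives, confirm that both `java` and the browser plugin resolve to OpenJDK 6), written as a script. This is an added example, not part of the original post; the function names are hypothetical, the version 6 sample and plugin path are copied from the output quoted in the message, and the version 7 sample is constructed.

```shell
#!/bin/sh
# Added example: confirm the active JRE and browser plugin are OpenJDK 6.
# Function names are hypothetical; samples below are for offline use.

# Print the Java major version (6, 7, ...) from `java -version` text on stdin.
# Only the 1.x numbering used by Java 6/7 is recognised; otherwise prints nothing.
java_major() {
    sed -n 's/^[a-z]* version "1\.\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Succeed only if the text on stdin names an OpenJDK runtime.
is_openjdk() { grep -q '^OpenJDK Runtime Environment'; }

# Print the JVM major version encoded in a Debian/Ubuntu plugin path.
plugin_major() {
    printf '%s\n' "$1" |
        sed -n 's|^/usr/lib/jvm/java-\([0-9][0-9]*\)-openjdk.*|\1|p'
}

# check_jre VERSION_TEXT PLUGIN_PATH: returns 0 only when both are OpenJDK 6.
check_jre() {
    major=$(printf '%s\n' "$1" | java_major)
    pmajor=$(plugin_major "$2")
    if ! printf '%s\n' "$1" | is_openjdk; then
        echo "FAIL: active java is not an OpenJDK runtime"; return 1
    fi
    if [ "$major" != 6 ]; then
        echo "FAIL: active java is 1.${major:-?}, expected 1.6"; return 1
    fi
    if [ "$pmajor" != 6 ]; then
        echo "FAIL: plugin resolves to java-${pmajor:-?}, expected java-6"; return 1
    fi
    echo "OK: java and browser plugin both use OpenJDK 6"
}

# Sample taken from the output quoted in the message.
SAMPLE_V6='java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (6b24-1.11.5-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)'
SAMPLE_PLUGIN=/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
# Constructed sample of a system still pointing at OpenJDK 7.
SAMPLE_V7='java version "1.7.0_09"
OpenJDK Runtime Environment (constructed sample)'

check_jre "$SAMPLE_V6" "$SAMPLE_PLUGIN"
check_jre "$SAMPLE_V7" "$SAMPLE_PLUGIN" || true
# Live use (assumes the alternatives symlink lives under /etc/alternatives):
# check_jre "$(java -version 2>&1)" \
#     "$(readlink -f /etc/alternatives/mozilla-javaplugin.so)"
```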