[Mageia-discuss] Current java plugin with security hole?

Wolfgang Bornath molch.b at googlemail.com
Thu Mar 29 09:51:04 CEST 2012


2012/3/29 Luc Menut <lmenut at free.fr>:
> On 29/03/2012 09:30, Oliver Burger wrote:
>
>> On 29.03.2012 09:22, Wolfgang Bornath wrote:
>>>
>>> The page gives a link to a test routine at java.com where you can test
>>> which version is installed on your machine. For my Mageia 1
>>> installation with firefox the test shows "Your Java version: Version
>>> 6 Update 26" - which matches the installed package
>>> (java-1.6.0-sun-plugin-1.6.0.26-0.2.mga1.nonfree).
>>>
>>> Recommended is "version 6 update 31". But this is not available yet at
>>> Mageia.
>>>
>>> - will there be a security related update for Mageia 1?
>>> - if not, should we use the recommended newer version from java.com
>>> (rpm packages available for 32 and 64 bit)
>>
>> AFAIK Oracle has withdrawn the redistribution license for all newer Java
>> versions.
>> But I'm not sure if only Java >= 1.7 is concerned or Java > 1.6.0.26.
>
>
> java-1.6.0-sun > 1.6.0.26 is concerned too.
> http://jdk-distros.java.net/
> http://robilad.livejournal.com/90792.html
> https://bugs.mageia.org/show_bug.cgi?id=3101

Ah, missed the bug report on this - but this only shows that the
average "non-mailing-list-reader" may not know about the issue at all.

Step 1: action ASAP as suggested in the bug report comment #13
("update" the version in mga1 repos with a README.urpmi)
Step 2: after this is done give out a related warning (mailing list, forum).

As Dave Hodgins wrote in Bugzilla: "It may be bad for beginner users,
but it's worse to leave them with insecure software that is being
actively exploited."

-- 
wobo

