Mark-of-the-Beast security bug --- community collaboration?
Dr Andrew John Hughes
gnu_andrew at member.fsf.org
Wed Feb 9 13:44:03 UTC 2011
On 9 February 2011 13:23, Dr Andrew John Hughes
<gnu_andrew at member.fsf.org> wrote:
> On 8 February 2011 11:01, Mark Wielaard <mark at klomp.org> wrote:
>> On Tue, 2011-02-08 at 10:59 +0100, Mark Wielaard wrote:
>>> > It would be great if we could find this and patch
>>> > OpenJDK 6 deployments ASAP.
>>>
>>> There has been extensive discussion on the core-libs mailinglist, with a
>>> patch and some historic digging to find where the issue came from.
>>>
>>> Short story, it was already found through the Free Software Jacks
>>> testsuite in 2001 (!). http://sourceware.org/mauve/jacks.html
>>> http://sourceware.org/cgi-bin/cvsweb.cgi/~checkout~/jacks/docs/tests.html?cvsroot=mauve#3.10.2-runtime
>>> reported by the Jikes compiler hacker Eric Blake.
>>> http://bugs.sun.com/view_bug.do?bug_id=4421494 The bug report even has a
>>> suggested fix. Dmitry Nadezhin posted a patch in 2009, but unfortunately
>>> that didn't make it in.
>>> http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-November/003153.html
>>> https://bugs.openjdk.java.net/show_bug.cgi?id=100119
>>> It was rediscovered through the php issue a week ago.
>>> http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
>>> Andrew Haley almost immediate posted a new patch for it last week.
>>> http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html
>>> Hopefully it will go into IcedTea6 ASAP according to Andrew Hughes.
>>> http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005836.html
>>> With possibly more security fixes following next week.
>>> http://www.oracle.com/technetwork/topics/security/alerts-086861.html
>>
>> For those that cannot wait and need a fix right now Marc Schoenefeld of
>> the Red Hat Security Response Team created a script that will create a
>> jar that you can use with -Xbootclasspath/p:prevent_double_dos.jar to
>> mitigate the DoS bug till there are full new security releases:
>> https://code.google.com/p/javapharmacy/source/browse/trunk/scripts/harden_against_jre_dos.sh
>>
>> Cheers,
>>
>> Mark
>>
>>
>
> The security releases for IcedTea6 (1.7.9, 1.8.6, 1.9.6) are on the
> server and in Mercurial. I'm about to do a full announcement. Oracle
> decided to spring a 'surprise' release on us:
> http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
> so we'll push one out too.
>
> 496b615ccad2a950783b1a2f30a8657956f8c9d9bccb6ab9effc1164ab830792
> icedtea6-1.7.9.tar.gz
> d392c95e76b5bdf21fb4bce8fc5cdc530bdf5bda014cb96fa9cd3efdfdbeff87
> icedtea6-1.8.6.tar.gz
> 100e61fbc3157b4839413951b0247f7ccabb0dcff6d037fbb372d5a13088adc2
> icedtea6-1.9.6.tar.gz
>
> --
> Andrew :-)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> Support Free Java!
> Contribute to GNU Classpath and the OpenJDK
> http://www.gnu.org/software/classpath
> http://openjdk.java.net
>
> PGP Key: F5862A37 (https://keys.indymedia.org/)
> Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37
>
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-February/012004.html
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37
More information about the discuss
mailing list